Rule Category

OS-MOBILE -- Snort has detected traffic targeting vulnerabilities in a mobile-based operating system. This does not include browser traffic or other software on the OS, only attacks against the OS itself.

Alert Message

OS-MOBILE Google Android libstagefright integer underflow attempt

Rule Explanation

This event is generated when a malicious MPEG-4 file attempts to trigger an integer overflow in Android's libstagefright library.

Impact: High

Details: Android's Stagefright library is a core library used for playing multimedia formats. An integer overflow vulnerability exists in this library because the MPEG4Extractor::parseChunk function in MPEG4Extractor.cpp fails to properly validate the chunk sizes specified by an MPEG-4 file. Attackers can trigger the vulnerability with a specially crafted MPEG-4 file and achieve arbitrary code execution.

Ease of Attack: Simple
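The kind of chunk-size validation the Details above describe as missing, shown as an added example (not libstagefright's code and not the Android patch): a bounds-checked parser for one MPEG-4 box (chunk) header. The names `check_box` and `box_status` and the sample byte arrays are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Status codes for this added example (hypothetical names). */
enum box_status { BOX_OK = 0, BOX_TRUNCATED, BOX_BAD_SIZE };

static uint64_t be_read(const uint8_t *p, int n) {
    uint64_t v = 0;
    while (n--) v = (v << 8) | *p++;
    return v;
}

/* Validate the box (chunk) header at `off` in a buffer of `len` bytes.
 * On BOX_OK, *payload_len holds the payload size, computed without wrap. */
enum box_status check_box(const uint8_t *buf, size_t len, size_t off,
                          uint64_t *payload_len) {
    if (off > len || len - off < 8) return BOX_TRUNCATED;
    uint64_t remaining = len - off;
    uint64_t size = be_read(buf + off, 4);   /* 32-bit size, then 4-byte type */
    uint64_t hdr = 8;
    if (size == 1) {                         /* 64-bit largesize follows type */
        if (remaining < 16) return BOX_TRUNCATED;
        size = be_read(buf + off + 8, 8);
        hdr = 16;
    } else if (size == 0) {                  /* box runs to end of data */
        size = remaining;
    }
    /* A size below the header length would make size - hdr wrap around. */
    if (size < hdr) return BOX_BAD_SIZE;
    /* Compare with the bytes left; never compute off + size, which can wrap. */
    if (size > remaining) return BOX_BAD_SIZE;
    *payload_len = size - hdr;
    return BOX_OK;
}

/* Constructed sample inputs, not taken from any real file. */
static const uint8_t good_box[]  = {0, 0, 0, 12, 'f', 'r', 'e', 'e', 1, 2, 3, 4};
static const uint8_t tiny_size[] = {0, 0, 0, 4, 'f', 'r', 'e', 'e', 1, 2, 3, 4};
static const uint8_t huge_size[] = {0, 0, 0, 1, 'f', 'r', 'e', 'e',
                                    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff};

int main(void) {
    uint64_t n = 0;
    printf("good=%d ", check_box(good_box, sizeof good_box, 0, &n));
    printf("tiny=%d ", check_box(tiny_size, sizeof tiny_size, 0, &n));
    printf("huge=%d\n", check_box(huge_size, sizeof huge_size, 0, &n));
    return 0;
}
```

Both rejected samples declare a size that disagrees with the data actually present, which is the condition a parser must test before using the size in any allocation or offset arithmetic.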

What To Look For

Known Usage

No public information

False Positives

No known false positives

Contributors

Cisco Talos Intelligence Group

MITRE ATT&CK Framework

Tactic:

Technique:

For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org

CVE

Rule Vulnerability

CVE Additional Information

CVE-2015-3864
Integer underflow in the MPEG4Extractor::parseChunk function in MPEG4Extractor.cpp in libstagefright in mediaserver in Android before 5.1.1 LMY48M allows remote attackers to execute arbitrary code via crafted MPEG-4 data, aka internal bug 23034759. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-3824.
Details
Severity: HIGH
Base Score: 10.0
Impact Score: 10.0
Exploit Score: 10.0
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Access Vector:
Authentication: NONE
Ease of Access: