OS-MOBILE -- Snort has detected traffic targeting vulnerabilities in a mobile-based operating system. This category covers attacks against the OS itself, not browser traffic or other software running on the OS.
OS-MOBILE Google Android libstagefright integer underflow attempt
This event is generated when a malicious MPEG-4 file attempts to trigger an integer overflow in Android's libstagefright library.
Android's Stagefright library is a core library used for playing multimedia formats. An integer overflow vulnerability exists in this library because the MPEG4Extractor::parseChunk function in MPEG4Extractor.cpp fails to properly validate the size of the chunks specified by an MPEG-4 file. An attacker can trigger the vulnerability with a specially crafted MPEG-4 file and achieve arbitrary code execution.
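The class of check the explanation above says was missing, as an added example (not Android's code and not the Snort rule): a C routine that validates every MPEG-4 chunk size field before using it in arithmetic. It assumes the standard chunk header layout (32-bit big-endian size, 4-byte type, size 1 meaning a 64-bit size follows, size 0 meaning "to end of data"); the function name, result codes and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Result codes for this added example (names are hypothetical). */
enum { MP4_OK = 0, MP4_TRUNCATED = -1, MP4_BAD_SIZE = -2 };

/* Constructed sample inputs: valid chunk, size < header, size > data, bad 64-bit size. */
const uint8_t sample_ok[16]   = {0,0,0,16,'f','t','y','p','i','s','o','m',0,0,0,0};
const uint8_t sample_small[8] = {0,0,0,4,'f','r','e','e'};
const uint8_t sample_big[8]   = {0xff,0xff,0xff,0xff,'f','r','e','e'};
const uint8_t sample_ext[16]  = {0,0,0,1,'m','d','a','t',0,0,0,0,0,0,0,8};

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static uint64_t be64(const uint8_t *p) {
    return ((uint64_t)be32(p) << 32) | be32(p + 4);
}

/* Walk the top-level chunks in buf[0..len). Returns MP4_OK or the first
 * error; *count receives the number of chunks accepted so far. */
int mp4_validate_chunks(const uint8_t *buf, size_t len, size_t *count) {
    size_t off = 0;
    *count = 0;
    while (off < len) {
        size_t remaining = len - off;      /* cannot wrap: off < len */
        size_t hdr = 8;
        if (remaining < hdr) return MP4_TRUNCATED;
        uint64_t size = be32(buf + off);
        if (size == 1) {                   /* 64-bit size follows the type */
            hdr = 16;
            if (remaining < hdr) return MP4_TRUNCATED;
            size = be64(buf + off + 8);
        } else if (size == 0) {            /* chunk runs to end of data */
            size = remaining;
        }
        /* A size below the header length would make (size - hdr) wrap. */
        if (size < hdr) return MP4_BAD_SIZE;
        /* Compare with remaining; never compute off + size first. */
        if (size > remaining) return MP4_BAD_SIZE;
        off += (size_t)size;
        (*count)++;
    }
    return MP4_OK;
}

int main(void) { size_t n; return mp4_validate_chunks(sample_ok, sizeof sample_ok, &n); }
```
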
Ease of Attack:
What To Look For
No public information
No known false positives
Cisco Talos Intelligence Group
MITRE ATT&CK Framework
For reference, see the MITRE ATT&CK vulnerability types here:
CVE Additional Information
CVE-2015-3864: Integer underflow in the MPEG4Extractor::parseChunk function in MPEG4Extractor.cpp in libstagefright in mediaserver in Android before 5.1.1 LMY48M allows remote attackers to execute arbitrary code via crafted MPEG-4 data, aka internal bug 23034759. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-3824.