ID
VAR-E-201805-0081
CVE
cve_id: | CVE-2018-10751 | Trust: 1.5 |
EDB ID
44724
TITLE
Samsung Galaxy S7 Edge - Overflow in OMACP WbXml String Extension Processing - Android dos Exploit
Trust: 0.6
DESCRIPTION
Samsung Galaxy S7 Edge - Overflow in OMACP WbXml String Extension Processing. CVE-2018-10751. DoS exploit for the Android platform.
Trust: 0.6
AFFECTED PRODUCTS
vendor: | samsung | model: | galaxy s7 edge | scope: | - | version: | - | Trust: 1.6 |
vendor: | samsung | model: | galaxy s7 edge omacp wbxml string extension processing | scope: | - | version: | - | Trust: 0.5 |
EXPLOIT
OMACP is a protocol supported by many mobile devices which allows them to receive provisioning information over the mobile network. One way to provision a device is via a WAP push SMS message containing provisioning information in WbXML.
A malformed OMACP WAP push message can cause memory corruption on a Samsung S7 Edge device when processing the String Extension portion of the WbXml payload. This is due to an integer overflow in memory allocation for this string.
While OMACP WAP pushes require authentication, the entire WbXml payload of a push is parsed to extract the credentials, so this bug occurs pre-authentication.
To reproduce the issue:
1) install the attached Android application on a different phone than the one being tested for the issue
2) manually give the application SMS permissions in the settings screen
3) start the app and enter the phone number on the target device
4) press the "send wap push" button
The target phone will crash:
02-20 15:52:56.952 15197 15197 F DEBUG : pid: 15180, tid: 15196, name: IntentService[S >>> com.wsomacp <<<
02-20 15:52:56.952 15197 15197 F DEBUG : signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x731a800000
The WAP payload causing this problem is:
690b6d0733b401506694f4c6504cf6be7224df6199a9c0ec4b76db1f6e262c457fc0553dbb50863dfce2d5c55077c3ffffffff7f777777770A0604B6B6B6B6.
Code for the test app is also attached.
This was tested on Samsung build number NRD90M.G93FXXU1DQJ8, which is the most recent update on my device.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/44724.zip
Trust: 1.0
EXPLOIT LANGUAGE
txt
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
Overflow in OMACP WbXml String Extension Processing
Trust: 1.6
TAGS
tag: | exploit | Trust: 0.5 |
tag: | overflow | Trust: 0.5 |
CREDITS
Google Security Research
Trust: 0.6
EXTERNAL IDS
db: | EXPLOIT-DB | id: | 44724 | Trust: 1.6 |
db: | NVD | id: | CVE-2018-10751 | Trust: 1.5 |
db: | EDBNET | id: | 97962 | Trust: 0.6 |
db: | PACKETSTORM | id: | 147841 | Trust: 0.5 |
REFERENCES
url: | https://nvd.nist.gov/vuln/detail/cve-2018-10751 | Trust: 1.5 |
url: | https://bugs.chromium.org/p/project-zero/issues/detail?id=1532 | Trust: 1.0 |
url: | https://www.exploit-db.com/exploits/44724/ | Trust: 0.6 |
SOURCES
db: | PACKETSTORM | id: | 147841 |
db: | EXPLOIT-DB | id: | 44724 |
db: | EDBNET | id: | 97962 |
LAST UPDATE DATE
2022-07-27T09:53:53.767000+00:00
SOURCES RELEASE DATE
db: | PACKETSTORM | id: | 147841 | date: | 2018-05-24T17:41:50 |
db: | EXPLOIT-DB | id: | 44724 | date: | 2018-05-23T00:00:00 |
db: | EDBNET | id: | 97962 | date: | 2018-05-23T00:00:00 |