CVE-2015-7895
medium
CVSS v3
5.5
CVSS v4 NEW
โ
VIR risk
6.5
Description
Samsung Gallery on the Samsung Galaxy S6 allows local users to cause a denial of service (process crash).
Predictions
Exploit likelihood
55%
Patch ETA
โ
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Samsung Galaxy S6 Samsung Gallery - Bitmap Decoding Crash
Source: https://code.google.com/p/google-security-research/issues/detail?id=497
Loading the bitmap bmp_memset.bmp can cause a crash due to a memset writing out of bounds.
I/DEBUG ( 2961): pid: 12383, tid: 12549, name: thread-pool-1 >>> com.sec.android.gallery3d <<<
I/DEBUG ( 2961): signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x89e84000
I/DEBUG ( 2961): x0 0000000089e8117c x1 00000000000000ff x2 00000000177fe13c x3 0000000089e8117c
I/DEBUG ( 2961): x4 0000000000000004 x5 0000007f65f42300 x6 0000000000000002 x7 ffffffffffffffff
I/DEBUG ( 2961): x8 0000000089e83ff0 x9 0000007f65f020b0 x10 000000000000003c x11 000000000000003b
I/DEBUG ( 2961): x12 0000007f65f02080 x13 00000000ffffffff x14 0000007f65f02080 x15 00000000000061e0
I/DEBUG ( 2961): x16 0000007f6baccc10 x17 0000007f958f8d80 x18 0000007f9596da40 x19 0000007f65f0e180
I/DEBUG ( 2961): x20 0000007f65f54020 x21 00000000002f0020 x22 0000000000000020 x23 0000000005e00400
I/DEBUG ( 2961): x24 0000000000000004 x25 0000007f65f42300 x26 0000000000000020 x27 0000007f65f52080
I/DEBUG ( 2961): x28 00000000000001da x29 0000000013071460 x30 0000007f6ba7e40c
I/DEBUG ( 2961): sp 0000007f66796130 pc 0000007f958f8e28 pstate 0000000020000000
I/DEBUG ( 2961):
I/DEBUG ( 2961): backtrace:
I/InjectionManager(12532): Inside getClassLibPath caller
I/DEBUG ( 2961): #00 pc 0000000000019e28 /system/lib64/libc.so (memset+168)
I/DEBUG ( 2961): #01 pc 0000000000030408 /system/lib64/libSecMMCodec.so (sbmpd_decode_rle_complete+64)
I/DEBUG ( 2961): #02 pc 0000000000033440 /system/lib64/libSecMMCodec.so (DecodeFile+120)
I/DEBUG ( 2961): #03 pc 000000000000c90c /system/lib64/libSecMMCodec.so (Java_com_sec_samsung_gallery_decoder_SecMMCodecInterface_nativeDecode+436)
I/DEBUG ( 2961): #04 pc 000000000042ec00 /system/priv-app/SecGallery2015/arm64/SecGallery2015.odex
To reproduce, download the file and open it in Gallery.
This issue was tested on a SM-G925V device running build number LRX22G.G925VVRU1AOE2.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38613.zipReferences
- http://packetstormsecurity.com/files/134950/Samsung-Galaxy-S6-Samsung-Gallery-Bitmap-Decoding-Crash.html
- http://www.securityfocus.com/bid/77429
- https://bugs.chromium.org/p/project-zero/issues/detail?id=497&redir=1
- https://googleprojectzero.blogspot.ie/2015/11/hack-galaxy-hunting-bugs-in-samsung.html
- https://www.exploit-db.com/exploits/38613/
- http://packetstormsecurity.com/files/134950/Samsung-Galaxy-S6-Samsung-Gallery-Bitmap-Decoding-Crash.html
- http://www.securityfocus.com/bid/77429
- https://bugs.chromium.org/p/project-zero/issues/detail?id=497&redir=1
- https://googleprojectzero.blogspot.ie/2015/11/hack-galaxy-hunting-bugs-in-samsung.html
- https://www.exploit-db.com/exploits/38613/
CWEs
CWE-284
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.