Google has patched a vulnerability being exploited in the wild to root Nexus 5 Android devices.
The public exploit—a rooting application—was privately disclosed to Google on March 15 by Zimperium researchers, and a less than a month after CORE Team researchers reported that CVE-2015-1805, which was patched in 2014 in the Linux kernel, also affects Android devices.
The patch is part of today’s monthly Android patch release. The Android Nexus Security Bulletin patches 15 vulnerabilities rated critical by Google in eight Android components, including Mediaserver and libstagefright.
The elevation of privilege bug exploited by the rooting application is the lone kernel-level flaw patched this month and it affects Nexus versions 4.4.4, 5.0.2, 5.1.1, 6.0 and 6.0.1. Google warned last month that exploits could lead to permanent device compromise.
Rooting applications are particularly dangerous because they give their respective payloads system-level persistence. Zimperium founder and CTO Zuk Avraham told Threatpost the vulnerability could be chained with other exploits to gain deeper penetration onto a device.
“It allows for consistent elevation of privilege, so anyone with malicious intentions with code execution already on a device and wants higher code execution, could use it to get access to the microphone or camera, or read email, anything like that,” Avraham said. “But you do need an initial code execution vulnerability or a presence on the device like an app for example. Then you can use this exploit, which is quite generic, and gain kernel privileges on the device.”
As is becoming customary, the monthly Nexus security bulletins include fixes for critical Mediaserver and libstagefright vulnerabilities. Since the Stagefright flaws and exploits disclosed last summer during the Black Hat conference, researchers are taking a close look at this core and privileged component of Android. Attackers can exploit these bugs using malicious media files to gain kernel access.
“It’s old code that’s been there for a long time and it didn’t go through as intense security testing as other pieces of Android,” Zimperium’s Avraham said. “For some researchers, it doesn’t take much time to discover Stagefright vulnerabilities. If you have a device that’s a few months old and want to target them with [malicious] MP4 files, it’s relatively easy to find a vulnerability there. Every time you have a Stagefright bug and a kernel bug, an attacker can chain both and it’s game over.”
Today’s bulletin patches seven remote code execution bugs in Mediaserver, and one more in libstagefright. The update addresses memory corruption issues in both components.
“Stagefright gives an attacker initial code execution,” Avraham said. “You can send a link and trick the victim into opening it, or get man-in-the-middle and inject an iframe that shows the video, and once loaded—without interaction—the attacker gets initial code execution. To fully hack the device, chain it with a kernel exploit and at that point, you fully control the device.”
Also patched today, three critical flaws in DHCPCD that open the door to remote code execution in the context of the DHCP client. The DHCP service, Google said, has privileges that third party applications would not.
Google also patched a critical flaw in the Media Codec used by Mediaserver, which could be exploited by a crafted file to gain remote code execution.
Two Qualcomm components, the Qualcomm Performance Module and Qualcomm RF, were patched against elevation of privilege flaws. Both vulnerabilities could be exploited by malicious apps to execute code within the kernel.
The final critical vulnerability was patched in the common kernel and could also be exploited by a malicious app to gain remote code execution and permanent device compromise.
Google also today patched 16 vulnerabilities it rates a “high” severity, and eight others rated “moderate.”
