Google today released to open source a new patch for the infamous Stagefright vulnerability found in 950 million Android devices after researchers at Exodus Intelligence discovered the original patch was incomplete and Android devices remain exposed to attack.
“We’ve already sent the fix to our partners to protect users, and Nexus 4/5/6/7/9/10 and Nexus Player will get the OTA update in the September monthly security update,” a Google spokesperson told Threatpost. Last week at Black Hat, Google announced that it would begin monthly OTA security updates for Nexus, and that Samsung and LG also committed to providing carriers with regular updates.
The original four-line code fix for CVE-2015-3824, one of several patches submitted by researcher Joshua Drake of Zimperium Mobile Security’s zLabs, who discovered the flaw in Stagefright, still allows a crash and potentially a device takeover. Jordan Gruskovnjak, a security researcher at Exodus, found the problem with the patch, and Exodus founder Aaron Portnoy today hinted that there could be similar problems in all the patches.
“According to public sources, many more issues have been discovered since I reported the bugs in the MPEG4 processing. I expect we will see continuing fixes to the Stagefright code base for the coming months,” Drake said in an email to Threatpost. “The story is long from over.”
Portnoy said his company notified Google on Aug. 7, the first day of DEF CON in Las Vegas and two days after Drake’s Stagefright presentation at the Black Hat conference. Google has assigned CVE-2015-3864 to the issue.
Google, in the meantime, has patched its internal Android code branches, but as of yesterday it was still distributing the incomplete patches to handset makers and carriers for their over-the-air updates. Last Tuesday, Google updated its Nexus devices, the Nexus 4 through Nexus 10, along with the Nexus Player. Silent Circle and Mozilla were among the first vendors to patch their code as well, distributing fixes to the Blackphone and the Firefox browser respectively; Firefox includes a copy of Stagefright’s MP4 parsing code.
In addition to Nexus devices, Google said it sent the original patches to other mobile providers, including: Samsung for its Galaxy and Note devices; HTC for the HTC One; LG for the G2, G3 and G4; Sony for its Xperia devices; and Android One.
The vulnerabilities affect Android devices going back to version 2.2; newer versions of Android have built-in mitigations such as ASLR that make Stagefright exploits harder to land reliably. Google said last week that 90 percent of Android devices have ASLR enabled, and that the next release of its Messenger SMS app also contains a mitigation requiring users to tap on videos in order to play them, rendering one attack vector discovered by Zimperium’s Drake moot.
A report released today by Exodus Intelligence said that Gruskovnjak had doubts about the completeness of the patch on July 31, but was not able to verify the fix since one had not yet been distributed. Once Gruskovnjak had the updated firmware on a Nexus 5 phone, he built an MP4 file that bypassed the patch. The simplest attack vector, Drake said, is to send a crafted MMS message carrying such a file to a vulnerable device.
“They failed to account for an integer discrepancy between 32- and 64-bit,” Portnoy told Threatpost this morning. “They’re not accounting for specific integer types, and [Gruskovnjak] was able to bypass the patch with specific values that cause a heap buffer allocated to overflow.”
Zimperium publicized the vulnerability widely before and during Black Hat, and Google has had the original bug report since April, yet neither party noticed the flaw in the patch. Portnoy said Exodus submitted a fix of its own.
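The 32/64-bit discrepancy Portnoy describes above is easy to reproduce in miniature. The following C program is an added illustration, not code from the article, from Exodus, or from the Android source tree verbatim: it models a bounds check of the shape `SIZE_MAX - chunk_size <= size` (the shape of the first fix as publicly posted; treat the exact expressions and the names `chunk_size` and `size` as assumptions) and shows why it fails when `chunk_size` is a 64-bit atom length but `size_t` is 32 bits wide. A 32-bit build is simulated with `uint32_t` so the behaviour can be seen on a 64-bit host. The constructed values are chosen to make the arithmetic visible.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Reconstruction (added example, not the article's or AOSP's code verbatim)
 * of a length check like the one described in the text. uint32_t stands in
 * for size_t on a 32-bit Android build so the effect is visible on a 64-bit
 * host. Assumed names: chunk_size is the 64-bit length read from an MP4 atom
 * header; size is the amount of data already held for the track (a size_t).
 */
typedef uint32_t size32_t;          /* stand-in for size_t on 32-bit Android */
#define SIZE32_MAX UINT32_MAX       /* stand-in for SIZE_MAX on that build   */

/*
 * Flawed check, shape "SIZE_MAX - chunk_size <= size".
 * SIZE32_MAX is promoted to uint64_t because chunk_size is uint64_t. When an
 * attacker supplies chunk_size > SIZE32_MAX, the subtraction wraps to a huge
 * 64-bit value, the comparison is false, and the atom is NOT rejected.
 */
static bool flawed_check_rejects(uint64_t chunk_size, size32_t size)
{
    return (SIZE32_MAX - chunk_size) <= size;
}

/*
 * Corrected check: compute the headroom from the operand that cannot wrap
 * (size <= SIZE32_MAX always holds) and compare the 64-bit chunk_size
 * against it, so an oversized chunk is rejected regardless of width.
 */
static bool fixed_check_rejects(uint64_t chunk_size, size32_t size)
{
    return chunk_size >= (uint64_t)SIZE32_MAX - size;
}

/*
 * Number of bytes a 32-bit allocator would actually receive for an
 * allocation of "size + chunk_size": the 64-bit sum is truncated to size_t,
 * so a chunk_size just over 4 GiB yields a tiny buffer into which
 * chunk_size bytes are then copied, i.e. a heap overflow.
 */
static size32_t truncated_alloc_size(uint64_t chunk_size, size32_t size)
{
    return (size32_t)(size + chunk_size);
}

int main(void)
{
    size32_t size = 0x10;               /* constructed: 16 bytes already held      */
    uint64_t sane = 0x100;              /* constructed: ordinary atom length        */
    uint64_t evil = 0x100000010ULL;     /* constructed: > 4 GiB, truncates to 0x20  */

    printf("sane chunk: flawed rejects=%d, fixed rejects=%d\n",
           flawed_check_rejects(sane, size), fixed_check_rejects(sane, size));
    printf("evil chunk: flawed rejects=%d, fixed rejects=%d, alloc=%u bytes, copy=%llu bytes\n",
           flawed_check_rejects(evil, size), fixed_check_rejects(evil, size),
           truncated_alloc_size(evil, size), (unsigned long long)evil);
    return 0;
}
```

The mismatch only bites where `size_t` is narrower than the 64-bit length field, which is why the same source compiles to a safe check on a 64-bit build and an unsafe one on a 32-bit handset; the general rule is to bound the wide value against headroom computed from the narrow one, never the reverse.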
“Everyone tried coordinated disclosure going back to April, and that did not work so well,” Portnoy said, adding that he messaged Drake this morning about the issue. “The thing is, there have been so many eyes on that code, and by hyping it the way they did, malicious people have likely been looking as well, and maybe using it for malicious purposes.
“This is the same vulnerability; just with different values, you can still corrupt memory the same way as the last time,” Portnoy said. “It’s just as severe as the first day it was dropped.”
Drake, vice president of platform research and exploitation at Zimperium zLabs, told Threatpost last month that exploits could be particularly insidious because an attacker need only send a malicious MMS message, or a Google Hangouts message, that triggers the vulnerability without user interaction, then delete the message before the victim is aware. All an attacker would need, Drake said, is the device’s phone number.
Stagefright on Android devices is over-privileged, and is granted system access on some devices; it parses most common media formats, and because it is implemented in C++ rather than a memory-safe language, parsing bugs become memory-corruption bugs that are far simpler to exploit.
“On some devices, [Stagefright] has access to the system group, which is right next to root—very close to root—so it should be easy to get root from system,” Drake said. “And system runs a lot of stuff. You’d be able to monitor communication on the device and do nasty things.
“That process, you would think, would be sandboxed and locked down as much as it could because it’s processing dangerous, risky code, but it actually has access to the Internet. Android has a group enforcement where it allows [Stagefright] to connect to the Internet. This service is on all Android devices. I’d rather not have a service that’s doing risky processing have Internet access.”