Joshua Drake, the researcher who found the so-called Stagefright vulnerability in Android, today released exploit code to the public, which he hopes will be used to test systems’ exposure to the flaw.
The move comes more than a month after vulnerability details were released in August during presentations at the Black Hat and DEF CON security conferences in Las Vegas. Since then, Google has released updates that block the most serious exploit vector where an attacker could take over an Android device merely by sending it a malicious MMS message.
Drake, vice president of platform research and exploitation at Zimperium zLabs, said in July the bug could affect more than 950 million Android devices. He chose not to publish exploit code at the time, giving Google time to push patches to the Android Open Source Project and subsequently to handset manufacturers and carriers. He originally planned to release exploit code on Aug. 24.
Google, meanwhile, wasted no time in changing the way it releases security updates for Android, announcing at Black Hat that it would send monthly over-the-air updates to its Nexus phones. The move was mirrored by others, including Samsung and LG, and the first Nexus updates included patches for Stagefright. Silent Circle also patched its Blackphone and Mozilla patched Firefox, which uses Stagefright code in the browser.
Stagefright is the name of the media playback engine native to Android, and the vulnerabilities Drake discovered date back to version 2.2; devices older than Jelly Bean (4.2) are especially at risk since they lack exploit mitigations such as Address Space Layout Randomization (ASLR) that are present in newer versions of Android.
The problem is that Stagefright is an over-privileged application with system access on some devices, which enables privileges similar to apps with root access. Stagefright is used to process a number of common media formats, and it’s implemented in native C++ code, making it simpler to exploit.
“On some devices, [Stagefright] has access to the system group, which is right next to root—very close to root—so it should be easy to get root from system,” Drake told Threatpost in July. “And system runs a lot of stuff. You’d be able to monitor communication on the device and do nasty things.
“That process, you would think, would be sandboxed and locked down as much as it could because it’s processing dangerous, risky code, but it actually has access to the Internet. Android has a group enforcement where it allows [Stagefright] to connect to the Internet. This service is on all Android devices. I’d rather not have a service that’s doing risky processing have Internet access.”
An attacker can send a vulnerable device a specially crafted MMS or Google Hangouts message that exploits the flaw. The MMS does not have to be viewed or read, and can be deleted remotely by the attacker before the victim is aware the phone ever received it.
“Google released new versions of Hangouts and Messenger to block automatic processing of multimedia files arriving via MMS. We’ve tested these updated versions and are happy to confirm they prevent unassisted remote exploitation,” Zimperium said today in a blog post. “However, this attack vector constituted only the worst of more than 10 different ways potentially malicious media is processed by the Stagefright library. With these other vectors still present, the importance of fixing issues within the code base remains very high.”
Other researchers, meanwhile, found additional security issues using Stagefright as a starting point, including a researcher from Exodus Intelligence who demonstrated that one of the patches built and submitted by Drake was incomplete. Using the updated firmware on a Nexus 5 phone, Exodus’ Jordan Gruskovnjak developed an MP4 file that bypassed the patch.
“They failed to account for an integer discrepancy between 32- and 64-bit,” Exodus founder Aaron Portnoy told Threatpost. “They’re not accounting for specific integer types, and [Gruskovnjak] was able to bypass the patch with specific values that cause a heap buffer allocated to overflow.”
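As an added illustration of the integer-width mismatch Portnoy describes (a constructed example, not the Stagefright source or Drake's patch): a bounds check evaluated in 64-bit arithmetic that a 32-bit allocation then undercuts, beside a form that pins the types down first. The 32-bit size_t is modelled with uint32_t so the result is the same on any host.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model: a 32-bit build of a media parser appends chunk payloads
 * to one heap buffer. buf_size is the current buffer size (a 32-bit size_t,
 * modelled as uint32_t); chunk_size is the 64-bit length field read from the
 * file. Neither function is Stagefright's real code. */
typedef uint32_t size32_t;
#define SIZE32_MAX UINT32_MAX

/* Flawed guard: because chunk_size is 64 bits wide, the subtraction is done
 * in 64-bit arithmetic. A chunk_size above SIZE32_MAX makes it wrap to a
 * huge value, the comparison is false, and the oversized chunk is accepted
 * even though the later 32-bit allocation cannot hold it. */
static bool accept_chunk_flawed(size32_t buf_size, uint64_t chunk_size)
{
    if (SIZE32_MAX - chunk_size <= buf_size)
        return false;   /* rejects only overflows within the 32-bit range */
    return true;
}

/* Hardened guard: first bound the 64-bit field to what the allocator's
 * width can represent, then check the addition in that width. */
static bool accept_chunk_fixed(size32_t buf_size, uint64_t chunk_size)
{
    if (chunk_size > (uint64_t)SIZE32_MAX)
        return false;   /* cannot fit in a 32-bit size_t at all */
    if ((size32_t)chunk_size > SIZE32_MAX - buf_size)
        return false;   /* buf_size + chunk_size would wrap */
    return true;
}

/* The byte count the allocator would actually receive: the 64-bit sum
 * truncated to 32 bits, which is why the accepted chunk overflows. */
static size32_t alloc_size(size32_t buf_size, uint64_t chunk_size)
{
    return (size32_t)(buf_size + chunk_size);
}

int main(void)
{
    const size32_t buf = 0x40;
    const uint64_t big = 0x100000010ULL;   /* 4 GiB + 16: above SIZE32_MAX */
    printf("flawed accepts 4GiB+16 chunk: %d\n", accept_chunk_flawed(buf, big));
    printf("fixed  accepts 4GiB+16 chunk: %d\n", accept_chunk_fixed(buf, big));
    printf("bytes actually allocated:     %u\n", (unsigned)alloc_size(buf, big));
    return 0;
}
```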
This bug has been patched in AOSP, as have many of the other Stagefright issues, leading some to speculate that the next OTA update from Google could be one of the biggest security fixes ever.
“The most positive thing about our Stagefright research is waking the ecosystem and forcing it to realize updates must distribute more timely. Industry leading vendors clearly stated that they intend to provide security updates on a monthly basis,” Zimperium said. “Now that we are facing additional vulnerabilities, we’ll see for ourselves if our devices get these updates or not. In the meantime, updates addressing the initial set of issues we disclosed continue to roll out to affected devices.”