Google Shuts Down Potentially Massive Android Bug

Google patched another critical vulnerability that affects potentially every Android device that is exploitable just with a specially crafted jpeg file.

The Android ecosystem may have dodged another Stagefright-type of vulnerability.

Google’s monthly Android Security Bulletin released on Tuesday not only patched the remaining Quadrooter vulnerabilities, but also fixed another wide-ranging flaw that could allow an attacker to easily compromise—or at least brick—any Android device dating back to version 4.2.

The key to staving off another Stagefright is that yesterday’s patch features a complete overhaul of the offending jhead library, mitigating the possibility of recurring critical bugs, which, for example, continue to plague Mediaserver on an almost-monthly basis.

Tim Strazzere, director of mobile research at SentinelOne, found the vulnerability (CVE-2016-3862) and that that it would require just a specially crafted jpeg file in order to exploit the issue. Strazzere, admittedly not a proficient exploit writer, said he was able to cause his brand new Nexus 6P device to crash and reboot, and added that the bug could also likely be used by an advanced attacker to gain remote code execution on an Android device. This is especially true on older versions of Android where there are fewer exploit mitigations built into the operating system.

“This bug I found specifically is in a library that tries to read Exif data out of jpegs,” Strazzere said. “Any app using that library is affected by this.”

Exif is a standard that defines formats for metadata in images recorded by digital cameras.

Strazzere tested his proof of concept exploit over Gmail and Gchat. He said no user interaction is required to trigger the bug, just that the application calling jhead parses image data from jpeg files. He said this could extend to a multitude of web-based apps including social media apps where a malicious jpeg file loaded as a profile avatar, for example, could, at a minimum, crash Android devices.

“I tested it with Gchat and Gmail, and if I send you a file, because the phone syncs and gets the email, that triggers the bug,” Strazzere said. “You don’t have to click on the image or touch the attachment. Just open email, and that would trigger the bug.

“To an advanced attacker, this was relatively easy to find and in their wheelhouse to exploit,” Strazzere said. “You would have access to anything that app had access to, or leverage another exploit to get system privileges or root.”

The jhead library is used to obtain and use data in the Exif header in jpeg images, such as timestamp information, camera data and thumbnails. In Android, Mediaserver is one component that talks to the jhead library, and Google rated it yesterday a critical vulnerability because of the potential for remote code execution.

Google addressed the issue, Strazzere said, by removing support for the jhead library as it’s currently written.

“Google did a great job with its response and the way it’s fixing this by removing all the C code. The library is now gone, and they’re rewriting it in Java,” Strazzere said, adding that there were additional bugs and vulnerabilities in jhead that would have bubbled to the surface. “It’s unlikely that new bugs will come out of what was fixed because they’ve replaced it with a safer language. They took out all of the old functionality they were using and rewrote all of that in Java code.

“I think we’re still going to see some bugs, but they will not be critical severity. This was definitely the correct way to fix this.”

Google’s Android Rewards program awarded Strazzere a $4,000 bounty, which Google doubled because Strazzere and SentinelOne donated the reward to Girls Garage in the Bay Area, a skills-building program for girls aged 9-13.

Suggested articles

Discussion

  • ALAN COVELL on

    Today, Chase Bank Customers got an SMS from the Dominican Republic, tellingt one and all to go to a certain URL rot do an account reset. This looks like the foundation of an XSRF attack. Haven't heard since I phoned it in, but not he fact that they hit a large number of Chase Customers at once, both on Chase premises Andy off, indicates that somebody might have leaked a Chase Customer phone list. Smells like "Breach" spirit.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.