This week’s Android Security Bulletin patched a calamity of vulnerabilities that threatened almost every device in circulation and illustrated the fragility of the Android ecosystem.
The bulletin addressed more than 50 vulnerabilities, including nine rated critical by Google because of the possibility of remote code execution. Off the top, Google fixed the two remaining unpatched Quadrooter vulnerabilities in Qualcomm chips, as well as a critical bug in the jhead library that could exploited by a single specially crafted jpeg file.
Google’s internal research team, Project Zero, followed suit and on Wednesday and disclosed details of a critical flaw in Libutils that was patched this week. The bug harkens back to the second set of Stagefright bugs disclosed last October, and it too can impact most Android devices in use today, though it’s admittedly difficult to exploit. Like the Stagefright bugs and the Mediaserver component in Android, any application that calls Libutils is at risk.
“This is similar to the Stagefright 2.0 vulnerability where it’s in a core library and there are a lot of different attack vectors,” said Joshua Drake, vice president of platform research and exploitation at Zimperium Labs. “This one goes through libstagefright. It’s not a Stagefright bug, but an attack vector is through libstagefright.”
Google researcher Mark Brand published a lengthy technical description of the flaw and a proof-of-concept exploit centered on Mediaserver. Other applications likely in the line of fire include system_server, drmserver, keystore and surfaceflinger on Android.
“Basically, any application that uses the library is vulnerable. It is unknown just how many applications and services use this library,” said Duo Labs director of security research Steve Manzuik. “But in the proof of concept, Mediaserver is used to demonstrate the bug which of course was also the target of Stagefright exploits. It appears that exploitation (against unpatched devices of course) is moderately hard, on modern Android versions you have to bypass ASLR.”
Brand’s report says the vulnerable code in Libutils lies in the conversion between UTF-16 and UTF-8. UTF-16 is the 16-bit Unicode transformation format that encodes all possible Unicode characters.
“It’s an extremely serious bug, since the vulnerable code path is accessible from many different attack vectors, and it can be leveraged both for remote code execution and for local privilege elevation into the highly privileged system_server SE Linux domain,” Brand said.
Brand said he discovered a hiccup in Libutils and UTF-16 that allows him to control the size of a buffer allocation and overflow.
Mediaserver, meanwhile, he said, was the perfect attack vector for a remote exploit, where Unicode conversions are handled in the processing of ID3 tags. ID3 tags are used in MP3s, for example, to describe the contents of an audio files such as song titles, the artist’s name and other metadata.
“Using the Stagefright library, you can reach this bug through ID3 parsing,” Drake said. “Stagefright uses Unicode, which has the bug in it.”
Brand said previous work done in understanding and exploiting Stagefright helped him in producing a proof-of-concept that would create a crash. Bypassing ASLR and other mitigations—in particular in Android-N—were a bigger challenge, he said.
“A lot of general hardening work has gone into N, and the results are impressive. That’s not to say that exploiting this bug was impossible on N – but a full chain would be significantly more complex,” Brand said.
While the initial Stagefright research spurred researchers to dig deeply into Mediaserver—for months, the Android Security Bulletin has included critical remote code execution flaws in Mediasever—Drake thinks Libutils’ smaller code base will preclude another rush of bug reports.
“I think there’s a lot of code in Android that was not getting a lot of eyes on it that is now getting more, and as that continues to happen and the Android Rewards Program grows, you’re going to see critical issues being reported for the foreseeable future,” Drake said.