When researcher Joshua Drake published details in August about critical Android vulnerabilities in the Stagefright media playback engine, he promised there would be more issues that he and others would find and report to Google’s Android security team.
Today, Drake, vice president of platform research and exploitation at Zimperium, disclosed two more flaws in Stagefright, one that dates back to the first version of Android, and a second dependent vulnerability that was introduced in Android 5.0. The bugs affect more than one billion Android devices, essentially all of them in circulation.
While the first Stagefright flaw was patched in short order by Google and deployed by carriers and handset makers, updates for these two vulnerabilities are not yet available to the general public. A Google spokesperson told Threatpost today that the patches were provided to partners on Sept. 10. The patches will be rolled out to Nexus users and included in the next monthly Android security update scheduled for Oct. 5. The patches were also, inadvertently, pushed to the Android Open Source Project (AOSP), said Zuk Avraham, chairman and founder of Zimperium.
The risks with these vulnerabilities, dubbed Stagefright 2.0, are nearly identical to the original Stagefright flaws; the only difference is that the attack vector for the first bugs has been patched. Successful exploits would enable remote code execution and lead to privilege escalation, putting an attacker in control of a compromised device. The attacker would have access to personal data and photos stored on the phone, be able to take photos, record conversations, exfiltrate email and SMS/MMS messages and load additional apps.
“It’s as dangerous as Stagefright 1.0,” said Avraham, who added that Zimperium is not aware of public exploits of these issues. But given that one of the bugs has been in Android since the very beginning, it’s likely they could have been used in an attack.
Stagefright 1.0, however, was exploited via a specially crafted MMS message, which was at the time automatically processed by Stagefright. Google’s patch means Stagefright no longer does so, especially in new versions of Google’s Messenger and Hangouts apps. With Stagefright 2.0, Avraham said the most logical attack vector would be the mobile browser, where an attacker tricks the victim via phishing or malvertising to visit a URL hosting the exploit. An attacker could also inject the exploit via a man-in-the-middle attack, or host a malicious third-party app that uses the vulnerable library.
Like the first set of attacks, Stagefright 2.0 exploits are a way onto the phone. Stagefright is granted some system-level privileges, giving the attacker the opportunity to elevate their privileges with additional attacks in order to control the device.
“It’s a library that was written very badly,” Avraham said of Stagefright. “The library itself is pretty vulnerable; it has a lot of code mistakes. The media processing is not as safe as it should be.”
One of the vulnerabilities has been assigned CVE-2015-6602 and was found in a core Android library called libutils; it has been in the Android OS since it was first released and before there were even Android mobile devices. The second vulnerability was introduced into libstagefright in Android 5.0; it calls into libutils in a vulnerable way, Avraham said. An attacker would use a specially crafted MP3 or MP4 file in this case to exploit the vulnerabilities.
The libutils vulnerability is critical because it could extend into many areas of Android.
“Determining all possible ways that a core library component has been used across the Android ecosystem is an insurmountable task,” said a FAQ published by Zimperium. “Every piece of code that uses the vulnerable library needs to be inspected to see if it calls APIs within libutils in a vulnerable way. Then, each potentially vulnerable use would need to be inspected and analyzed individually.”
The libstagefright issue affects apps that utilize Android’s multimedia APIs, which call into the library.
“In each case, the vulnerable code runs inside mediaserver,” Zimperium said.
Stagefright 1.0 was disclosed during presentations given by Drake at Black Hat and DEF CON in August. The original exploits were particularly worrisome given that an attacker need only know the victim’s phone number in order to send a crafted MMS message to a phone to trigger the vulnerability without user interaction; an attacker could also delete the MMS before the victim was aware it was sent.
Stagefright is an over-privileged application with system access on some devices, which enables privileges similar to apps with root access. Stagefright is used to process a number of common media formats, and it’s implemented in native C++ code, making it simpler to exploit.
“On some devices, [Stagefright] has access to the system group, which is right next to root—very close to root—so it should be easy to get root from system,” Drake told Threatpost in July. “And system runs a lot of stuff. You’d be able to monitor communication on the device and do nasty things.
“That process, you would think, would be sandboxed and locked down as much as it could because it’s processing dangerous, risky code, but it actually has access to the Internet,” Drake said. “Android has a group enforcement where it allows [Stagefright] to connect to the Internet. This service is on all Android devices. I’d rather not have a service that’s doing risky processing have Internet access.”