Google Android Stagefright flaw exploit code released

The researchers hope the release will assist vendors in testing devices for vulnerabilities -- and therefore improve patch rollouts.


An exploit based on the Android Stagefright set of vulnerabilities has been released online.

Stagefright, a nasty collection of vulnerabilities in the Android libstagefright media library, is a world away from traditional malware, phishing attacks and viruses. Instead, inherent flaws in the mobile operating system have given rise to a number of critical vulnerabilities which allow hackers to take control of vulnerable, unpatched devices -- sometimes through nothing more than a text message.

Rolling out fixes for Stagefright issues has not been an easy journey for Google. Due to issues surrounding device patches being properly distributed to vendors and afterwards millions of users, a new monthly security patch rollout is being established for Android devices.

Nexus devices are the first to receive these updates, which will contain fixes based on vendor security bulletins.

Some of the fixes issued to combat Stagefright were only temporary measures to reduce levels of risk. For example, new versions of Google Hangouts and Messenger have been released which block the automatic acceptance of multimedia content sent via MMS -- which blocks one of the worst Stagefright attacks -- but not others.

The researcher who originally discovered Stagefright, Zimperium zLabs VP of Platform Research and Exploitation Joshua Drake, has held off releasing exploit code based on Stagefright due to the months it has taken for Google and vendors to issue patches and updates, but the code is now available for testing purposes.

The researcher's files include a Python script which generates an MP4 exploiting the 'stsc' vulnerability (CVE-2015-1538), one of the most critical issues relating to the Stagefright library.

The exploit demonstrates that Stagefright can provide an avenue for remote code execution (RCE) without any kind of user action, according to the researchers. The result is a reverse shell as the media user -- granting an attacker access to content, as well as the ability to take pictures or listen to the microphone without betraying their presence -- and without the need to exploit additional vulnerabilities. The team said:

"We are pleased to finally make this code available to the general public so that security teams, administrators, and penetration testers alike may test whether or not systems remain vulnerable."

The exploit is not a generic exploit, having only been tested to work on a single model, a Google Nexus running Android 4.0.4. In addition, the exploit is not completely reliable due to "variances in heap layout," according to the researchers.

However, 100 percent reliability was achieved when an attack vector which allowed multiple intrusion attempts was utilized.

The vulnerability is one of several that are no longer exploitable on Android version 5, Lollipop, or later.


Naturally, the researchers encourage software vendors who have not yet provided device updates to address the risk of Stagefright to do so as soon as possible. Now that the exploit has been released into the wild, perhaps this will propel fixes forward more rapidly in order to keep users safe from attack.

There is also an app available, Stagefright Detector, which is able to scan devices to detect whether unpatched libstagefright vulnerabilities are present. The team is currently working to include the app's detection capabilities directly in Android's Compatibility Test Suite (CTS) -- a quality protection platform which makes sure all future Android-compatible devices have resolved these issues before shipment.

In related news, this month's Patch Tuesday fixed five critical issues within Microsoft products. In total, 56 separate vulnerabilities were addressed, affecting software including the Windows operating system, Microsoft Office and the new Microsoft Edge browser.
