New Stagefright Exploit Takes a Bow
Stagefright, a multimedia library in Android 2.2 and higher, has been exploited again, according to news reports published last week.
Details of the latest exploit, named "Metaphor," were published earlier this month in a paper from NorthBit.
Metaphor affects Android 2.2-4.0 and 5.0-5.1.
That works out to about 30 percent of all Android devices, according to Statista.
It bypasses address space layout randomization, or ASLR, which Google had introduced as a security measure.
"The original Stagefright vulnerability disclosures showed us that yes, there are issues with this library," observed Andrew Blaich, lead security analyst at Bluebox Security.
"Metaphor confirms this problem is real and is using the disclosed vulnerabilities and research to produce a real attack that affects Android users," he told LinuxInsider.
What Metaphor Does
Metaphor abuses the way mediaserver parses the tx3g atom in MPEG-4 files, the atom used to embed subtitles (timed text) into media.
A malformed atom produces a heap overflow in which the attacker controls both how much is written past the end of the buffer and what is written. By carefully shaping the heap beforehand, the exploit predicts where its target object will be allocated.
It consists of the following modules:
- Crash, which generates a small and generic media file, crashes mediaserver to reset its state, and checks the presence of the vulnerability when automating tests and building lookup tables;
- RCE, which generates a device-customized media file that executes shellcode in mediaserver; it takes the runtime ASLR slide as a parameter and translates gadget offsets to absolute addresses;
- Leak, which generates a device-customized media file to leak memory from the mediaserver process.
However, Leak isn't supported on Chrome before version 19 and doesn't work on Samsung's SBrowser, although NorthBit hasn't figured out why.
Further, Metaphor requires the attacker to have some prior knowledge about the victim's device, NorthBit said.
Building a universal exploit requires creating lookup tables for each ROM, and it may still be necessary to elevate privileges of the mediaserver process as different vendors give mediaserver and its groups different permissions.
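The size arithmetic at the heart of the tx3g bug, as an added illustration that is not NorthBit's code and not the Android source: a file-supplied chunk length is added to the payload already accumulated, the sum wraps, the parser allocates a buffer far smaller than what it then copies in, and both the overflow length and its contents come from the file. The unsafe computation is shown beside a checked version, followed by a small ISO BMFF box walker that accumulates tx3g payloads with the checked arithmetic and also verifies that each box's declared size fits the bytes actually present. The box layouts, fourcc handling, the 16 MiB cap and the sample byte strings are this example's own constructions.

```c
/* Added example (not NorthBit's or the Android source): tx3g size arithmetic,
 * unsafe and checked, plus a toy box walker that uses the checked version. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { TX3G_OK = 0, TX3G_MALFORMED = -1, TX3G_NOMEM = -2 };

/* Timed-text payload accumulated across the tx3g boxes of one track. */
typedef struct { uint8_t *data; size_t size; } Tx3gAccum;

/* Unsafe pattern: the sum is formed in size_t, so a file-supplied chunk_size
 * can wrap it to a small value. Allocating that much, copying the old payload
 * and then reading chunk_size bytes overruns the buffer, with both overflow
 * length and contents chosen by the file's author. Returned for inspection
 * only; nothing is allocated or written here. */
static size_t tx3g_alloc_size_unsafe(size_t size, uint64_t chunk_size) {
    return size + (size_t)chunk_size;
}

/* Checked version: refuse a chunk that cannot be added without wrapping, and
 * cap the total (assumed limit; subtitle data is never gigabytes long). */
#define TX3G_MAX_TOTAL ((size_t)16 * 1024 * 1024)
static int tx3g_alloc_size_checked(size_t size, uint64_t chunk_size, size_t *out) {
    if (chunk_size > (uint64_t)SIZE_MAX) return TX3G_MALFORMED;   /* 32-bit hosts */
    if (SIZE_MAX - (size_t)chunk_size < size) return TX3G_MALFORMED; /* would wrap */
    if (size + (size_t)chunk_size > TX3G_MAX_TOTAL) return TX3G_MALFORMED;
    *out = size + (size_t)chunk_size;
    return TX3G_OK;
}

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static uint64_t rd64(const uint8_t *p) { return (uint64_t)rd32(p) << 32 | rd32(p + 4); }

/* Walk a flat run of boxes (size, fourcc[, largesize]) and append every tx3g
 * payload. Declared box sizes are also checked against the bytes present. */
static int tx3g_collect(const uint8_t *buf, size_t len, Tx3gAccum *acc) {
    size_t off = 0;
    acc->data = NULL;
    acc->size = 0;
    while (off < len) {
        if (len - off < 8) return TX3G_MALFORMED;
        uint64_t box_size = rd32(buf + off);
        size_t hdr = 8;
        if (box_size == 1) {                     /* 64-bit largesize follows */
            if (len - off < 16) return TX3G_MALFORMED;
            box_size = rd64(buf + off + 8);
            hdr = 16;
        } else if (box_size == 0) {              /* box runs to end of data */
            box_size = len - off;
        }
        if (box_size < hdr || box_size > len - off) return TX3G_MALFORMED;
        uint64_t payload = box_size - hdr;
        if (memcmp(buf + off + 4, "tx3g", 4) == 0) {
            size_t new_size;
            int rc = tx3g_alloc_size_checked(acc->size, payload, &new_size);
            if (rc != TX3G_OK) return rc;
            uint8_t *grown = realloc(acc->data, new_size ? new_size : 1);
            if (!grown) return TX3G_NOMEM;
            memcpy(grown + acc->size, buf + off + hdr, (size_t)payload);
            acc->data = grown;
            acc->size = new_size;
        }
        off += (size_t)box_size;
    }
    return TX3G_OK;
}

/* Constructed sample: tx3g "ABCD", an unrelated 'free' box, then a largesize
 * tx3g "xyz". Expected: 7 accumulated bytes, "ABCDxyz". */
static const uint8_t SAMPLE_GOOD[] = {
    0x00, 0x00, 0x00, 0x0C, 't', 'x', '3', 'g', 'A', 'B', 'C', 'D',
    0x00, 0x00, 0x00, 0x08, 'f', 'r', 'e', 'e',
    0x00, 0x00, 0x00, 0x01, 't', 'x', '3', 'g',
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x13, 'x', 'y', 'z',
};
/* Constructed hostile sample: a tx3g box claiming 0xFFFFFFF0 bytes. */
static const uint8_t SAMPLE_BAD[] = {
    0xFF, 0xFF, 0xFF, 0xF0, 't', 'x', '3', 'g', 'A', 'B', 'C', 'D',
};

int main(void) {
    Tx3gAccum acc;
    int rc = tx3g_collect(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &acc);
    printf("good: rc=%d size=%zu\n", rc, acc.size);
    free(acc.data);
    rc = tx3g_collect(SAMPLE_BAD, sizeof SAMPLE_BAD, &acc);
    printf("bad: rc=%d (TX3G_MALFORMED is %d)\n", rc, TX3G_MALFORMED);
    printf("unsafe sum wraps to %zu\n",
           tx3g_alloc_size_unsafe(0x40, (uint64_t)SIZE_MAX - 0x20));
    return 0;
}
```

The two checks are independent and both matter: the wrap test protects the allocation arithmetic even when chunk bytes come from a stream whose length the parser cannot see in advance, while the declared-size-versus-available-bytes test catches the more common truncated or lying header before any arithmetic is done.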
Still, having to build lookup tables for each ROM is a small hurdle toward achieving mainstream malware capacity, noted Jason Haddix, director of technical operations at Bugcrowd.
How Many Are at Risk?
Some 235 million people are at risk, he told LinuxInsider.
Those "are estimates based on device sales and should be taken with a grain of salt," Haddix said, but "a very large percentage of people are subject to this attack. With remote exploitation possible and a way to bypass the strongest security -- ASLR in this case -- it is a very big deal."
On the other hand, ASLR "does not have as much randomness as most folks would like, which makes it a low hurdle for attackers to get past," Bluebox Security's Blaich pointed out.
Android devices patched in October or later are protected because of the fix Google issued, a Google spokesperson told LinuxInsider in a statement provided by the company's Aaron Stein.
That fix was for CVE-2015-3864, the tx3g integer overflow Metaphor exploits; it is itself a rework of the original Stagefright patch (for CVE-2015-3824), which did not fully close the hole.
"Google continues to audit and patch Stagefright and its related libraries each month with their monthly security updates," Blaich pointed out. "However, the vast majority of Android devices remain unpatched to these fixes."
Carriers and device manufacturers add considerable delay because they test each patch before releasing it to consumers.
Even if Google replaces or overhauls Stagefright, Haddix remarked, "it's hard to force device manufacturers to force upgrades for all but the newest phones."