two vulnerabilities impacts almost every Android
Following our discovery of vulnerabilities in the Stagefright library in April, Zimperium Mobile Threat Protection, zLabs VP of Research Joshua J. Drake continued researching media processing in Android. His continued research, which focused on remote attacks against current devices, led to the discovery of yet another security issue.
Meet Stagefright 2.0, a set of two vulnerabilities that manifest when processing specially crafted MP3 audio or MP4 video files. The first vulnerability (in libutils) impacts almost every Android device since version 1.0, released in 2008. We found methods to trigger that vulnerability in devices running version 5.0 and up using the second vulnerability (in libstagefright). Google assigned CVE-2015-6602 to the vulnerability in libutils. We plan to share CVE information for the second vulnerability as soon as it is available.
What is the impact of this issue?
- Confirmed remote code execution (RCE) impact via libstagefright on Android 5.0 and later.
- Older devices may be impacted if the vulnerable function in libutils is used (by third-party apps, or by vendor or carrier functionality pre-loaded on the phone).
What is the vulnerability?
Processing specially crafted MP3 or MP4 files can lead to arbitrary code execution.
How can the attack be triggered?
The vulnerability lies in the processing of metadata within the files, so merely previewing the song or video would trigger the issue. Since the primary attack vector of MMS has been removed in newer versions of Google’s Hangouts and Messenger apps, the likely attack vector would be via the Web browser.
- An attacker would try to convince an unsuspecting user to visit a URL pointing at an attacker-controlled Web site (e.g., mobile spear-phishing or a malicious ad campaign).
- An attacker on the same network could inject the exploit into unencrypted network traffic destined for the browser, using common traffic interception (MITM) techniques.
- Third-party apps (media players, instant messengers, etc.) that use the vulnerable library are a further vector.
How is Zimperium responding to these issues?
We notified the Android Security Team of this issue on August 15th. Per usual, they responded quickly and moved to remediate. They assigned CVE-2015-6602 to the libutils issue but have yet to provide us with a CVE number to track the second issue. We would like to thank Google for their cooperation and for promptly including the fix in the upcoming Nexus Security Bulletin, scheduled to be released next week.
Empowering end users and ZHA partners
At this point, we do not plan to share a proof-of-concept exploit for this new vulnerability with the general public. Once a patch is available, we will update our Stagefright Detector app to detect this vulnerability.
After reporting this vulnerability to Google, we sent an update to our Zimperium Handset Alliance (ZHA) partners. We are planning to share proof-of-concept code with verified ZHA members later this month. We encourage vendors to update their Android devices to incorporate the fix as soon as possible.
Impacting the ecosystem
As more and more researchers explore the vulnerabilities that exist within the Stagefright library and associated libraries, we expect to see more vulnerabilities in the same area. Many researchers in the community have said that Google replied to their bug reports saying the bugs were duplicates or had already been discovered internally.
The research provided by Zimperium in this area has been a catalyst for change. Following our initial Stagefright announcement, industry-leading vendors made a clear statement that security updates will be provided on a monthly basis. So far, two monthly Nexus Security Bulletins have already been posted. Next week will be the third.
Detecting attacks with z9
At the heart of all Zimperium technology is our z9 engine, which has been trained with the capability to detect media processing attacks through all attack vectors. No additional update is required to detect this new pair of vulnerabilities. We are diligently monitoring sources for in-the-wild attacks.