Google flubs patch for Stagefright security bug in 950 million Androids

Update flawed, new one needed for countless gadgets

Google's security update to fix the Stagefright vulnerability in millions of Android smartphones is buggy – and a new patch is needed.

The Stagefright flaw is named after a component within the Android operating system that, among other things, processes incoming text messages that contain video clips. By sending a vulnerable Android device a specially crafted multimedia message, it is possible to inject and execute malicious code on that gadget. It affects Android 2.2 to 5.1, so about 950 million devices. Version 4.1 and later have defenses to limit some of the damage that can be done.

If you're a Nexus owner, the Stagefright security update should already be installed on your Android device. However, of the six patches in the bundle, one needs more work – meaning, patched devices are still potentially vulnerable to attack via Stagefright.

Researchers at Exodus Intelligence spotted a mistake in this particular source-code tweak, and crafted an MP4 video file to prove the patched Android library is still vulnerable. The Stagefright library crashes when trying to open that data in a multimedia message, and the team say the programming blunder is exploitable.

Exodus warned Google about it on August 7, and today published code showing how it's done because "Google is still distributing the faulty patch to Android devices via over-the-air updates." The vulnerability has been assigned CVE-2015-3864.

"There has been an inordinate amount of attention drawn to the bug – we believe we are likely not the only ones to have noticed it is flawed. Others may have malicious intentions," Exodus warned in a blog post.

"Google employs a tremendously large security staff, so much so that many members dedicate time to audit other vendor’s software and hold them accountable to provide a code fix within a deadline period. If Google cannot demonstrate the ability to successfully remedy a disclosed vulnerability affecting their own customers then what hope do the rest of us have?"

Where it went wrong

The problem lies in this code in the Stagefright library:

uint64_t chunk_size = ntohl(hdr[0]); 
int32_t chunk_type = ntohl(hdr[1]); 
off64_t data_offset = *offset + 8; 
if (chunk_size == 1) { 
   if (mDataSource->readAt(*offset + 8, &chunk_size, 8) < 8) {
      return ERROR_IO;
   }
   chunk_size = ntoh64(chunk_size);

The variable chunk_size is read from the video file's data, and if it is equal to 1, its value is replaced by a 64-bit value again loaded from the video data. Later on, we reach this code. SIZE_MAX is a 32-bit value, 0xFFFFFFFF.

if (SIZE_MAX - chunk_size <= size) {
   return ERROR_MALFORMED;
}

If chunk_size, a 64-bit unsigned integer, is greater than SIZE_MAX, the subtraction wraps around to a huge unsigned value and the check is bypassed. The value is then added to a size variable, truncated to a 32-bit integer, and used to read too much data into another buffer, triggering a fault and a crash.
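
The arithmetic described above, as an added example that is not from the original article, the Android source or the Exodus proof of concept. It assumes a 32-bit size_t, modelled here with uint32_t so the result is the same on a 64-bit host; the function names and sample values are constructed, and the rearranged comparison is one way to write the check, not necessarily the fix Google shipped.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: size_t is 32 bits wide, as the article states for SIZE_MAX.
   uint32_t stands in for it so the result is the same on a 64-bit host. */
typedef uint32_t size32_t;
#define SIZE32_MAX UINT32_MAX /* 0xFFFFFFFF */

/* The check as quoted in the article. Returns true if the chunk is rejected.
   SIZE32_MAX is widened to 64 bits, so for chunk_size > SIZE32_MAX the
   subtraction wraps modulo 2^64 to a huge value that is never <= size. */
bool flawed_check_rejects(uint64_t chunk_size, size32_t size) {
    return (SIZE32_MAX - chunk_size) <= size;
}

/* What is left of size + chunk_size once it is stored in 32 bits. */
size32_t truncated_total(uint64_t chunk_size, size32_t size) {
    return (size32_t)(size + chunk_size);
}

/* Rearranged comparison: SIZE32_MAX - size cannot wrap because
   size <= SIZE32_MAX, and the 64-bit chunk_size is compared unmodified. */
bool hardened_check_rejects(uint64_t chunk_size, size32_t size) {
    return chunk_size >= (uint64_t)(SIZE32_MAX - size);
}

int main(void) {
    /* Constructed sample values, not taken from any real file. */
    const size32_t size = 16;
    const uint64_t samples[] = { 100, 0xFFFFFFF0ULL, 0x100000001ULL };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint64_t c = samples[i];
        printf("chunk_size=0x%" PRIx64 " flawed=%s hardened=%s total32=%" PRIu32 "\n",
               c,
               flawed_check_rejects(c, size) ? "reject" : "accept",
               hardened_check_rejects(c, size) ? "reject" : "accept",
               truncated_total(c, size));
    }
    return 0;
}
```

The last sample is the interesting one: the quoted check accepts it, while the 32-bit total that remains is far smaller than the chunk_size that produced it.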

Even if this can only be exploited as a denial-of-service attack on someone, Exodus wanted to make the point that Google should have spotted this basic integer overflow bug before releasing the patch.

Google engineers have worked out a fix for the borked patch and are busy pushing it out to Nexus devices. It has also been posted on the Android Open Source Project, and other handset vendors will bundle it in with their next security update.

"Currently over 90 per cent of Android devices have a technology called ASLR enabled, which protects users from this issue," a Google spokesperson told The Register, seemingly oblivious to the fact that ASLR can be bypassed by exploiting other bugs in the operating system.

"We've already sent the fix to our partners to protect users, and Nexus 4/5/6/7/9/10 and Nexus Player will get the OTA update in the September monthly security update," the spokesgoogler added.

It's now up to other handset vendors to cover their users' asses, but so far there have been a lot of words and very little action. Motorola users here in Vulture West are still waiting for their original patch, and anecdotal evidence suggests other vendors are being just as tardy.

The monthly software updates for Android arranged by Google in light of the Stagefright bug release were lauded by many as a sensible idea. But whether handset vendors will live up to their promises remains to be seen. ®