'Millions' of Android mobes vulnerable to new Stagefright exploit
Paper lays out how to bypass Google's ASLR
A group of Israeli researchers reckon they've cracked the challenge of crafting a reliable exploit for the Stagefright vulnerability that emerged in Android last year.
In a paper [PDF] that's a cookbook on how to build the exploit for yourself, they suggest millions of unpatched Android devices are vulnerable to their design, which bypasses Android's security defenses. Visiting a hacker's webpage is enough to trigger a system compromise, we're told.
Since no hot piece of infosec action exists without a name these days, the paper, written by Hanan Be’er of North-Bit, dubs the implementation of the Stagefright exploit “Metaphor.”
Stagefright is the name of a software library used by Android to parse videos and other media; it can be exploited by a booby-trapped message or webpage to execute malicious code on vulnerable devices.
While North-Bit reckons its exploit design is reliable, you'll have to, as described above, do some server-side work to deploy Metaphor.
The exploit also needs a perform a heap spray to work, and that means the attacker may need to attempt exploitation multiple times on the target.
However, North-Bit says that with “further research it may be possible to lay aside all or some of the lookup tables” used to generate custom malicious video files – and that would lay the groundwork for a generic exploit.
The exploit specifically attacks the CVE-2015-3864 bug in a “fast, reliable and stealthy” way that bypasses ASLR – aka address space layout randomization, a mechanism that thwarts a lot of exploit writers.
It's also important to note that the victim doesn't have to press play on a rigged MPEG4 video file, because the bug is triggered when the web browser simply fetches and parses the file upon first seeing it.
"It was claimed [the bug] was impractical to exploit in the wild, mainly due to the implementation of exploit mitigations in newer Android versions, specifically ASLR," the paper states.
"The team here at North-Bit has built a working exploit affecting Android versions 2.2 to 4.0 and 5.0 to 5.1, while bypassing ASLR on versions 5.0 to 5.1 (as Android versions 2.2 to 4.0 do not implement ASLR)."
Google released security patches to kill Stagefright's vulnerabilities, although not every Android phone and tablet can receive and install them: some manufacturers and network carriers were in no rush to update older models, leaving potentially millions of gadgets at the mercy of exploits like the one built by North-Bit.
There's a vid demonstrating North-Bit's proof-of-concept exploit below. ®
Updated to add
A Google spokesman has been in touch to say: "Android devices with a security patch level of October 1, 2015 or greater are protected because of a fix we released for this issue (CVE-2015-3864) last year. As always, we appreciate the security community's research efforts as they help further secure the Android ecosystem for everyone."