Stagefright (bug)

Stagefright
Logo of the Stagefright library bug
CVE identifier(s): CVE-2015-1538, CVE-2015-1539, CVE-2015-3824, CVE-2015-3826, CVE-2015-3827, CVE-2015-3828, CVE-2015-3829, CVE-2015-3864 (Stagefright 1.0); CVE-2015-6602 (Stagefright 2.0)
Date discovered: 27 July 2015
Date patched: 3 August 2015
Discoverer: Joshua Drake (Zimperium)
Affected software: Android 2.2 "Froyo" and later (Stagefright 1.0); Android 1.5 "Cupcake" to Android 5.1 "Lollipop" (Stagefright 2.0)

Stagefright is the name given to a group of software bugs in the Android operating system that affect versions from 2.2 "Froyo" up to 5.1.1 "Lollipop", exposing an estimated 950 million devices (95% of all Android devices) at the time. [1] The name is taken from the affected library, which, among other things, is used to unpack MMS messages. [2] Exploitation of the bug allows an attacker to perform arbitrary operations on the victim's device through remote code execution and privilege escalation. [3] Security researchers demonstrated the bugs with a proof of concept that sends specially crafted MMS messages to the victim device; in most cases no end-user action is required upon message reception for the exploit to succeed, because the message is processed in the background before the user has to 'accept' anything. A phone number is the only information needed to carry out the attack. [1] [4] [5] [6]

The underlying attack vector exploits certain integer overflow vulnerabilities in the Android core component called libstagefright, [7] [8] [9] which is a complex software library implemented primarily in C++ as part of the Android Open Source Project (AOSP) and used as a backend engine for playing various multimedia formats such as MP4 files. [1] [10]

The discovered bugs have been provided with multiple Common Vulnerabilities and Exposures (CVE) identifiers, CVE-2015-1538, CVE-2015-1539, CVE-2015-3824, CVE-2015-3826, CVE-2015-3827, CVE-2015-3828, CVE-2015-3829 and CVE-2015-3864 (the latter was assigned separately from the others), which are collectively referred to as the Stagefright bug. [11] [12] [13]

Exploiting the vulnerability does not specifically require an MMS message [14] (MMS was just one example of using the vulnerability for remote code execution); any other processing of the specially crafted media by the vulnerable component is enough. That can happen in most applications that handle media files without bundling their own pure-software codecs (bundling increases an app's size and imposes additional, unjustified costs on its developer, and pure-software decoding is slow and not energy efficient): media players and galleries, web browsers (which can lead to drive-by compromise) and file managers that show thumbnails (which can be used to achieve persistence).
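The bug class at the core of Stagefright is an integer overflow in length arithmetic while a demuxer walks a media container. As an added illustration (example code written for this page, not libstagefright source, and not a reproduction of any of the CVEs listed above), the C program below walks the top-level boxes of an MP4/ISO BMFF buffer. It contrasts a wrap-prone length check, `box_fits_unsafe`, with an overflow-safe one, `box_fits_safe`, and runs the parser over constructed byte strings: a well-formed `ftyp`/`free` pair, a buffer exercising the 64-bit `largesize` and "size 0 = to end of data" forms, and a buffer whose second box carries a size field that makes a 32-bit addition wrap. Function names and sample bytes are assumptions for the example.

```c
/* Added example (not libstagefright code): overflow-safe parsing of the
 * ISO BMFF / MP4 "box" headers a media demuxer walks.  Each box starts with
 * a 32-bit big-endian size and a 4-byte type.  size == 1 means a 64-bit
 * "largesize" follows; size == 0 means the box extends to the end of data. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BOX_HDR        8
#define BOX_HDR_LARGE 16

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}
static uint64_t be64(const uint8_t *p) {
    return ((uint64_t)be32(p) << 32) | be32(p + 4);
}

/* Wrap-prone check, the pattern that fails on a 32-bit build: the sum of a
 * trusted offset and an attacker-controlled size wraps modulo 2^32 and then
 * passes the "fits in the buffer" comparison. */
int box_fits_unsafe(uint32_t offset, uint32_t size, uint32_t buf_len) {
    uint32_t end = offset + size;            /* may wrap to a small value */
    return end <= buf_len;
}

/* Overflow-safe check: compare against the remaining length instead of adding,
 * so nothing can wrap.  Requires offset <= buf_len (checked here). */
int box_fits_safe(size_t offset, uint64_t size, size_t buf_len) {
    if (offset > buf_len) return 0;
    return size <= (uint64_t)(buf_len - offset);
}

/* Walk top-level boxes.  Copies each 4-char type into out[] (if non-NULL).
 * Returns the number of boxes, or -1 if a header is truncated, a box is
 * smaller than its own header, or a box would overrun the buffer. */
int parse_boxes(const uint8_t *buf, size_t len, char out[][5], int max_boxes) {
    size_t off = 0;
    int n = 0;
    while (off < len) {
        if (len - off < BOX_HDR) return -1;              /* truncated header */
        uint64_t size = be32(buf + off);
        size_t hdr = BOX_HDR;
        if (size == 1) {                                  /* 64-bit largesize */
            if (len - off < BOX_HDR_LARGE) return -1;
            size = be64(buf + off + 8);
            hdr = BOX_HDR_LARGE;
        } else if (size == 0) {                           /* box runs to end of data */
            size = len - off;
        }
        if (size < hdr) return -1;                        /* would never advance */
        if (!box_fits_safe(off, size, len)) return -1;    /* overruns buffer */
        if (out && n < max_boxes) {
            memcpy(out[n], buf + off + 4, 4);
            out[n][4] = '\0';
        }
        n++;
        off += (size_t)size;       /* safe: size <= len - off proven above */
    }
    return n;
}

/* Convenience accessor: type of the idx-th box, or NULL if the buffer is malformed. */
const char *nth_box_type(const uint8_t *buf, size_t len, int idx) {
    static char types[16][5];
    int n = parse_boxes(buf, len, types, 16);
    if (n < 0 || idx < 0 || idx >= n || idx >= 16) return NULL;
    return types[idx];
}

/* Constructed sample: a 16-byte 'ftyp' box followed by an 8-byte 'free' box. */
static const uint8_t SAMPLE_OK[] = {
    0x00,0x00,0x00,0x10, 'f','t','y','p', 'i','s','o','m', 0x00,0x00,0x00,0x01,
    0x00,0x00,0x00,0x08, 'f','r','e','e'
};
/* Constructed sample: 'mdat' using largesize (16), then 'free' with size 0. */
static const uint8_t SAMPLE_LARGE[] = {
    0x00,0x00,0x00,0x01, 'm','d','a','t', 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x10,
    0x00,0x00,0x00,0x00, 'f','r','e','e'
};
/* Constructed malformed sample: second box claims size 0xFFFFFFF8, which
 * added to its offset (8) wraps to 0 in 32-bit arithmetic. */
static const uint8_t SAMPLE_BAD[] = {
    0x00,0x00,0x00,0x08, 'f','r','e','e',
    0xFF,0xFF,0xFF,0xF8, 'm','d','a','t'
};

int main(void) {
    char types[8][5];
    int n = parse_boxes(SAMPLE_OK, sizeof SAMPLE_OK, types, 8);
    printf("well-formed sample: %d boxes\n", n);
    for (int i = 0; i < n && i < 8; i++) printf("  %s\n", types[i]);
    printf("largesize sample: %d boxes\n", parse_boxes(SAMPLE_LARGE, sizeof SAMPLE_LARGE, NULL, 0));
    printf("malformed sample: %d (rejected)\n", parse_boxes(SAMPLE_BAD, sizeof SAMPLE_BAD, NULL, 0));
    printf("unsafe check fits=%d, safe check fits=%d\n",
           box_fits_unsafe(8, 0xFFFFFFF8u, (uint32_t)sizeof SAMPLE_BAD),
           box_fits_safe(8, 0xFFFFFFF8u, sizeof SAMPLE_BAD));
    return 0;
}
```

The design point is that the hardened check never forms `offset + size` at all: it compares the untrusted size against the space that remains, which cannot underflow once `offset <= buf_len` is established. The same rearrangement applies to any parser that adds an attacker-supplied length to a cursor, whether in a 3GPP metadata atom, an MP3 frame walker or any other container.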

History

The Stagefright bug was discovered by Joshua Drake from the Zimperium security firm, and was publicly announced for the first time on July 27, 2015. Prior to the announcement, Drake reported the bug to Google in April 2015, which incorporated a related bugfix into its internal source code repositories two days after the report. [4] [5] [6] [1] In July 2015, Evgeny Legerov, a Moscow-based security researcher, announced that he had found at least two similar heap overflow zero-day vulnerabilities in the Stagefright library, claiming at the same time that the library had already been exploited for a while. Legerov also confirmed that the vulnerabilities he discovered became unexploitable once the patches Drake submitted to Google were applied. [3] [15]

The public full disclosure of the Stagefright bug, presented by Drake, took place on August 5, 2015 at the Black Hat USA [16] computer security conference, and on August 7, 2015 at the DEF CON 23 [17] hacker convention. [1] Following the disclosure, on August 5, 2015, Zimperium publicly released the source code of a proof-of-concept exploit, actual patches for the Stagefright library (although the patches had already been publicly available since early May 2015 in the AOSP and other open-source repositories [18] [19]), and an Android application called "Stagefright detector" that tests whether an Android device is vulnerable to the Stagefright bug. [12] [20]

On August 13, 2015, another Stagefright vulnerability, CVE-2015-3864, was published by Exodus Intelligence. [13] This vulnerability was not mitigated by the existing fixes for the already known vulnerabilities. The CyanogenMod team published a notice that patches for CVE-2015-3864 had been incorporated into the CyanogenMod 12.1 source on August 13, 2015. [21]

On October 1, 2015, Zimperium released details of further vulnerabilities, also known as Stagefright 2.0. This vulnerability affects specially crafted MP3 and MP4 files that execute their payload when played using the Android media server. The vulnerability has been assigned the identifier CVE-2015-6602 and was found in a core Android library called libutils, a component of Android that has existed since Android was first released. Android 1.5 through 5.1 are vulnerable to this new attack, and it is estimated that one billion devices are affected. [22]

Implications

While Google maintains Android's primary codebase and firmware, updates for the various Android devices are the responsibility of wireless carriers and original equipment manufacturers (OEMs). As a result, propagating patches to the actual devices often introduces long delays due to the large fragmentation between manufacturers, device variants, Android versions, and the various Android customizations performed by the manufacturers; [23] [24] furthermore, many older or lower-cost devices may never receive patched firmware at all. [25] Many of the unmaintained devices would need to be rooted, which violates the terms of many wireless contracts. The nature of the Stagefright bug therefore highlights the technical and organizational difficulties associated with the propagation of Android patches. [5] [26]

In an attempt to address the delays and issues associated with the propagation of Android patches, on August 1, 2015 Zimperium formed the Zimperium Handset Alliance (ZHA) as an association of different parties interested in exchanging information and receiving timely updates on Android's security-related issues. Members of the ZHA also received the source code of Zimperium's proof-of-concept Stagefright exploit before it was publicly released. As of August 6, 2015, 25 of the largest Android device OEMs and wireless carriers had joined the ZHA. [12] [18] [27]

Mitigation

Certain mitigations of the Stagefright bug exist for devices that run unpatched versions of Android, including disabling the automatic retrieval of MMS messages and blocking the reception of text messages from unknown senders. However, these two mitigations are not supported in all MMS applications (the Google Hangouts app, for example, only supports the former), [3] [5] and they do not cover all feasible attack vectors that make exploitation of the Stagefright bug possible by other means, such as by opening or downloading a malicious multimedia file using the device's web browser. [7] [28]

At first it was thought that further mitigation could come from the address space layout randomization (ASLR) feature that was introduced in Android 4.0 "Ice Cream Sandwich" and fully enabled in Android 4.1 "Jelly Bean". [7] [29] Android 5.1 "Lollipop" includes patches against the Stagefright bug. [11] [30] However, exploits that bypass ASLR, such as Metaphor, were discovered in 2016.

As of Android 10, software codecs were moved to a sandbox which effectively mitigates this threat for devices capable of running this version of the OS. [7] [31]

References

  1. "Experts Found a Unicorn in the Heart of Android". zimperium.com. July 27, 2015. Retrieved July 28, 2015.
  2. "Stagefright: Everything you need to know about Google's Android megabug".
  3. "How to Protect from StageFright Vulnerability". zimperium.com. July 30, 2015. Retrieved July 31, 2015.
  4. Rundle, Michael (July 27, 2015). "'Stagefright' Android bug is the 'worst ever discovered'". Wired. Retrieved July 28, 2015.
  5. Vaughan-Nichols, Steven J. (July 27, 2015). "Stagefright: Just how scary is it for Android users?". ZDNet. Retrieved July 28, 2015.
  6. Hern, Alex (July 28, 2015). "Stagefright: new Android vulnerability dubbed 'heartbleed for mobile'". The Guardian. Retrieved July 29, 2015.
  7. Wassermann, Garret (July 29, 2015). "Vulnerability Note VU#924951 – Android Stagefright contains multiple vulnerabilities". CERT. Retrieved July 31, 2015.
  8. "Android Interfaces: Media". source.android.com. May 8, 2015. Retrieved July 28, 2015.
  9. "platform/frameworks/av: media/libstagefright". android.googlesource.com. July 28, 2015. Retrieved July 31, 2015.
  10. Kumar, Mohit (July 27, 2015). "Simple Text Message to Hack Any Android Phone Remotely". thehackernews.com. Retrieved July 28, 2015.
  11. Hackett, Robert (July 28, 2015). "Stagefright: Everything you need to know about Google's Android megabug". Fortune. Retrieved July 29, 2015.
  12. "Stagefright: Vulnerability Details, Stagefright Detector tool released". zimperium.com. August 5, 2015. Retrieved August 25, 2015.
  13. Gruskovnjak, Jordan; Portnoy, Aaron (August 13, 2015). "Stagefright: Mission Accomplished?". exodusintel.com. Retrieved October 8, 2015.
  14. "Stagefright Detector - Apps on Google Play".
  15. Thomas Fox-Brewster (July 30, 2015). "Russian 'Zero Day' Hunter Has Android Stagefright Bugs Primed For One-Text Hacks". Forbes. Retrieved July 31, 2015.
  16. "Stagefright: Scary Code in the Heart of Android". blackhat.com. August 21, 2015. Retrieved August 25, 2015.
  17. "Stagefright: Scary Code in the Heart of Android". defcon.org. August 7, 2015. Retrieved August 25, 2015.
  18. "ZHA – Accelerating Roll-out of Security Patches". zimperium.com. August 1, 2015. Retrieved August 25, 2015.
  19. Joshua J. Drake (May 5, 2015). "Change Ie93b3038: Prevent reading past the end of the buffer in 3GPP". android-review.googlesource.com. Retrieved August 25, 2015.
  20. Eric Ravenscraft (August 7, 2015). "Stagefright Detector Detects if Your Phone Is Vulnerable to Stagefright". lifehacker.com. Retrieved August 25, 2015.
  21. "More Stagefright". www.cyanogenmod.org. August 13, 2015. Archived from the original on August 13, 2015. Retrieved August 15, 2015.
  22. "Stagefright 2.0 Vulnerabilities Affect 1 Billion Android Devices". threatpost.com. October 1, 2015. Retrieved October 1, 2015.
  23. Jamie Lendino (July 27, 2015). "950M phones at risk for 'Stagefright' text exploit thanks to Android fragmentation". extremetech.com. Retrieved July 31, 2015.
  24. Jordan Minor (July 30, 2015). "There's (Almost) Nothing You Can Do About Stagefright". PC Magazine. Retrieved July 31, 2015.
  25. Cooper Quintin (July 31, 2015). "StageFright: Android's Heart of Darkness". Electronic Frontier Foundation. Retrieved August 2, 2015.
  26. Phil Nickinson (July 27, 2015). "The 'Stagefright' exploit: What you need to know". Android Central. Retrieved July 29, 2015.
  27. Lucian Armasu (August 6, 2015). "Zimperium Releases Stagefright Vulnerability Detector". Tom's Hardware. Retrieved August 25, 2015.
  28. Joshua Drake (August 5, 2015). "Stagefright: Scary Code in the Heart of Android – Researching Android Multimedia Framework Security" (PDF). blackhat.com. pp. 31–39. Retrieved August 25, 2015.
  29. Jon Oberheide (July 16, 2012). "Exploit Mitigations in Android Jelly Bean 4.1". duosecurity.com. Retrieved July 31, 2015.
  30. Michael Crider (July 28, 2015). "Google Promises a Stagefright Security Update For Nexus Devices Starting Next Week". androidpolice.com. Retrieved July 31, 2015.
  31. Jeff Vander Stoep (Android Security & Privacy Team) and Chong Zhang (Android Media Team) (May 9, 2019). "Queue Hardening Enhancements". android-developers.googleblog.com. Retrieved September 25, 2019.