Stagefright (bug)

From Infogalactic: the planetary knowledge core
Jump to: navigation, search

<templatestyles src="Module:Hatnote/styles.css"></templatestyles>

File:Stagefright bug logo.png
Logo of the Stagefright library

Stagefright is the collective name for a group of software bugs, that affect versions 2.2 ("Froyo") and newer of the Android operating system, allowing an attacker to perform arbitrary operations on the victim device through remote code execution and privilege escalation.[1] Security researchers demonstrate the bugs with a proof of concept that sends specially crafted MMS messages to the victim device and in most cases requires no end-user actions upon message reception to succeed, while using the phone number as the only target information.[2][3][4][5]

The underlying attack vector exploits certain integer overflow vulnerabilities in the Android's core component called "Stagefright",[6][7][lower-alpha 1] which is a complex software library implemented primarily in C++ as part of the Android Open Source Project (AOSP) and used as a backend engine for playing various multimedia formats such as MP4 files.[5][9]

The discovered bugs have been provided with multiple Common Vulnerabilities and Exposures (CVE) identifiers, CVE-2015-1538, CVE-2015-1539, CVE-2015-3824, CVE-2015-3826, CVE-2015-3827, CVE-2015-3828, CVE-2015-3829 and CVE-2015-3864 (the latter one has been assigned separately from the others), which are collectively referred to as the Stagefright bug.[10][11][12]

History

The Stagefright bug was discovered by Joshua Drake from the Zimperium security firm, and was publicly announced for the first time on July 27, 2015. Prior to the announcement, Drake reported the bug to Google in April 2015, which incorporated a related bugfix into its internal source code repositories two days after the report.[2][3][4][5] In July 2015, Evgeny Legerov, a Moscow-based security researcher, announced that he found at least two similar heap overflow zero-day vulnerabilities in the Stagefright library, claiming at the same time that the library has been already exploited for a while. Legerov also confirmed that the vulnerabilities he discovered become unexploitable by applying the patches Drake submitted to Google.[1][13]

The public full disclosure of the Stagefright bug, presented by Drake, took place on August 5, 2015 at the Black Hat USA[14] computer security conference, and on August 7, 2015 at the DEF CON 23[15] hacker convention.[5] Following the disclosure, on August 5, 2015 Zimperium publicly released the source code of a proof-of-concept exploit, actual patches for the Stagefright library (although the patches were already publicly available since early May 2015 in the AOSP and other open-source repositories[16][17]), and an Android application called "Stagefright detector" that tests whether an Android device is vulnerable to the Stagefright bug.[11][18]

As of August 3, 2015, only a few products have been actually patched against the bug: Blackphone's PrivatOS since its version 117, nightly releases of the CyanogenMod 12.0 and 12.1,[19] Sprint's variant of the Samsung Galaxy Note 4,[20] the Moto E, G, and X, Droid Maxx, Mini, and Turbo,[21] and Mozilla Firefox since its version 38 (and Firefox OS since 2.2)[22] (this web browser internally uses Android's Stagefright library).[3][4][23]

On August 13, 2015, another Stagefright vulnerability CVE-2015-3864 was published by Exodus Intelligence.[12] This vulnerability was not mitigated by existing fixes of already known vulnerabilities. CyanogenMod team published a notice that patches for CVE-2015-3864 have been incorporated in CyanogenMod 12.1 source on August 13, 2015.[24]

On October 1st, 2015, Zimperium released details of further vulnerabilities, also known as Stagefright 2.0. This vulnerability affects specially crafted MP3 and MP4 files that execute their payload when played using the Android Media server. The vulnerability has been assigned identifier CVE-2015-6602 and was found in a core Android library called libutils; a component of Android that has existed since Android was first released. Android 1.5 through 5.1 are vulnerable to this new attack and it is estimated that one billion devices are affected.[25]

Implications

While Google maintains the Android's primary codebase, firmware updates for various Android devices are the responsibility of wireless carriers and original equipment manufacturers (OEMs). As a result, propagating patches to the actual devices often introduces long delays due to a large fragmentation between the manufacturers, device variants, Android versions, and various Android customizations performed by the manufacturers;[26][27] furthermore, many older or lower cost devices may never receive patched firmware at all.[28] Many of the unmaintained devices would need to be rooted, which violates the terms of many wireless contracts. Therefore, the nature of Stagefright bug highlights the technical and organizational difficulties associated with the propagation of Android patches.[3][29]

As an attempt to address the delays and issues associated with the propagation of Android patches, on August 1, 2015 Zimperium formed the Zimperium Handset Alliance (ZHA) as an association of different parties interested in exchanging information and receiving timely updates on Android's security-related issues. Members of the ZHA also received source code of the Zimperium's proof-of-concept Stagefright exploit before it was publicly released. As of August 6, 2015, 25 of the largest Android device OEMs and wireless carriers have joined the ZHA.[11][16][30]

Mitigation

Certain mitigations of the Stagefright bug exist for devices that run unpatched versions of Android, including disabling the automatic retrieval of MMS messages and blocking the reception of text messages from unknown senders. However, these two mitigations are not supported in all MMS applications (the Google Hangouts app, for example, only supports the former),[1][3] and they do not cover all feasible attack vectors that make exploitation of the Stagefright bug possible by other means, such as by opening or downloading a malicious multimedia file using the device's web browser.[6][31]

Further mitigation comes from some of the security features built into newer versions of Android that may help in making exploitation of the Stagefright bug more difficult; an example is the address space layout randomization (ASLR) feature that was introduced in Android 4.0 "Ice Cream Sandwich" and fully enabled in Android 4.1 "Jelly Bean".[6][32] The latest version of Android 5.1 "Lollipop" includes patches against the Stagefright bug.[10][33]

See also

  • Android version history – a list and descriptions of the released versions of Android
  • Phishing – the attempt to acquire sensitive information by masquerading as a trustworthy entity in an electronic communication

Notes

  1. Internally, the library is referred to as libstagefright.[8]

References

  1. 1.0 1.1 1.2 Lua error in package.lua at line 80: module 'strict' not found.
  2. 2.0 2.1 Lua error in package.lua at line 80: module 'strict' not found.
  3. 3.0 3.1 3.2 3.3 3.4 Lua error in package.lua at line 80: module 'strict' not found.
  4. 4.0 4.1 4.2 Lua error in package.lua at line 80: module 'strict' not found.
  5. 5.0 5.1 5.2 5.3 Lua error in package.lua at line 80: module 'strict' not found.
  6. 6.0 6.1 6.2 Lua error in package.lua at line 80: module 'strict' not found.
  7. Lua error in package.lua at line 80: module 'strict' not found.
  8. Lua error in package.lua at line 80: module 'strict' not found.
  9. Lua error in package.lua at line 80: module 'strict' not found.
  10. 10.0 10.1 Lua error in package.lua at line 80: module 'strict' not found.
  11. 11.0 11.1 11.2 Lua error in package.lua at line 80: module 'strict' not found.
  12. 12.0 12.1 Lua error in package.lua at line 80: module 'strict' not found.
  13. Lua error in package.lua at line 80: module 'strict' not found.
  14. Lua error in package.lua at line 80: module 'strict' not found.
  15. Lua error in package.lua at line 80: module 'strict' not found.
  16. 16.0 16.1 Lua error in package.lua at line 80: module 'strict' not found.
  17. Lua error in package.lua at line 80: module 'strict' not found.
  18. Lua error in package.lua at line 80: module 'strict' not found.
  19. Lua error in package.lua at line 80: module 'strict' not found.
  20. Lua error in package.lua at line 80: module 'strict' not found.
  21. https://motorola-global-portal.custhelp.com/app/answers/prod_answer_detail/a_id/106654
  22. Lua error in package.lua at line 80: module 'strict' not found.
  23. Lua error in package.lua at line 80: module 'strict' not found.
  24. Lua error in package.lua at line 80: module 'strict' not found.
  25. Lua error in package.lua at line 80: module 'strict' not found.
  26. Lua error in package.lua at line 80: module 'strict' not found.
  27. Lua error in package.lua at line 80: module 'strict' not found.
  28. Lua error in package.lua at line 80: module 'strict' not found.
  29. Lua error in package.lua at line 80: module 'strict' not found.
  30. Lua error in package.lua at line 80: module 'strict' not found.
  31. Lua error in package.lua at line 80: module 'strict' not found.
  32. Lua error in package.lua at line 80: module 'strict' not found.
  33. Lua error in package.lua at line 80: module 'strict' not found.

External links