Imagine remotely executing code by sending an MMS to your victim, crazy right? It’s not that crazy now, considering that researcher Joshua J. Drake just discovered a very intrusive vulnerability in the Android operating system. It is estimated that this vulnerability exposes 95% of all Android devices.
Stagefright is a library in Android that is responsible for all the media processing. It provides a playback engine and the codecs necessary to playback a variety of media formats. Media processing is a very resource intensive functionality which needs to run as efficient as possible. In order to achieve this, the library is implemented in the C-language (native code). This language is, in contrast with Java, an unsafe language. The reason C is considered unsafe, is due to the fact that a developer writing C code is responsible for controlling the memory region that his code needs. This gives possibilities to a variety of vulnerabilities that can arise due to insufficient bound checks on input data that is being handled by a C routine. The vulnerability in the Stagefright library is an example of a memory vulnerability, which allows an attacker to perform remote code execution.
The Stagefright vulnerability
Not a lot of technical details are known about the vulnerability. This is probably because the vulnerability is going to be presented at Black Hat USA on August 5 and DEF CON 23 on August 7. However, it seems that the specific attacks that are possible, are the attacks that researchers call a ‘buffer overflow attack“. It seems that Cyanogenmod already provided some patches, the following figure shows the patches for the MPEG4 processing module of Stagefright. The commit comes with a comment that describes a part of the vulnerability in some technical details:
When the ‘chunk_data_size’ variable is less than ‘kSkipBytesOfDataBox’, an integer underflow can occur. This causes an extraordinarily large value to be passed to MetaData::setData, leading to a buffer overflow.
Should I be scared?
No, it’s a serious issue, but you should not go all paranoid. Some precautions can be taken to prevent an attack from executing successfully. In orde to trigger the exploit in the Stagefright library, you’d have to execute media first. For the case of SMS/MMS, just disable MMS. Don’t play content that you don’t trust, this includes but is not limited to: MMS (why even use those?), URLs or content from spam e-mails, strange looking URLs that load in the browser, etc. Using some common sense could bring you a long way.
That’s for the common sense part. Now the technical part is somewhat more reassuring. Android has several security boundaries built-in to contain and block memory exploits from successfully executing. Without going in a lot of details, some of the countermeasures are ASLR and DEP. Which make a memory attack quite difficult to execute, and for the real technical part I refer to a previous article I wrote, on another Android vulnerability. This proves that it is a very intrusive vulnerability but it is not something that should keep you awake at night ;-)
Who is to blame?
Collin Mulliner, senior research scientist at Northeastern University, said in an interview, “In this case Google is not the actual one to blame. It’s ultimately the manufacturer of your phone, in combination possibly with your carrier…If you can save money by not producing updates, you’re not going to do that. Since the market is moving that fast, it sometimes doesn’t make sense for the manufacturer to provide an update.”