Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Android Stagefright Exploit Released

Enterprise mobile security firm Zimperium has published an exploit for one of the most critical Android Stagefright vulnerabilities disclosed this summer.

Enterprise mobile security firm Zimperium has published an exploit for one of the most critical Android Stagefright vulnerabilities disclosed this summer.

The existence of several serious vulnerabilities in Android’s libstagefright media library was brought to light in July by Zimperium. Experts initially estimated that the vulnerabilities, which affect all Android versions since 2.2, impacted roughly 950 million devices.

After the security firm’s initial disclosure of the bugs, several other researchers reported uncovering libstagefright and other mediaserver flaws.

The list of CVE identifiers assigned to Stagefright vulnerabilities includes CVE-2015-1538, CVE-2015-1539, CVE-2015-3824, CVE-2015-3826, CVE-2015-3827, CVE-2015-3828, CVE-2015-3864 and CVE-2015-3829.

Google and other affected vendors released patches and Zimperium published a Stagefright detector app to help Android users determine if their devices are vulnerable.

The security firm announced on Wednesday that it has released a proof-of-concept exploit designed to show that CVE-2015-1538 can be exploited for remote code execution without user interaction. The exploit, available as a Python script, can be used by administrators, security teams and pentesters to determine if systems remain vulnerable or not, Zimperium said.

“This is one of the most critical vulnerabilities we reported in the Stagefright library. The expected result of the exploit is a reverse shell as the media user,” Zimperium explained in a blog post. “As detailed in Joshua Drake’s Black Hat and DEFCON presentations, this user has access to quite a few groups such as inet, audio, camera, and mediadrm. These groups allow an attacker to take pictures or listen to the microphone remotely without exploiting additional vulnerabilities.”

The company has pointed out that the exploit has only been tested on a Nexus device running Android 4.0.4 and it’s not 100 percent reliable by itself.

Shortly after the existence of the Stagefright vulnerabilities came to light, Google announced its intention to release monthly security updates for its Nexus devices. The August updates addressed many of the Stagefright flaws, but researchers soon discovered that the patch for CVE-2015-3824 was flawed.

Google has assigned CVE-2015-3864 to the new issue, which the company is expected to fix with the next round of updates.

The Stagefright vulnerabilities have had a negative impact on the already bad security reputation of the Android ecosystem. That is why several device vendors, including Samsung, LG and Motorola, have promised to step up their game and release regular security updates to ensure that users are protected.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.