Experts at software research firm NorthBit have developed what they believe to be a reliable exploit for a Stagefright vulnerability affecting Google’s Android operating system.
In July 2015, mobile security firm Zimperium reported finding a series of critical remote code execution vulnerabilities in the Android media playback engine Stagefright. The issues reportedly affected 950 million devices, but in many cases they were difficult to exploit, especially in Android 4.1 and later, which include Address Space Layout Randomization (ASLR) mitigations.
Zimperium published a proof-of-concept exploit for CVE-2015-1538 to allow administrators, security teams and penetration testers to determine if a system is vulnerable, but the company noted at the time that the exploit was not 100 percent reliable and had only been successfully tested on a device running Android 4.0.4.
In September 2015, Google researchers developed an exploit for CVE-2015-3864, the identifier assigned to an integer overflow in libstagefright triggered during MPEG4 tx3g data processing. The flaw had originally been tracked as CVE-2015-3824, but its initial patch was flawed. The exploit from Google could bypass ASLR with brute force and had a success rate of roughly 4 percent per minute.
Experts believed this success rate was reasonable if the exploit would be used, for example, in a watering hole attack where victims would likely spend more time on the malicious page. However, Google researchers admitted that it could be more elegant, reliable and effective to use a more sophisticated technique to bypass ASLR.
Building on Google’s work, NorthBit researchers have attempted to develop a more practical exploit that is fast, reliable and stealthy. The new exploit, dubbed “Metaphor,” is said to work not only on devices running Android 2.2 through 4.0, but also Android 5.0 through 5.1 on which it bypasses ASLR protections. Experts demonstrated that Metaphor can be practically exploited in the wild against potentially hundreds of millions of Android devices.
For the exploit to work, the attacker needs to lure the targeted user to a malicious website. This can be accomplished via a specially set up website, a hijacked site, cross-site scripting (XSS) vulnerabilities, ads displayed in <script> or <iframe> tags, and drive-by attacks.
NorthBit pointed out that since the exploited vulnerability affects media parsing, the victim does not need to play a malicious media file. Instead, all they need to do is parse it — the process in which video length, artist name, title and other metadata is retrieved.
However, for the attack to work, the attacker must trick the victim into spending some time on a malicious web page, a task that can be easily achieved via social engineering, as shown by researchers in a video of the Metaphor exploit in action.
The Metaphor exploit works best on a Nexus 5 smartphone with stock ROM, but it has also been tested on HTC One, LG G3 and Samsung Galaxy S5 devices. Researchers noted that the exploit is not universal as exploitation differs slightly from one vendor to another.
While Google has patched and continues to patch Stagefright flaws, many Android devices will never get the fixes, leaving millions of users vulnerable to attacks.
“Patching application vulnerabilities is especially challenging for the Android community with the number of different manufacturers and carriers charged with the responsibility of issuing patches to devices,” Chris Eng, VP of Research at Veracode, told SecurityWeek.
A paper describing the technical details of Metaphor has been made available by researchers.