Monday, March 21, 2016

Android Ecosystem Fails Meatware (Week 2)

In July 2015, security firm Zimperium published a series of critical remote code execution vulnerabilities in the Android media playback engine, found in April 2015. These vulnerabilities became known as Stagefright, after the affected component: Stagefright is the media library within Android that lets the operating system interpret various media, namely video, audio, and picture files, and the attack could be delivered through a Multimedia Messaging Service (MMS) message. Exploitation was considered difficult on newer Android versions because of Address Space Layout Randomization (ASLR), a technique that protects against memory-corruption attacks. Amid continued criticism of Android's slow patching process, Google and Samsung pledged to release new security updates for Android every month. However, after the details were published, further patches and vulnerabilities continued through December 2015 (Jeg, 2015).

Building on this previous work, NorthBit researchers developed a more practical exploit that is fast, reliable, and stealthy. The new exploit, named Metaphor, targets Stagefright. Previous Stagefright exploits used MMS; Metaphor instead relies on JavaScript, so user interaction is required to compromise the device. The specific vulnerability involves parsing MPEG-4 files and causing a heap overflow (Be'er, 2016).

Below is the general idea of how Metaphor enables an attacker to take control of an Android device (Shekhar, 2016):
  • it tricks the user into visiting a malicious site,
  • the malicious site contains a multimedia file,
  • the media file resets the internal state of the phone,
  • the attacker's server sends a custom-generated video file that exploits the vulnerability to gather the device's information,
  • the attacker uses the compromised system's information for further exploitation.

Metaphor works against Android versions 2.2 through 4.0, and 5.0 and 5.1, which together are estimated to run on 275 million phones (Goodin, 2016). While Google has patched and continues to patch the Stagefright flaws, many devices will not be fixed. Android users have to rely on carriers and device manufacturers to push the updates, and each update is adapted by each vendor. In addition, Android versions 2.2 through 4.0 are no longer supported. The underlying issue is that the carriers and hardware partners have the control, unlike Apple. Apple had 70 percent adoption of iOS 9 within 2.5 months of releasing the operating system because it controls both the software and the hardware (Jeg, 2016). Android is not an ecosystem but a fragmented, schizophrenic one that allows anyone and anything to do as they please without supervision.

NorthBit White Paper: https://www.exploit-db.com/docs/39527.pdf

Metaphor - Stagefright Exploitation Breaking ASLR


References:

Goodin, D. (2016, March 18). 275 million Android phones imperiled by new code-execution exploit. Retrieved March 21, 2016, from http://arstechnica.com/security/2016/03/275-million-android-phones-imperiled-by-new-code-execution-exploit/

Rashid, F. Y. (2016, March 18). New exploit spotlights Android's Stagefright vulnerability. Retrieved March 21, 2016, from http://www.infoworld.com/article/3045383/security/new-exploit-spotlights-androids-stagefright-vulnerability.html

Plummer, Q. (2016, March 19). Stagefright Exploit Is Back And Millions Of Android Devices Are Vulnerable: What You Should Know. Retrieved March 21, 2016, from http://www.techtimes.com/articles/142157/20160319/stagefright-exploit-is-back-and-millions-of-android-devices-are-vulnerable-what-you-should-know.htm

Shekhar, A. (2016, March 17). Metaphor — Here’s How This Remote Android Exploit Hacks Your Phone In 10 Seconds. Retrieved March 21, 2016, from http://fossbytes.com/millions-of-devices-under-threat-a-new-remote-android-hacking-exploit-arrives/

Be'er, H. (n.d.). 39527 [PDF]. NorthBit. Retrieved from https://www.exploit-db.com/docs/39527.pdf
