Stagefright Bug

The Android Stagefright bug is not squashed. Although Google released patches for Hangouts and Messenger, there are still many ways a malicious MP4 file can be opened on a device. Zimperium has now released exploit source code: a script that generates a malicious MP4 file for one of the Stagefright vulnerabilities, so anyone can build the file and use the exploit.


Here is what they said:

During the months of June and July, Joshua J. Drake developed a working exploit to prove the Stagefright vulnerability can allow Remote Code Execution (RCE) without user interaction. We are pleased to finally make this code available to the general public so that security teams, administrators, and penetration testers alike may test whether or not systems remain vulnerable.

What follows is a python script that generates an MP4 exploiting the ‘stsc’ vulnerability otherwise known as CVE-2015-1538 (#1). This is one of the most critical vulnerabilities we reported in the Stagefright library. The expected result of the exploit is a reverse shell as the media user. As detailed in Joshua Drake’s Black Hat and DEFCON presentations, this user has access to quite a few groups such as inet, audio, camera, and mediadrm. These groups allow an attacker to take pictures or listen to the microphone remotely without exploiting additional vulnerabilities.

This exploit has several caveats. First, it is not a generic exploit. We only tested it to work on a single device model. We tested this exploit on a Nexus running Android 4.0.4. Also, due to variances in heap layout, this is not a 100% reliable exploit by itself. We were able to achieve 100% reliability when delivered through an attack vector that allowed multiple attempts. Finally, this vulnerability was one of several that were neutered by GCC 5.0’s ‘new[]’ integer overflow mitigation present on Android 5.0 and later.

This means the released code is only tested on a Nexus running Android 4.0.4 Ice Cream Sandwich, and, because the GCC 5.0 ‘new[]’ integer overflow mitigation is present on Android 5.0 Lollipop and later, devices on 5.0 or higher are not vulnerable to this particular exploit. That is a statement about this one exploit, not about Stagefright as a whole: unpatched devices below 5.0 still carry the bug, and the release targets only one of the several vulnerabilities Zimperium reported.
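To make the ‘new[]’ integer overflow mitigation concrete, here is an added C example that is not part of this article, not Zimperium’s exploit, and not the libstagefright source. It illustrates the bug class behind the ‘stsc’ issue: an entry count read straight from the file, multiplied by a fixed record size in 32-bit arithmetic, so a crafted count wraps to a tiny allocation while the parser would still copy the full declared table. The box layout (4 bytes version/flags, 4-byte entry count, 12-byte records), the field names, and the function names are simplifications assumed for the demo. The “checked” function performs by hand the overflow check that GCC 5.0’s ‘new[]’ does automatically, plus the bound against the bytes actually present in the box; nothing here allocates or writes out of bounds, it only computes the sizes each approach would use.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout assumed for the demo: 4 bytes version/flags, 4 bytes entry_count,
 * then entry_count records of three uint32 fields (12 bytes each). */
enum { STSC_HEADER_SIZE = 8, STSC_ENTRY_SIZE = 12 };

typedef struct {
    uint32_t entry_count; /* count as read from the box */
    size_t   alloc;       /* bytes the parser would ask the allocator for */
    uint64_t needed;      /* bytes the declared entries really occupy */
    int      accepted;    /* 1 if the parser would go on to allocate and copy */
} stsc_sizing;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Build a constructed stsc box: header with the given entry_count, followed
 * by payload_entries zeroed records. Returns the box length (0 on no room). */
size_t build_stsc(uint8_t *out, size_t cap, uint32_t entry_count, uint32_t payload_entries) {
    size_t len = STSC_HEADER_SIZE + (size_t)payload_entries * STSC_ENTRY_SIZE;
    if (len > cap) return 0;
    memset(out, 0, len);
    out[4] = (uint8_t)(entry_count >> 24);
    out[5] = (uint8_t)(entry_count >> 16);
    out[6] = (uint8_t)(entry_count >> 8);
    out[7] = (uint8_t)(entry_count);
    return len;
}

/* Unchecked sizing: the bug class. The allocation size is computed in 32-bit
 * arithmetic and the count is never compared with the bytes present, so a
 * crafted entry_count wraps to a small buffer while the copy would still run
 * entry_count times. Sizes only; no buffer is allocated or written here. */
stsc_sizing stsc_size_unchecked(const uint8_t *box, size_t len) {
    stsc_sizing r = {0, 0, 0, 0};
    if (len < STSC_HEADER_SIZE) return r;
    r.entry_count = be32(box + 4);
    r.alloc  = r.entry_count * STSC_ENTRY_SIZE;             /* uint32 math: wraps mod 2^32 */
    r.needed = (uint64_t)r.entry_count * STSC_ENTRY_SIZE;   /* true requirement */
    r.accepted = 1;
    return r;
}

/* Hardened sizing: refuse a count whose byte size cannot be represented in the
 * allocator's size type (the check GCC 5's new[] mitigation performs for you),
 * and refuse a count that declares more entries than the box actually carries. */
stsc_sizing stsc_size_checked(const uint8_t *box, size_t len) {
    stsc_sizing r = {0, 0, 0, 0};
    if (len < STSC_HEADER_SIZE) return r;
    r.entry_count = be32(box + 4);
    r.needed = (uint64_t)r.entry_count * STSC_ENTRY_SIZE;
    if (r.entry_count > SIZE_MAX / STSC_ENTRY_SIZE) return r;     /* would overflow size_t */
    if (r.needed > (uint64_t)(len - STSC_HEADER_SIZE)) return r;  /* table larger than box */
    r.alloc = (size_t)r.needed;  /* bounded by len, so representable and backed by data */
    r.accepted = 1;
    return r;
}

int main(void) {
    uint8_t box[64];
    /* Constructed inputs: a benign 2-entry table, and a crafted count chosen
     * so that count * 12 == 0x1_0000_0008, which wraps to 8 bytes in 32 bits. */
    size_t benign_len = build_stsc(box, sizeof box, 2, 2);
    stsc_sizing b = stsc_size_checked(box, benign_len);
    printf("benign:  count=%u accepted=%d alloc=%zu\n",
           (unsigned)b.entry_count, b.accepted, b.alloc);

    size_t evil_len = build_stsc(box, sizeof box, 0x15555556u, 2);
    stsc_sizing u = stsc_size_unchecked(box, evil_len);
    stsc_sizing c = stsc_size_checked(box, evil_len);
    printf("crafted: count=%u unchecked alloc=%zu (needs %llu bytes), checked accepted=%d\n",
           (unsigned)u.entry_count, u.alloc, (unsigned long long)u.needed, c.accepted);
    return 0;
}
```

The crafted count is the smallest one whose 12-byte table size exceeds 2^32, so the unchecked path would request an 8-byte buffer for a table it believes holds over 350 million entries. On a 32-bit build the `SIZE_MAX / STSC_ENTRY_SIZE` test catches it; on a 64-bit build the multiplication does not overflow `size_t`, and it is the comparison against the bytes actually present in the box that rejects it, which is why both checks belong in a parser.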

While we do have the code for testing purposes, we do not intend to share it, as Zimperium has already done so.

“Exploits don’t hack people, people hack people,” Drake, Zimperium.