A Preliminary Study on the high-risk vulnerability of Android Stagefright



Overview

The Stagefright vulnerability allows remote code execution; merely sending an MMS message may be enough to compromise a user's phone. That sounds like a serious hole, and as security practitioners we have to look at what is behind it.

Where to start

According to the news reports, the discoverer of the vulnerability has, for whatever reason, not published any details and intends to present them at Black Hat. All that is known is that the Stagefright library of the Android system has a major security problem. What exactly is it? And how would one fuzz for it?

So at first glance there is no lead on the details. But the first thing a security practitioner must believe is that no wall is impervious. Reading the press release carefully, we find that the vulnerability was reported to Google and quickly fixed, and that Google has passed vulnerability-related information to some of its partners. From this we can be confident that the details can still be dug out.

Since Google has fixed the vulnerability in the source code, the first step is to look at Google's source commit history.

[Figure: screenshot of the AOSP libstagefright commit log]

Skimming the commit log, I found several fixes for libstagefright security issues, but most of the commit messages are so terse that it is hard to tell which ones are relevant.

A turn for the better

Starting from Google's side does not look easy. Fortunately, Google handed the vulnerability information to its partners, and we found a notice published by CyanogenMod.

[Figure: screenshot of the CyanogenMod notice]

In other words, the vulnerability has already been fixed in CM12!

Following the lead

Next, we found the CM12 commit history on GitHub.

[Figure: screenshot of the CM12 commits on GitHub]

As you can see, the recent CM12 commits fix all of the Stagefright-related vulnerabilities. From these fixes we can learn quite a bit about what the vulnerabilities are.

Analysis

We did a simple analysis of some of the fixes.

Bug: 20139950

[Figure: the fix commit for bug 20139950]

This bug is in the SampleTable::setSampleToChunkParams function of frameworks/av/media/libstagefright/SampleTable.cpp. From the description and the fix, the problem is that the value of mNumSampleToChunkOffsets can be too large, which leads to an integer overflow. The relevant code is as follows:

[Figure: the affected code in SampleTable.cpp, with the problematic line marked in red]

Note the line marked in red: the access it performs can go out of bounds, which is the security issue.

Bug: 20139950

[Figure: the fix commit in ESDS.cpp]

This bug is in the ESDS::parseESDescriptor function of frameworks/av/media/libstagefright/ESDS.cpp. The description and the fix show that variables are not validated strictly enough during parsing, which can lead to out-of-bounds access.

Bug: 20923261

[Figure: the fix commit for bug 20923261 in MPEG4Extractor.cpp]

This vulnerability is in the MPEG4Extractor::parseChunk function of frameworks/av/media/libstagefright/MPEG4Extractor.cpp, and here the whole picture is visible. When chunk_data_size is smaller than kSkipBytesOfDataBox, the expression on the line marked in red becomes negative. Because the last parameter of setData has type size_t, that negative value is converted into a huge positive number, which leads to memory errors.

The causes of other vulnerabilities are similar, so we will not describe them one by one.
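To make the three patterns above concrete, here is an added example that is not code from the article, from AOSP, or from CyanogenMod. It reconstructs, in simplified form, the unchecked arithmetic behind each of the three bugs and puts the kind of check the fixes add beside it. The constant kSkipBytesOfDataBox, the entry struct, the function names and the sample descriptor bytes are all assumptions constructed for this example; only the pattern (signed size converted to size_t, count multiplied into an allocation size, descriptor length trusted without comparing it to the remaining bytes) mirrors what the commits address.

```cpp
// Added example: three unchecked-arithmetic patterns from libstagefright-style
// parsing, each next to the check a fix would add. Not AOSP or CM code.
#include <cstddef>
#include <cstdint>
#include <vector>

// Assumed constant, named after the one the article mentions; the real value differs.
static const uint64_t kSkipBytesOfDataBox = 16;

// Pattern 1 (parseChunk-style): a signed chunk size read from the file has a
// constant subtracted and the result is passed to a size_t parameter. When the
// chunk is shorter than the constant the difference wraps to a huge length.
size_t unsafeDataLength(int64_t chunk_data_size) {
    return static_cast<size_t>(chunk_data_size - kSkipBytesOfDataBox);  // wraps
}

// Hardened: reject negative or too-short chunks before subtracting.
bool checkedDataLength(int64_t chunk_data_size, size_t* out) {
    if (chunk_data_size < 0) return false;
    uint64_t size = static_cast<uint64_t>(chunk_data_size);
    if (size < kSkipBytesOfDataBox) return false;
    *out = static_cast<size_t>(size - kSkipBytesOfDataBox);
    return true;
}

// Pattern 2 (setSampleToChunkParams-style): an entry count from the file is
// multiplied into an allocation size in 32-bit arithmetic. A large count wraps
// the product, the buffer is allocated too small, and the per-entry loop that
// fills it writes past the end.
struct SampleToChunkEntry { uint32_t startChunk, samplesPerChunk, chunkDesc; };  // 12 bytes

uint32_t unsafeTableBytes(uint32_t count) {
    return count * static_cast<uint32_t>(sizeof(SampleToChunkEntry));  // wraps silently
}

// Hardened: bound the count before multiplying, then require the table to fit
// inside the bytes actually available in the file.
bool checkedTableBytes(uint32_t count, uint64_t available, uint32_t* out) {
    if (count > UINT32_MAX / sizeof(SampleToChunkEntry)) return false;
    uint32_t bytes = count * static_cast<uint32_t>(sizeof(SampleToChunkEntry));
    if (bytes > available) return false;
    *out = bytes;
    return true;
}

// Pattern 3 (parseESDescriptor-style): each descriptor is [tag][length][payload].
// The vulnerable code trusts the length byte; the parser below compares it to the
// bytes remaining before recording the payload, which is the check the fix adds.
struct Descriptor { uint8_t tag; size_t offset; size_t size; };

bool parseDescriptors(const std::vector<uint8_t>& buf, std::vector<Descriptor>* out) {
    size_t pos = 0;
    while (pos < buf.size()) {
        if (buf.size() - pos < 2) return false;        // need tag + length bytes
        uint8_t tag = buf[pos];
        size_t len = buf[pos + 1];
        size_t payload = pos + 2;
        if (len > buf.size() - payload) return false;  // declared length exceeds input
        out->push_back(Descriptor{tag, payload, len});
        pos = payload + len;
    }
    return true;
}

// Constructed sample input (not a real ESDS blob): a well-formed pair of
// descriptors, and the same bytes with the second length byte inflated to 0x20
// so that it claims more payload than the buffer holds.
static const std::vector<uint8_t> kGoodDescriptors =
    {0x03, 0x02, 0xAA, 0xBB, 0x04, 0x01, 0xCC};
static const std::vector<uint8_t> kTruncatedDescriptors =
    {0x03, 0x02, 0xAA, 0xBB, 0x04, 0x20, 0xCC};
```

The common thread is that every length, count or offset taken from the file is compared against the bytes that are actually present before it is used in arithmetic or indexing; the unsafe variants are kept only to show how the wrapped values look.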

Summary

Looking over all of the fix code, every one of these vulnerabilities comes down to incomplete validation of input data, and Stagefright is only the library that happened to be exposed. The Android system contains a large amount of file-parsing code, including decoders for images, archives, audio and video. Do all of those libraries validate their data strictly while parsing? Will there be another serious bug in an audio decoder tomorrow? That is a question worth serious thought from both developers and security practitioners.
