Android StageFright vulnerability attack
1. Introduction
Zimperium, a network security company, recently discovered what is considered the most serious vulnerability in Android history. It is estimated to affect 95% of Android devices; an attacker who exploits it can remotely control the phone's microphone, steal files, read emails and obtain personal certificates. The vulnerability exists in every Android version from 2.2 to 5.1.
2. How to trigger a vulnerability attack
Exploitation is passive: the vulnerability does not need to be triggered manually by the user, which makes it very hard to notice.
Trigger method:
(1) Receiving a video crafted to trigger the vulnerability by any channel, including but not limited to MMS or QQ.
(2) Viewing the video, for example by browsing to it in a file manager.
(3) Playing the video in any player built on the Android MediaFramework API, including playing it online in Chrome.
(4) Booting the device.
3. Vulnerability description
This vulnerability is caused by a buffer overflow in Android StageFright.
Example: (Nexus 5, Android 5.1.1)
The newly discovered vulnerability is especially dangerous because, unlike a phishing attack, it does not depend on the victim opening a file or link sent by the attacker: even if the victim does nothing, the attacker can silently compromise the device and erase the evidence before the user notices.
The Stagefright vulnerability has been assigned the following CVE identifiers:
CVE-2015-1538
CVE-2015-1539
CVE-2015-3824
CVE-2015-3826
CVE-2015-3827
CVE-2015-3828
CVE-2015-3829
4. Solution
Although Google has accepted a patch for the vulnerability reported by Zimperium, users cannot expect to receive it as an update in the short term.
In addition, the CyanogenMod commits show that some of the vulnerabilities have already been fixed.
From the CM commit it can be seen that the memory corruption occurs when the parser in StageFright's MPEG4Extractor.cpp processes metadata.
https://github.com/CyanogenMod/android_frameworks_av/commits/cm-12.0
Main functions:
Parse3GPPMetaData
ParseChunk
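To make the two kinds of check in the CM fix concrete, here is a stand-alone C program I added for illustration. It is not code from this page, from CyanogenMod or from the Stagefright source: the functions check_chunk_bounds, check_data_box and parse_metadata are hypothetical simplifications, the OK/ERROR_MALFORMED constants stand in for Android's status_t values, the sample sizes in main are constructed, and the assumption that the extra byte in size + 1 is for a terminator is mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Stand-ins for Android's status_t return values (assumption: the real
   parser returns ERROR_MALFORMED from media/stagefright; these are local). */
enum { OK = 0, ERROR_MALFORMED = -1 };

/* Hypothetical guard mirroring the parseChunk check: chunk_size comes from
   the file, so chunk_size + size must be rejected before it is computed if
   the sum would wrap around size_t. */
int check_chunk_bounds(size_t chunk_size, size_t size) {
    if (SIZE_MAX - chunk_size <= size)
        return ERROR_MALFORMED;          /* the addition would wrap */
    return OK;
}

/* Hypothetical guard mirroring the 'data' box check: 16 header bytes are
   skipped before the payload, so a box of 16 bytes or fewer has no payload. */
int check_data_box(size_t chunk_data_size) {
    const size_t kSkipBytesOfDataBox = 16;
    if (chunk_data_size <= kSkipBytesOfDataBox)
        return ERROR_MALFORMED;
    return OK;
}

/* Simplified stand-in for parse3GPPMetaData. Copies a metadata payload into
   a fresh buffer with one extra byte for a terminator (assumption). On
   success *out receives the buffer and the caller frees it. */
int parse_metadata(const uint8_t *data, size_t size, char **out) {
    *out = NULL;
    /* size == SIZE_MAX would make size + 1 wrap to 0: a zero-length buffer
       would be allocated and every later write would land out of bounds.
       The fix also requires at least 6 bytes for the smallest valid payload. */
    if (size < 6 || size == SIZE_MAX)
        return ERROR_MALFORMED;
    uint8_t *buffer = malloc(size + 1);
    if (buffer == NULL)                  /* like new (std::nothrow), malloc returns NULL */
        return ERROR_MALFORMED;
    memcpy(buffer, data, size);
    buffer[size] = '\0';
    *out = (char *)buffer;
    return OK;
}

int main(void) {
    /* Constructed sample values, not taken from any real file. */
    size_t consumed = 4096;
    size_t hostile_chunk = SIZE_MAX - 100;   /* consumed + hostile_chunk wraps */
    printf("hostile chunk: %s\n",
           check_chunk_bounds(hostile_chunk, consumed) == OK ? "ok" : "malformed");
    printf("normal chunk:  %s\n",
           check_chunk_bounds(512, consumed) == OK ? "ok" : "malformed");
    printf("16-byte data box: %s\n",
           check_data_box(16) == OK ? "ok" : "malformed");

    char *meta = NULL;
    const uint8_t sample[] = "sample"; /* constructed 6-byte payload */
    if (parse_metadata(sample, 6, &meta) == OK) {
        printf("metadata: %s\n", meta);
        free(meta);
    }
    printf("SIZE_MAX payload: %s\n",
           parse_metadata(NULL, SIZE_MAX, &meta) == OK ? "ok" : "malformed");
    return 0;
}
```

The point of the first function is the shape of the test: comparing against SIZE_MAX minus one operand rejects the wrap before the addition ever happens, whereas checking the sum afterwards is too late because unsigned overflow has already discarded the high bits.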
status_t MPEG4Extractor::parse3GPPMetaData(off64_t offset, size_t size, int depth) {- if (size < 4) {+ if (size < 4 || size == SIZE_MAX) { return ERROR_MALFORMED; }- uint8_t *buffer = new (std::nothrow) uint8_t[size];+ uint8_t *buffer = new (std::nothrow) uint8_t[size + 1];
+ if (size < 6) {+ return ERROR_MALFORMED;+ }+
parseChunk:+ if (SIZE_MAX - chunk_size <= size)+ return ERROR_MALFORMED;+ const int kSkipBytesOfDataBox = 16;+ if (chunk_data_size <= kSkipBytesOfDataBox) {+ return ERROR_MALFORMED;+ }+ mFileMetaData->setData(
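Review bot: in the parse3GPPMetaData part, the added `if (size < 6) { return ERROR_MALFORMED; }` appears after `uint8_t *buffer = new (std::nothrow) uint8_t[size + 1];` in the order shown; if that early return really sits below the allocation it exits without `delete[] buffer`, so either release the buffer before returning or hoist the check above the allocation. The `size == SIZE_MAX` test is what makes `size + 1` safe (otherwise it wraps to 0), and since `new (std::nothrow)` returns NULL instead of throwing, the line following the allocation should test `buffer` before it is used; the lines shown here do not include that check.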
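Review bot: in the parseChunk part, `if (SIZE_MAX - chunk_size <= size) return ERROR_MALFORMED;` is the correct shape for rejecting a wrap-around before `chunk_size + size` is computed, but the intent is not obvious from the expression alone and both operands come from the file, so add a one-line comment saying it guards the addition against size_t overflow. The `kSkipBytesOfDataBox` guard rejects a box with no payload after the 16 skipped bytes; the excerpt cuts off at `mFileMetaData->setData(`, so confirm that the length passed there is derived from `chunk_data_size - kSkipBytesOfDataBox`, which the new check guarantees is positive.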