Attack code for critical Android Stagefright flaw published

After having graciously waited for quite a while to publish the exploit for the Android Stagefright vulnerability (CVE-2015-1538) so that Google, mobile carriers and device manufacturers might push out a patch and protect users, Zimperium researchers released the code on Wednesday.

The company announced the existence of the bug in late July, and researcher Joshua Drake demonstrated how the vulnerability can be exploited via multiple attack vectors at Black Hat and DEF CON in August.

The vulnerability affects Stagefright, the Android media library that processes several popular media formats, and could allow attackers to take control of the target’s mobile device by simply sending him or her a specially crafted media file via MMS. The bug initially affected 95% of all Android devices.

Google tried to patch it in mid-August, but the patch they pushed out ultimately did not provide a complete defense against it.

But the fact that the vulnerability is easily exploited without the users’ knowledge and that it affected such a large percentage of Android devices has spurred Google to announce that it will improve security updating for its Nexus devices. Samsung followed suit by stating that it will implement a new Android security update process that fast-tracks security patches over the air when security vulnerabilities are uncovered.

Both companies promised security updates will be pushed out once per month.

Zimperium released the working exploit code – a Python script – to allow security teams, administrators, and penetration testers to test whether or not systems for whose security they are responsible remain vulnerable.

The script generates an MP4 file that can exploit the Stagefright vulnerability without any user interaction, and which could allow the attacker to take pictures with the device’s camera or listen in via the device’s microphone.

The exploit works on a Nexus running Android 4.0.4 and can be tweaked to work on other devices and OS versions, but not on Android 5.0 and later, since those versions have mitigations for integer overflow attacks.
