Researching and
Exploiting Stagefright
Joshua "jduck" Drake
April 9th, 2016
InfoSec Southwest
Agenda
Introduction
Summary of Prior Work
Events Since Disclosure
Including Android N Changes!
Android Exploitability
Exploit Walkthroughs
CVE-2015-1538 - stsc
CVE-2015-3824 - tx3g
CVE-2015-3876 + CVE-2015-6602 - ID3
Conclusions
Lessons Learned from Researching and Exploiting Stagefright InfoSec Southwest 2016
Joshua "jduck" Drake Zimperium Inc. All rights reserved.
Introduction
About the presenter and this research
Motivations
1. Improve the overall state of mobile security
1. Discover and eliminate critical vulnerabilities
2. Spur mobile software update improvements
2. Increase visibility of risky code in Android
3. Put the Droid Army to good use!
While this research has definitely led to improvements big
and small, there is still plenty of work to be done.
You will see what remains in this talk.
Acknowledgements
This work was sponsored by Accuvant Labs (now Optiv) with
continuing support from Zimperium.
&
Special thanks go to Amir Etemadieh of Optiv / Exploiteers.
Additional thanks to Collin Mulliner, Mathew Solnik, and
Daniel Micay.
Thanks to the ISSW organizers for giving me the opportunity
to speak here today!
What is Stagefright?
Android Multimedia Framework library
Written primarily in C++
Handles all video and audio files
Provides playback facilities - e.g. {Nu,Awesome}Player
Extracts metadata for the Gallery, etc.
Now also the name of "a vulnerability" that made waves.1
An attacker could obtain elevated privileges on an
affected Android device, unbeknownst to the victim, with
only a single MMS.
1. https://en.wikipedia.org/wiki/Stagefright_%28bug%29
See my 2015 talk slides for more introductory information. (link at end)
System Architecture
Android is very modular
Things run in separate
processes
Lots of inter-process
communications
"Sandbox" relies on Linux
users and groups
libstagefright executes inside
"MEDIA SERVER"
Picture from Android Interfaces in the Android Developer documentation
mediaserver Overview
A native system service that runs in the background.
It automatically restarts when it crashes!
Privileges vary per-device-model: high to crazy high
Access to audio, camera, internet, bluetooth on all
Has system group on 50% of devices in the droid army
Has input, shell, or radio on a minority
In short, mediaserver is a very attractive target.
NOTE: See my 2015 talk slides for more system architecture and privilege details. (link at end)
Scope of My Work
Stagefright is big and supports a wide variety of multimedia
file formats.
However, I believe in focusing in on smaller areas of code
and testing them very well. To settle the difference, I:
1. Originally focused on only MPEG4 handling
2. Later looked at ID3 and MP3 handling
3. Tested these areas of code in isolation
Further, I only focused on metadata processing (think of
image preview).
I never tested code paths that require playback.
Vulnerability Discovery
My strategy: fuzz, analyze, audit, fix bugs, repeat...
Round One: A dumb fuzzer + a tiny MP4 + MediaScanner
Found crashes, but none that looked serious
Discovered 5 vulns reading surrounding code
Round Two: American Fuzzy Lop
Ported the code to Linux, ran it on beefy hardware
Found vulns from round one, plus 5 more critical vulns
Discovered some fixes from 5.x were bogus!!
NOTE: See my 2015 talk slides for more details. (link at end)
Use AFL!! http://lcamtuf.coredump.cx/afl/
Exploit Development
I wrote two exploits for Stagefright vulnerabilities.
I released one (CVE-2015-1538) last fall.1
An MP4 file generator
Targets Galaxy Nexus on Android 4.0.1
I will release another one (CVE-2015-3824) soon!
Yields remote kernel via the browser and works on:
Nexus 6 running Android 5.1 (LMY47M)
Nexus 5 running Android 5.1.1 (LMY48B)
Will be released as a Metasploit module (contribute!)
We will discuss these in detail later...
1. https://github.com/jduck/cve-2015-1538-1
Zimperium Efforts
Zimperium Handset Alliance (ZHA)
Notify shippers of Android simultaneously
Over 25 carriers, OEMs, etc have already joined!
Stagefright Detector App
Released shortly before BlackHat USA 2015
Tests devices for 9 CVEs non-intrusively
Anonymous data collected, see recent blog post
10 additional vulns reported (including Stagefright 2.0)
CTS tests created and upstreamed
Detection capabilities added to our products
More to come...
Community Efforts
The security researcher community really stepped up!
Total as of April 2016:
69 CVEs, 110 ANDROID-ids, 132 Patches
Critical: 39 CVEs, 64 ANDROID-ids, 77 Patches
High: 27 CVEs, 41 ANDROID-ids, 50 Patches
Low: 3 CVEs, 5 ANDROID-ids, 5 Patches
Other great content too!
Several write-ups
Wooyun, Fortinet, Exodus, NCC Group, NorthBit
3+ Exploits published
Ours, Project Zero, NorthBit Metaphor
Android N Changes
Google split mediaserver into multiple components!
ps output from an Android N device (as shown on the slide):
USER          PID   PPID  VSIZE   RSS   ...    NAME
audioserver   565   1     60448   9100  ... S  /system/bin/audioserver
cameraserver  566   1     16160   3472  ... S  /system/bin/cameraserver
mediacodec    571   1     33680   4576  ... S  media.codec
mediadrm      572   1     16720   3672  ... S  /system/bin/mediadrmserver
mediaex       573   1     41840   4740  ... S  media.extractor
media         574   1     60800   8392  ... S  /system/bin/mediaserver
Android Exploitability
What stands in the way?
Crucial Components
Certain system properties are critical to understand for
exploitation.
ASLR Quality (entropy) - kernel
Heap implementation details - libc
It is difficult (some argue impossible) to eliminate all
vulnerabilities in a code base.
Hardening critical system components can prevent
successful attacks.
Other system-wide mitigations exist and can help too...
Mitigation Summary
Mitigation        Applicability
SELinux           N/A (1)
Stack Cookies     N/A
FORTIFY_SOURCE    N/A
ASLR              (not marked N/A on the slide)
NX                N/A (2)
1. Only comes into play on some devices and only after achieving arbitrary code execution.
2. Only affects some of the vulnerabilities. It still leads to DoS.
Exploit Walkthrough I
CVE-2015-1538 - MP4 stsc Integer Overflow
(The slides showed the vulnerable stsc parsing code annotated with "// 12 bytes per" and "// OOPS!"; the code listing itself did not survive extraction.)
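As an added illustration (not code from the talk or from AOSP), the stsc arithmetic behind CVE-2015-1538 in C with explicit widths to match the 32-bit builds the exploit targets: the unchecked count-times-12 product beside a checked form that also verifies the atom can hold that many entries. The be32 helper, the sample atoms and the checked function are my own constructions.

```c
#include <stddef.h>
#include <stdint.h>

/* stsc (sample-to-chunk) entries hold three 32-bit fields: first_chunk,
   samples_per_chunk and sample_description_index, i.e. 12 bytes per entry. */
#define STSC_ENTRY_SIZE 12u

/* Big-endian 32-bit read, the byte order MP4 atom fields use. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Original behaviour on a 32-bit build (size_t is 32 bits): the entry count
   read from the file is multiplied by 12 with no check, so a large count
   wraps to a tiny allocation while the parser still walks count entries. */
static uint32_t stsc_alloc_len_unchecked(uint32_t entry_count)
{
    return entry_count * STSC_ENTRY_SIZE;   /* wraps modulo 2^32 */
}

/* Defensive form (added here, not the AOSP patch): parse the 8-byte header,
   refuse a count whose product would wrap, and refuse a count the atom is
   too short to hold. Returns the entry-table length, or -1 on rejection. */
static int64_t stsc_alloc_len_checked(const uint8_t *atom, size_t atom_len)
{
    if (atom_len < 8)                       /* version/flags + entry count */
        return -1;
    uint32_t entry_count = be32(atom + 4);
    if (entry_count > UINT32_MAX / STSC_ENTRY_SIZE)
        return -1;                          /* count * 12 would overflow */
    uint32_t len = entry_count * STSC_ENTRY_SIZE;
    if ((uint64_t)len + 8 > atom_len)
        return -1;                          /* atom cannot hold count entries */
    return (int64_t)len;
}

/* Constructed sample: a well-formed stsc with two entries (8 + 24 bytes). */
static const uint8_t good_stsc[32] = {
    0, 0, 0, 0,                              /* version + flags */
    0, 0, 0, 2,                              /* entry_count = 2 */
    0, 0, 0, 1,  0, 0, 0, 4,  0, 0, 0, 1,    /* entry 1 */
    0, 0, 0, 3,  0, 0, 0, 2,  0, 0, 0, 1     /* entry 2 */
};
/* Constructed header claiming 0x15555556 entries: 0x15555556 * 12 is
   0x100000008, which wraps to 8 bytes on the 32-bit target. */
static const uint8_t huge_stsc[8] = { 0, 0, 0, 0, 0x15, 0x55, 0x55, 0x56 };
```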
Exploit Walkthrough II
CVE-2015-3824 - MP4 tx3g Integer Overflow
(tx3g handling code, as shown on the slide)
    if (size > 0) {
        memcpy(buffer, data, size);
    }
    if ((size_t)(mDataSource->readAt(*offset, buffer + size,
            chunk_size))
Values from the slide:
    size = num_write - 8
    chunk_size = 0xffffffff - num_write + num_alloc + 1
A note on CVE-2015-3864
I missed that chunk_size is 64-bit and can be above 2^32.
Using such a value, it was possible to bypass my check:
(The slide shows the bypassed check at source lines 1896-1898; the code listing did not survive extraction.)
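As an added example for both the tx3g walkthrough and the CVE-2015-3864 note (my code, not the talk's or AOSP's), the size + chunk_size arithmetic with explicit widths for the 32-bit target, beside two checks: one modelled on the slide's description of the first fix (the exact expression SIZE_MAX - chunk_size <= size is my assumption) and one that bounds the 64-bit chunk_size first so nothing can wrap. The test values follow the slide's formula with constructed num_alloc = 0x100 and num_write = 0x200.

```c
#include <stdbool.h>
#include <stdint.h>

/* Models the tx3g atom path of the 32-bit libstagefright build: size_t is
   32 bits, while chunk_size is parsed from the file as a 64-bit value.
   Explicit widths keep the arithmetic identical on any host. */
#define SIZE_MAX32 ((uint64_t)UINT32_MAX)   /* SIZE_MAX on the 32-bit target */

/* new uint8_t[size + chunk_size]: the sum is computed in 64 bits and then
   truncated to size_t when used as the allocation length. */
static uint32_t tx3g_alloc_len(uint32_t size, uint64_t chunk_size)
{
    return (uint32_t)(size + chunk_size);
}

/* The allocation is followed by memcpy(buffer, data, size): the heap
   overflow occurs whenever the truncated length is smaller than size. */
static bool tx3g_overflows(uint32_t size, uint64_t chunk_size)
{
    return tx3g_alloc_len(size, chunk_size) < size;
}

/* First check (assumed shape of the CVE-2015-3824 fix): reject when
   SIZE_MAX - chunk_size <= size. SIZE_MAX is promoted to 64 bits, so a
   chunk_size above 2^32 wraps the subtraction to a huge value and the
   check is bypassed: the CVE-2015-3864 note above. */
static bool first_fix_rejects(uint32_t size, uint64_t chunk_size)
{
    return (SIZE_MAX32 - chunk_size) <= size;
}

/* A check that holds for any 64-bit chunk_size (added here, not the
   project's patch): bound chunk_size to size_t before subtracting. */
static bool safe_rejects(uint32_t size, uint64_t chunk_size)
{
    if (chunk_size > SIZE_MAX32)
        return true;
    return size > SIZE_MAX32 - chunk_size;
}
```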
On CVE-2015-3876 + CVE-2015-6602
Is "Stagefright 2.0" exploitable?
On CVE-2015-3876 + CVE-2015-6602
Two CVEs assigned
CVE-2015-3876 in ID3 parsing code (MP3 or MP4)
Ended up passing -1 to a String8 constructor
CVE-2015-6602 in libutils String8::allocFromUTF8
Took the length, added one, allocated memory
The vulnerable primitive is a bit annoying:
    buffer = malloc(0);
    memcpy(buffer, user_input, -1);
    buffer[-1] = 0;
Conclusions
What are the key takeaways?
Final Conclusions
1. Take care when changing heap implementations.
Changes here can weaken your security posture.
2. Thinking outside the box can make your exploit better!
Controlling the environment can influence your target!
3. Diversity is a thorn, but can be dealt with
Android Browser user agents are very helpful!
4. Mitigations are not a silver bullet
Especially when multiple attempts are possible
5. Vendors using Android need to
Be more proactive in finding / fixing flaws
Be more aggressive in deploying fixes
6. The Android code base needs more attention. BBMFTW!