Slashdot Mirror


Stagefright Patch Incomplete and Zero Day in Android Google Admin App Found

msm1267 writes: A patch distributed by Google for the infamous Stagefright vulnerability found in 950 million Android devices is incomplete and users remain exposed to simple attacks targeting the flaw. Researchers at Exodus Intelligence discovered the issue in one of the patches submitted by Zimperium zLabs researcher Joshua Drake. Google responded today by releasing a new patch to open source and promising to distribute it next month in a scheduled OTA update for Nexus devices and to its partners. Drake's original patch failed to account for an integer discrepancy between 32- and 64-bit, Exodus Intelligence said. By inputting a specific 64-bit value, researchers were able to bypass the patch. Exodus, which submitted a bug fix of its own to Google, said it decided to go public with its findings for several reasons, including the fact that the vulnerability was widely publicized by Zimperium before and during Black Hat, not to mention that Google has had the original bug report since April, yet neither party noticed the discrepancy in the patch. The Android security team at Google is having a busy month. Trailrunner7 writes: Researchers at MWR Labs have released information on an unpatched vulnerability that allows an attacker to bypass the Android sandbox.

42 comments

  1. Ring ring ring by Anonymous Coward · · Score: 0

    At this point, my next phone will be a bananaphone.

    1. Re:Ring ring ring by Anonymous Coward · · Score: 1

      You got a banana in your ear

      What?

      You have a banana in your ear!

      Huh?

      I said, YOU HAVE A BANANA IN YOUR EAR!!

      What? I can't hear you! I have a banana in my ear!

    2. Re:Ring ring ring by davester666 · · Score: 1

      I believe he is trying to inform you to turn your head 90 degrees and insert it in your mouth.

      --
      Sleep your way to a whiter smile...date a dentist!
  2. It's useless to fight the hackers. by Anonymous Coward · · Score: 0

    My old bag phone is looking better every day...

  3. Exploit? by Anonymous Coward · · Score: 0

    My question is, has there actually been a successful exploit of the vulnerability? From the sounds of it, address space layout randomisation, present since Android 4.0, would make it very hard if not impossible to execute an exploit. Just interested in what the real threat is and not the hyped up media version.

    1. Re:Exploit? by phantomfive · · Score: 2

      The second one is easily exploitable, but requires that an app send a malicious URL to the admin app. In other words, for it to work, you need to either install a malicious app, or have another app on your device with its own vulnerability.

      The first one can be exploited by sending an SMS to a vulnerable device, according to this report. The fundamental flaw here is running the MPEG decoder as a trusted user. Until that changes, there will likely be a steady stream of vulnerabilities.

      --
      "First they came for the slanderers and i said nothing."
    2. Re:Exploit? by swillden · · Score: 1

      My question is, has there actually been a successful exploit of the vulnerability? From the sounds of it, address space layout randomisation, present since Android 4.0, would make it very hard if not impossible to execute an exploit. Just interested in what the real threat is and not the hyped up media version.

      The weak ASLR in ICS can be worked around, and jduck (finder of the bug) has demonstrated exploiting it. Exploiting it on Jelly Bean or later, which have much better ASLR, would require sending many, many malformed videos trying to randomly hit on a useful address. No one has had any success at that.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    3. Re:Exploit? by swillden · · Score: 2

      The second one is easily exploitable, but requires that an app send a malicious URL to the admin app. In other words, for it to work, you need to either install a malicious app, or have another app on your device with its own vulnerability.

      You're talking about the Certifi-gate vulnerability. Another requirement for it to be exploitable is that your device has to have an exploitable remote admin tool installed by the OEM.

      The first one can be exploited by sending an SMS to a vulnerable device, according to this report [exodusintel.com]. The fundamental flaw here is running the MPEG decoder as a trusted user. Until that changes, there will likely be a steady stream of vulnerabilities.

      That is the stagefright vulnerability. It's exploitable on ICS and below. The patch being pushed to many OEM devices right now fixes it. Exodus is wrong about that because they're looking at only one of the patches applied. Jduck's original patch had a bug, which Google fixed. All of this is visible in AOSP.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    4. Re:Exploit? by Anonymous Coward · · Score: 0

      In other words, for it to work, you need to either install a malicious app, or have another app on your device with its own vulnerability.

      Hey, since people here consider the concept of installing malicious HARDWARE as a likely occurrence on OSX I guess this is trivial in nature.

    5. Re:Exploit? by IamTheRealMike · · Score: 1

      That's good to hear. These exploits often don't seem to be as bad as initially suggested. No big surprise there, I guess.

      This Google Admin app bug doesn't seem to be a general sandbox bypass as the summary implies. It's not even a bug in Android. One app by Google to let people admin their custom Apps domains will open a URL with an embedded webview, if asked. So then perhaps the embedded web view can be used to exfiltrate files from the Admin app. But are there any sensitive files there to be stolen? The advisory does not say, so I expect the answer is "no".

      Well, any OS that lets apps talk to each other can have this sort of issue - it's like blaming Windows for a bug in Firefox. Makes no sense. Probably good for getting attention though.

  4. Avoid Google Phone by Anonymous Coward · · Score: 0

    Go Samsung safety number 1.

  5. Android is the new Windows XP by Anonymous Coward · · Score: 4, Informative

    It seemed for awhile several years ago that every other day there was a new nasty vulnerability in Windows XP. Some of these got exploited by nasty worms such as Blaster. Part of the issue was that Windows was designed without enough concern for security, something that really has changed in the past several years. But users also weren't installing Windows updates like they needed to, leaving them unprotected from exploits. That forced Microsoft to make some big changes in the design of Windows and to its practices in distributing updates. There are still plenty of Windows vulnerabilities, many of which are critical, but updates get distributed and installed much quicker and by a much larger proportion of the users. I'm less bothered by Android vulnerabilities being found and more concerned about how the patches get distributed. Android is a great target for criminals looking to exploit users because it has a large market share and many devices don't get updates regularly. I'd be far less bothered if I could trust that Samsung and Verizon would push out an update promptly, but that doesn't happen. I don't feel particularly vulnerable just because these security holes are being found; however, I don't trust that my Galaxy Note 4 will get an update pushed out to it in a timely manner. I'm not sure how seriously Google takes this, either, if they're going to wait until next month to release a fix. Microsoft did a lot to address the security issues with Windows. A similar thing needs to happen very soon with Android.

    1. Re:Android is the new Windows XP by Anonymous Coward · · Score: 0, Informative

      Google sucks balls. I can't believe people still put up with this shit.

      I recently purchased a Microsoft Lumia 735 (Windows Phone) for $190 when I also bought a $700 (or whatever it was) HTC M9 to replace my old Android phone.

      It's fucking comical. The Lumia 735 is way faster than the HTC phone, which is like 3 times as powerful.

      My work uses google apps, so I'm pretty much stuck. I also am addicted to one night stands on Tinder. But man - Windows Phone is sweet. I can't believe it doesn't get more love. Incredibly fast, it has almost everything you need other than hookup apps. Yelp, opentable, spotify, microsoft maps or whatever it is works fine.

      And, to top it off... there are no security vulnerabilities and Microsoft pushes regular updates.

    2. Re:Android is the new Windows XP by Anonymous Coward · · Score: 1

      735 faster than M9? Doubt it. Highly anecdotal.

      Safer? For the same reason OSX is safer - almost no-one uses it, compared to Android. A larger target group makes it much more likely an exploit will be found.

      And lastly, "it has almost everything you need....". Almost is the key here, almost. It has most of the most popular apps like Twitter, Facebook etc. But it lacks the really useful ones like parking apps, bank apps, that hot messaging app etc. The list goes on.

      And most critically - no support for either Apple software (not that Android has that either) or Google software (no proper Gmail, Maps, YouTube, Docs, Drive etc).

      WP is nice and all but it's way too limited. Sure, it works great for idiots that come from feature phones and don't use more than the built-in apps, but for the masses it's way too limited.

    3. Re:Android is the new Windows XP by Anonymous Coward · · Score: 0

      The difference is Android users don't even have the option to install fixes.

    4. Re:Android is the new Windows XP by wannabgeek · · Score: 1

      OSX is safer

      That statement has not been true for more than a year now. Not with the number of vulnerabilities found in various open source libraries as well as OS X specific vulnerabilities.

      --
      I'm much more funny, interesting and insightful than the moderators think
  6. Me being the one of 3 people using a Windows Phone by TheRealQuestor · · Score: 0

    Actually can feel a little smug right now. My 30 dollar Lumia 520 running Windows 10 works great and since there aren't really any apps for it I don't have to worry about these apps messing with my phone being a well.. a phone.

  7. Re:Me being the one of 3 people using a Windows Ph by Anonymous Coward · · Score: 0

    Your smugness is simply arrogance or ignorance. You can bet there are vulnerabilities in WP10 and even without running "apps" you might be vulnerable. Anything other than the core operating system is an "app" anyway.

    If you use an affected Android phone and avoid watching videos linked in SMS you'll be safe as well.

  8. Re: Me being the one of 3 people using a Windows P by Anonymous Coward · · Score: 0

    At least when a vulnerability is discovered in a Windows 10 based phone, Microsoft can roll out an update using a robust system instead of the circus Android has.

  9. Re:Me being the one of 3 people using a Windows Ph by binarylarry · · Score: 1

    Why not just get a flip phone instead?

    It's "just a phone" and will last a week or more without charging.

    I wouldn't be surprised if flip phones outsell Windows Phone 10 by a significant margin.

    --
    Mod me down, my New Earth Global Warmingist friends!
  10. does this mean their exploit test is flawed? by pkinetics · · Score: 1

    In other words, since it is testing for a flaw, because it is based on a flawed requirement, is it reporting a false pass? :)

  11. NSA? by Anonymous Coward · · Score: 0

    No piece of software is complete without a few NSA backdoors.

  12. Exodus is wrong by swillden · · Score: 5, Informative

    Exodus is wrong.

    The flawed patch they mention in their post isn't the one being pushed to devices. What makes this funny is that the correct patch is in AOSP, for everyone to see. What Exodus posted is the patch that jduck suggested. And it's in AOSP here. But Google further updated it with this, which fixes the flaw Exodus noticed in jduck's fix.

    There are still some known ways to crash libstagefright, but they're assertion crashes. They crash safely, no possibility of exploitation.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    1. Re:Exodus is wrong by Anonymous Coward · · Score: 2, Informative

      Prediction: On 64-bit machines GCC and clang will complain about the comparison (SIZE_MAX < chunk_size) being always false. Then some idiot will remove the code to fix the warning, thus silently breaking 32-bit builds. Alternatively, they'll disable the warning, possibly causing future logic bugs to slip through.

      The better fix here would be to not use the magic variable SIZE_MAX, as its use relies on unenforced assumptions about its relationship to the type of the critical expression of interest. One way to do that would be

      if (~chunk_size < size) { return ERROR_MALFORMED; }

      however that relies on knowing that the width of the type of chunk_size is >= that of size. You could add a static_assert to check that. Or you could do something like

      #define E_MAX(E) (~((0)? (E) : 0))
      /* E_MAX(...) - chunk_size is the headroom left before chunk_size + size wraps */
      if (E_MAX(chunk_size + size) - chunk_size < size) { return ERROR_MALFORMED; }

      What E_MAX does is ensure that 0 is promoted to the type of the expression E, which will be the type of the operand with the maximum width. Presuming this type is unsigned, it's all kosher C (and C++) code. This will be true if chunk_size and size are both unsigned and have a rank greater than or equal to int. E is never evaluated, so it has 0 runtime cost. (There are similar tricks you can do to check the signedness of E, allowing you to make the macro more generic, at least for all integer types with a width >= int. Calculating the max of a signed type is more complex, but doable as long as the implementation is consistent about its choice of representation for all integer types. C only permits 3 possible representations--twos-complement, ones-complement, and signed-magnitude--and you can use similar macro tricks to detect and handle the possibilities.)

      Even better, though, would be adding proper allocation functions that correctly handle checking for arithmetic overflow, similar to OpenBSD's reallocarray interface (which handles multiplicative overflow).

      Thank goodness the code isn't using _signed_ integers as most C++ programmers seem to recommend. Mixing signedness issues with width issues compounds your problems many fold, particularly in contexts where values < 0 are meaningless or hazardous. But as I mentioned in the parenthetical there are well-defined ways in C to handle some common pitfalls when dealing with signed types.
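      The checks this comment sketches (the ~chunk_size test and the E_MAX macro), side by side with the width-dependent SIZE_MAX comparison and with what the allocation actually requires, as an added example that is neither the commenter's code nor AOSP's. It assumes a uint64_t chunk_size read from the file, a size_t size, and that the caller later uses chunk_size + size as a size_t length.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from the thread or from AOSP. Assumed parser state:
 * chunk_size is the 64-bit length read from the file and size is a size_t,
 * 32 bits wide on 32-bit Android builds and 64 bits wide on 64-bit builds.
 * The caller later computes chunk_size + size and uses it as a length. */

enum { OK = 0, ERROR_MALFORMED = -1 };

/* The macro from the comment: the conditional promotes 0 to the type of E,
 * and ~0 in an unsigned type is that type's maximum. E is never evaluated. */
#define E_MAX(E) (~((0) ? (E) : 0))

/* Width-dependent check of the kind the thread warns about: on a 64-bit
 * build SIZE_MAX equals UINT64_MAX, the comparison is always false, and the
 * check silently contributes nothing. The cast only makes the 64-bit
 * arithmetic explicit; it does not change the result on either width. */
static int check_chunk_alone(uint64_t chunk_size) {
    if ((uint64_t)SIZE_MAX < chunk_size) return ERROR_MALFORMED;
    return OK;
}

/* The comment's first variant: ~chunk_size is UINT64_MAX - chunk_size, the
 * headroom left before chunk_size + size wraps modulo 2^64. */
static int check_sum_tilde(uint64_t chunk_size, size_t size) {
    if (~chunk_size < size) return ERROR_MALFORMED;
    return OK;
}

/* The comment's macro variant written as the same headroom test: E_MAX picks
 * the maximum of the promoted type of chunk_size + size, so the test still
 * holds if either operand's type is widened later. */
static int check_sum_emax(uint64_t chunk_size, size_t size) {
    if (E_MAX(chunk_size + size) - chunk_size < size) return ERROR_MALFORMED;
    return OK;
}

/* What the allocation actually needs: chunk_size + size must fit in size_t.
 * The two tests above only guard the 64-bit sum; on a 32-bit build a sum
 * that fits in 64 bits is still truncated when stored in a size_t. */
static int check_fits_size_t(uint64_t chunk_size, size_t size) {
    if (check_chunk_alone(chunk_size) != OK) return ERROR_MALFORMED;
    if ((uint64_t)SIZE_MAX - chunk_size < size) return ERROR_MALFORMED;
    return OK;
}

int main(void) {
    /* Constructed inputs: a sane chunk, one that wraps the 64-bit sum, and
     * one that fits in 64 bits but not in a 32-bit size_t. */
    const uint64_t samples[] = { 1000, UINT64_MAX - 8, (uint64_t)1 << 32 };
    const size_t size = 16;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("chunk_size=%#llx tilde=%d emax=%d fits_size_t=%d\n",
               (unsigned long long)samples[i],
               check_sum_tilde(samples[i], size),
               check_sum_emax(samples[i], size),
               check_fits_size_t(samples[i], size));
    }
    return 0;
}
```

      Only the last check gives the same verdict on both widths for the third sample; the other two accept it on every build because the 64-bit sum does not wrap.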

    2. Re:Exodus is wrong by Anonymous Coward · · Score: 0

      Thanks.

    3. Re:Exodus is wrong by Anonymous Coward · · Score: 0

      Correct me if I'm wrong, but according to the AOSP history, it looks like while Nick Kralevich did commit the correct patch to AOSP 6 days ago (that puts it after August 5th when Josh Drake presented at BlackHat), this patch wasn't merged into master until just hours ago today.

      Meaning, the OTA updates released last week around the time of Black Hat that are being pushed out have Josh Drake's patch, which was committed over 3 months ago and merged to master 13 days ago.

    4. Re:Exodus is wrong by swillden · · Score: 1

      Patches are sent to OEMs before they're merged to AOSP.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  13. dumbphone by MrKaos · · Score: 1

    With all the downsides maybe it's dumb to have a smart phone. I know that people would be missing out on all those important facebook posts though.

    --
    My ism, it's full of beliefs.
    1. Re:dumbphone by wannabgeek · · Score: 1

      Hey, maybe we shouldn't have computers connected to the internet, because you know "Hackers"!!!

      Seriously, what's with all this paranoia? Yes, mobile OS vendors have probably been lax until now, and once vulnerabilities are found, they will clean up their act, or they will be overthrown in the market by someone who does a better job. Windows used to suck, but now it's much better. I'm sure Android will get there too. That does not mean we can give them a pass for security vulnerabilities. We should absolutely hold them accountable and publicize the issue so that they know that's not acceptable.

      Now, I will get off your lawn.

      --
      I'm much more funny, interesting and insightful than the moderators think
  14. Re:Me being the one of 3 people using a Windows Ph by TigerPlish · · Score: 1

    Why not just get a flip phone instead?

    Because no one makes a flip as beautiful, well-made and small-footprint as the Razr.

    That atrocity by LG the other day looks like a Razr with a tacky leather cover glued on to it -- that doesn't count. That's a near copy.

    After the Razr, all flips are hopelessly plasticky fragile constructions.

    My Razr lasted 6 years. Longest-lived phone I've had.

    --
    The "Civilized World" jumped the shark ca. 1973.
  15. Google... Heal Thyself by Dutch+Gun · · Score: 2

    From the article:

    The flaw was initially reported over 120 days ago to Google, which exceeds even their own 90-day disclosure deadline.

    Do you remember them throwing Microsoft under the bus by releasing information about a flaw before it was patched? Yeah. Oops.

    In summary, the Stagefright disclosure process was an interesting one to observe. The (un)surprising outcome being that given all the exposure this vulnerability received combined with essentially infinite resources on the vendor side, effective security mitigations were still not deployed. Google employs a tremendously large security staff, so much so that many members dedicate time to audit other vendor’s software and hold them accountable to provide a code fix within a deadline period. If Google cannot demonstrate the ability to successfully remedy a disclosed vulnerability affecting their own customers then what hope do the rest of us have?

    I don't particularly dislike Google. I use Android and several of their services. Sometimes, however, their sense of self-satisfaction can get on my nerves, especially when they demonstrate themselves capable of the same flaws as their competitors but don't seem to own up to it.

    --
    Irony: Agile development has too much inertia to be abandoned now.
  16. Patched in Cyanogenmod in tonight's nightlies by the_humeister · · Score: 4, Informative
    1. Re:Patched in Cyanogenmod in tonight's nightlies by Anonymous Coward · · Score: 0

      On every one of the phones I've tried CM on (Xperia Arc, Xperia Mini Pro, ZTE Blade 3, Xperia Z Ultra), either the camera wasn't working, or Bluetooth, or 3G, or something was broken slightly but just enough to force me to return to stock.

      There only ever was ONE custom ROM I liked and that was SlimKat for the Z Ultra.

    2. Re:Patched in Cyanogenmod in tonight's nightlies by Anonymous Coward · · Score: 0

      No one cares about nightlies. Patch it in stable and then we're listening.

    3. Re:Patched in Cyanogenmod in tonight's nightlies by nnull · · Score: 1

      Meanwhile, all those manufacturers barely offer any updates to fix anything. That's why I stay away from them. If it doesn't work with Pacrom or Cyanogenmod, I don't want it. I still have all the Nexus phones on the latest updates, except the Nexus One, I've finally put that phone to rest even though it was still running great. The other manufacturers, the phones barely last a year before they unofficially and silently discontinue it by just not doing any updates at all.

  17. Re:Me being the one of 3 people using a Windows Ph by pkinetics · · Score: 1

    I miss my Nokia 6162. Dropped it in the middle of winter. Found it after spring thaw. Got a Motorola v60i that I only replaced cause they turned off the old cell network. They felt so bad for me, they gave me a new phone free (not the free carrier phone).

  18. Re:Android is the new by Anonymous Coward · · Score: 0

    In terms of UI, yeah I put it right around Windows XP. I mean most people compare Apple to Android just by looking at the UI. Hell its practically the same, just a few icons and the whole world goes crazy.

  19. Re:Me being the one of 3 people using a Windows Ph by Anonymous Coward · · Score: 0

    Told you.

  20. Re:dear google. by Anonymous Coward · · Score: 0

    -1 Factually Wrong: The NSA got ten times more data from one tenth as many users on Yahoo. And they got most of what they got from Google because they directly attacked Google's inter-datacenter fiber, not because Google cooperated.