STAGEFRIGHT: The Biggest Vulnerability to Android Platforms

Upload: mamoon-ismail-khalid

Post on 15-Apr-2017


TRANSCRIPT

Page 1: Stagefright (1)

STAGEFRIGHT: The Biggest Vulnerability to Android Platforms

Page 2: Stagefright (1)

Android is a very modular operating system. Everything runs in separate processes, with a lot of inter-process communication. Android implements the concept of a "sandbox": a modified scheme based on Linux users and groups. The security hole is in Android's core media handling library, libstagefright, which executes inside the "media server" process.

Android Architecture

OVERVIEW

Page 3: Stagefright (1)

The Stagefright vulnerability was first identified by the security company Zimperium in July 2015. The exploit is able to execute remote code on Android devices and possibly affected upward of 95% of Android devices. Stagefright itself is a software library (libstagefright), written in C++, that is built into the Android operating system. The analysis says it is susceptible to memory corruption: when an MMS message containing a video is sent to the device, it could, if composed in the correct way, activate malicious code inside the device. The exploit is so dangerous that it can compromise the victim's phone without any action being taken by the victim, just by sending a plain MMS. MMS auto-retrieve makes it really easy to exploit Android phones. So, who has your phone number? Google has now released a patch for the bug, but a new development in the form of another exploit based on libstagefright has surfaced, known as Metaphor.

STAGEFRIGHT EXPLAINED

Page 4: Stagefright (1)

The mediaserver process runs in the background. It is a native service started at boot from /init.rc; as such, the process automatically restarts when it crashes.

PROCESS ARCHITECTURE

Process privileges (Nexus 5): the last part of the service definition in /init.rc shows the privileges that the service runs with:

This service is highly privileged. Normal Android apps cannot request or receive permissions like audio, camera, drmrpc, and mediadrm. The set of access below, granted to the media server, can give almost unlimited access:

- inet: can create AF_INET and AF_INET6 sockets (an attacker can use this to connect to any host on the internet)

- net_bt and net_bt_admin: an attacker can access and configure Bluetooth on the victim device.

- camera: an attacker can leverage this to control the victim's camera devices (front and back cameras).

- audio: an attacker can leverage this to record, play back and monitor audio.

Page 5: Stagefright (1)

An attacker can also control storage on the victim's phone, can restart adb and get shell access, and can monitor system_server. The MPEG-4 file format: to understand the Stagefright vulnerability (CVE-2015-1538), it helps to understand the structure of an MP4 file. It is a collection of TLV (Type-Length-Value) chunks. This encoding method means there is a value called "type" specifying the chunk type, a "length" value giving the data length, and a "value" holding the data itself. For MPEG-4, the encoding puts "length" first, then "type", and finally "value". The following pseudo-C describes the MPEG-4 chunk format:

When length is 0, the data extends to the end of the file. The atom field is a short string (also called a FourCC) which describes the chunk type. MPEG-4 chunks that carry more than 2^32 bytes of data have a different structure from the TLV layout above.

Page 6: Stagefright (1)

So how does this all happen? AwesomePlayer.cpp is C++ code that runs when the media file is played on the victim's phone. Let's jump into the code where the bug takes effect. It calls setDataSource_l(sp<MediaExtractor>).

setDataSource_l:

It will call MPEG4Extractor::countTracks:

The above code calls readMetaData:

The above code calls MPEG4Extractor; let's look into that.

Page 7: Stagefright (1)

This is where the attack takes place: when the MP4 file is parsed. The code from MPEG4Extractor.cpp collects all chunks and appends them into one single buffer. The problem is that there is no check on size and chunk_size (they are unchecked). The Stagefright attacker exploits an integer overflow.

In the above code snippet, size bytes from data are written to buffer irrespective of the actually allocated size of buffer. When the heap is carefully shaped, exploitation becomes very easy. In this project, we will be using the exploit from Exploit-DB by Joshua Drake of Zimperium Labs. Joshua was the first to reveal the Stagefright vulnerability.
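As an added example (not the slides' own pseudo-C, which is not reproduced here, and not AOSP code), the parser below reads MPEG-4 chunk headers in the length-then-type order described on the file-format slide, handles the length-0 and extended 64-bit cases, and places the unchecked size + chunk_size accumulation from the extractor slide beside a form that refuses to wrap. Function and type names are assumptions, and the sample bytes are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Parsed MPEG-4 chunk header: length first, then the FourCC type, then data.
 * A 32-bit length of 1 means a 64-bit extended length follows the type;
 * a length of 0 means the chunk runs to the end of the file. */
typedef struct {
    uint64_t size;    /* whole chunk, header included */
    unsigned hdr_len; /* 8, or 16 when the extended length is used */
    char atom[5];     /* FourCC as a C string */
} mp4_hdr;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Read the chunk header at buf[off]. Returns 0 on success, -1 when the
 * header is truncated or the declared length does not fit in the file. */
int mp4_read_header(const uint8_t *buf, size_t len, size_t off, mp4_hdr *h) {
    if (off > len || len - off < 8) return -1;
    h->size = be32(buf + off);
    memcpy(h->atom, buf + off + 4, 4);
    h->atom[4] = '\0';
    h->hdr_len = 8;
    if (h->size == 1) {                 /* extended 64-bit length */
        if (len - off < 16) return -1;
        h->size = ((uint64_t)be32(buf + off + 8) << 32) | be32(buf + off + 12);
        h->hdr_len = 16;
    } else if (h->size == 0) {          /* chunk extends to end of file */
        h->size = len - off;
    }
    if (h->size < h->hdr_len || h->size > len - off) return -1;
    return 0;
}

/* Running total of chunk data appended to one buffer (uint32_t mirrors size_t on
 * 32-bit ARM). Unchecked, the sum wraps silently and the buffer allocated from
 * it is far smaller than the data later copied into it. */
uint32_t accumulate_unchecked(uint32_t total, uint32_t chunk_size) {
    return total + chunk_size;
}
/* Hardened form: refuse any chunk whose size would wrap the running total. */
int accumulate_checked(uint32_t *total, uint32_t chunk_size) {
    if (chunk_size > UINT32_MAX - *total) return -1;
    *total += chunk_size;
    return 0;
}
/* Constructed sample: a 16-byte 'ftyp' chunk (length 16, brand "isom"). */
static const uint8_t sample_mp4[16] = {0,0,0,16,'f','t','y','p','i','s','o','m',0,0,2,0};
```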

Page 8: Stagefright (1)

CVE-2015-1538

It is a Python exploit that triggers the integer overflow to cause a heap overflow. The Python exploit generates a malicious MP4 file whose chunk sizes make the media player crash and restart again as root. The MP4 payload also contains the attacker's IP address and the port on which it listens for the reverse TCP connection.

Define arguments so that the host for the back connection and the port number can be set. These are used to establish a reverse_tcp connection from the victim's phone to the attacker machine.

This exploit can also be found on Joshua's GitHub.

Page 9: Stagefright (1)

Attacker's machine: we have used Kali Linux as the attacker machine, due to its flexibility in using Metasploit to manage the reverse TCP connection from the victim's phone.

DEVICES USED

Victim phone: we have used one emulated Android device on VirtualBox and one real Android device, so two devices were used as victims.

a) Emulated Android device on VirtualBox: Android 4.3
b) Real Android phone (not updated to 5.1)

Page 10: Stagefright (1)

We have used the Stagefright Detector app on our device to see whether it is vulnerable to CVE-2015-1538, and the app shows that it is vulnerable.

Page 11: Stagefright (1)

So, how to leverage the exploit for CVE-2015-1538 to generate the MP4 file:

- Set up the attacker machine
- Generate the malicious MP4 file
- Start a listener (reverse_tcp) on the attacker machine
- Send the file using the attack vectors
- Keep playing after the attacker has got the connection

STEP 1 - Set up the attacker machine: check the IP address of the attacker machine. We have used Kali Linux as the attacker machine to compromise the victim Android phone.

THE ACTUAL ATTACK

Kali Linux: 192.168.1.245 | Port to listen on: 4444

STEP 2 - Generate the malicious MP4 file: the generated MP4 file, funny.mp4, can be seen in the screenshot below.

Page 12: Stagefright (1)

STEP 3 - Start a listener on the attacker machine: there are many alternatives, be it netcat or Metasploit. In this project we have used Metasploit to listen for the reverse TCP connection and perform numerous operations. Metasploit gives a lot more functionality than other utilities: we can get a Meterpreter session and perform numerous tasks, from accessing cameras and the mic to getting shell access, listing processes, etc.

Let's choose the exploit we are going to use. Here we are just using the handler, which can receive a connection back from the victim phone.

Set up a reverse_tcp payload to receive the back connection. Now the configuration needs to be defined, such as LHOST and LPORT (the attacker's IP and the port to listen on).

After the configuration is set, we trigger the listener with the exploit keyword. Once triggered, it waits for any back connection coming from the victim phone to the attacker machine on port 4444, which we configured in the malicious MP4 file.

Page 13: Stagefright (1)

STEP 4 - Send the file to the victim using one of numerous attack vectors. In general, the number of attack vectors is more than 11:

- MMS: the most dangerous, since the media file is auto-downloaded to the victim's phone and parsed, so the victim phone is compromised without the victim knowing it.
- Web browser: the attacker can embed the malicious MP4 file in a web link and send it to the victim. If the user clicks on the link, the reverse TCP connection is established.
- Browser auto-download: if the browser can auto-download a media file, the victim's phone can be compromised.
- Email: sending the malicious MP4 file as an email attachment to the victim.
- Social networks: chat clients such as Hangouts, WhatsApp and Facebook Messenger can be used to send the link; if auto-download is enabled, the victim's phone is compromised.
- SD card: if the attacker has physical access to the victim's SD card, the MP4 file can be loaded onto it; when mounted, it compromises the victim's phone.

There are many such possibilities to deliver the MP4 file to the victim. The vulnerable code that parses the MP4 file is invoked many times in the Android system, whenever a thumbnail is rendered or metadata is needed: rotating the screen, launching the Messaging app, opening Gallery, sharing the malicious MP4/media, and many more. In this project we have used email as the attack vector. For the victim device we have used a virtual Android

Page 14: Stagefright (1)

The mediaserver crashes when playing the video and restarts as root. This sends a back connection to our attacker machine, which is waiting for a connection. STEP 5 - Keep playing after the attacker has got the connection: after the victim has received the MP4 file and has either downloaded or auto-downloaded it, our Metasploit gets a back connection and opens a Meterpreter session.

Page 15: Stagefright (1)

A Meterpreter session has been opened; we can check whatever processes are running on the victim's phone. The command used is ps.

Let's check the IP address and interface details of our victim phone.

Page 16: Stagefright (1)

Let's see if we can pull the system info of our victim's phone. The sysinfo command in Meterpreter provides the system details.

An attacker can also get shell access to the victim's phone:

An attacker can check folders and files on the Android filesystem with the ls command in the shell.

Check if the device is rooted.

An attacker can also dump contacts from the victim's phone.

Page 17: Stagefright (1)

Let's look into the contacts dump file.

An attacker can also control the camera. webcam_list gives the list of cameras available on the device. On our emulated device, only the back camera is configured, with no actual hardware. Let's take a picture from the emulated Android's camera.

Page 18: Stagefright (1)

- Update the device: update your device to the latest released update. If the update is not available for a specific device, install an Android OS like CyanogenMod.

- Turn off auto-download: a partial mitigation is to turn off auto-download of media files in all file sharing apps, social media apps, MMS, and the browser. This only protects against the media file executing the remote code automatically; there is still a chance that the user clicks on the video or downloads the MP4 file. Hangouts: disable auto-download of messages:

- Open Hangouts, navigate to the top left corner and click on Options.

- Tap Settings -> SMS. In General, if you have Hangouts SMS enabled, then under Advanced uncheck Auto Retrieve MMS.

MITIGATION

Page 19: Stagefright (1)

Mamoon Ismail Khalid Computer Science Graduate Student

New York University

Parul Sharma, Cybersecurity Graduate Student

New York University

Sahir Riyaz Khan Cybersecurity Graduate Student

New York University

AUTHORS