Zimperium is releasing its working Stagefright exploit code, which proves that the Stagefright vulnerability can allow Remote Code Execution without user interaction.
Zimperium said that it is publishing the code so that administrators and penetration testers may validate the effectiveness of the Android community’s response—and that it has already postponed the release of the exploit twice at the behest of carriers and device manufacturers. Its interest now, it said, is in “waking the ecosystem and forcing it to realize updates must distribute more timely.”
As we originally reported, Stagefright allows hackers to gain complete control over an Android device simply by sending a specially crafted media file to the target; the recipient does not even have to open the file for it to give attackers a foothold.
Hackers can deliver the payload over MMS, or a device can be infected by a malicious video that auto-plays when the user opens a website. Once such a video has played, attackers can bypass Chrome’s setting that disables auto-play videos and gain complete control of the device. Malicious apps or MP4 files can also be built to exploit the vulnerability; once they are downloaded and opened, attackers can take over.
“Google released new versions of Hangouts and Messenger to block automatic processing of multimedia files arriving via MMS,” the company said in a blog post. “We’ve tested these updated versions and are happy to confirm they prevent unassisted remote exploitation. However, this attack vector constituted only the worst of more than 10 different ways potentially malicious media is processed by the Stagefright library. With these other vectors still present, the importance of fixing issues within the code base remains very high.”
During June and July, Zimperium zLabs’ vice president of platform research and exploitation, Joshua Drake, developed a working exploit to show that the Stagefright vulnerability can allow Remote Code Execution (RCE) without user interaction. It uses a Python script that generates an MP4 exploiting one of the most critical vulnerabilities Zimperium reported in the Stagefright library. The expected result of the exploit is a reverse shell as the media user. As detailed in Joshua Drake’s Black Hat and DEF CON presentations, this user is also a member of quite a few groups, such as inet, audio, camera, and mediadrm. These group memberships allow an attacker to take pictures or listen to the microphone remotely without exploiting additional vulnerabilities.
Industry response is likely to be passionate. It should be noted that the code is not a generic exploit: Zimperium has tested it only on the Galaxy Nexus running Android 4.0.4, which contains only a partial implementation of ASLR.