by RSS Axelle Apvrille  |  Aug 14, 2015  |  Filed in: Security Research

You've heard about StageFright, right? Where a malicious MMS compromises an Android handset by exploiting vulnerabilities on the phone's mediaserver.

Are you aware that StageFright is not an MMS issue, but an issue with anything that will try to open a malicious MP4? If not, you are now, and I hope I am about to convince you even more thouroughly below...

Telegram

Yes, for instance, StageFright occurs with Telegram. The only (fortunate) difference is that Telegram does not preview the MP4, so it will only crash if you open the video (manual intervention). This is still serious, because an attacker could be tricking you to open the malicious video and get a remote shell on your phone...

Figure 1. I just received the malicious video (PoC) inside the Telegram app

First, you receive the malicious video (Figure 1) on your Telegram account. Clicking on it will trigger StageFright: we get the crash log below (because this PoC does not exploit the vulnerability - it just crashes), while the phone merely complains it cannot play the video (Figure 2).

Figure 2. You get an error when you try to open the video. In reality, you are now compromised!

 

F/libc    (21899): @@@ ABORTING: LIBC: ARGUMENT IS INVALID HEAP ADDRESS IN dlfree addr=0x2a057638
F/libc    (21899): Fatal signal 11 (SIGSEGV) at 0xdeadbaad (code=1), thread 21905 (Binder_1)
I/DEBUG   ( 1198): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG   ( 1198): Build fingerprint: 'motorola/mb526_umts/mb526:4.2.2/JDQ39E/20130709:user/release-keys'
I/DEBUG   ( 1198): Revision: '0'
I/DEBUG   ( 1198): pid: 21899, tid: 21905, name: UNKNOWN  >>> /system/bin/mediaserver <<<
I/DEBUG   ( 1198): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr deadbaad
I/DEBUG   ( 1198):     r0 00000055  r1 40f36858  r2 00000003  r3 deadbaad
I/DEBUG   ( 1198):     r4 400b9228  r5 2a057638  r6 40f36880  r7 400ac802
I/DEBUG   ( 1198):     r8 2a057640  r9 6d6f6f76  sl ffffffff  fp 000002ff
I/DEBUG   ( 1198):     ip 00000000  sp 40f36880  lr 40098c29  pc 4007cfe8  cpsr 00070070
I/DEBUG   ( 1198):     d0  67756265643a6467  d1  0000000000000065
I/DEBUG   ( 1198):     d2  0000000000000072  d3  0000000000000064
I/DEBUG   ( 1198):     d4  006f006900640075  d5  3ff0000000000000

WhatsApp

Similarly, StageFright can be triggered on WhatsApp too. It is just slightly more complicated, because by default WhatsApp lets you send only live video (it opens your camera, captures the video and sends it). It does not let you send a MP4 file (or does it? there is a media search menu but it couldn't find the malicious video on my SD card, but to be honest, I don't use WhatsApp - except for blog posts) wink. So, I resorted to using a WhatsApp add-on called WFS (WhatsApp File Sender) which hides the MP4 file in some audio stream. I sent the malicious MP4 that way, recovered the MP4 using WFS (Figure 3), and clicked on the video... crash logs at Figure 4!

Figure 3. Opening the malicious MP4 sent via WhatsApp

Figure 4. When reading the StageFright PoC sent through WhatsApp, the mediaserver crashes (as expected)

So, although both cases require manual intervention, I hope you are now convinced anything that reads a StageFright video can potentially compromise your phone.

-- the Crypto Girl

 


 

by RSS Axelle Apvrille  |  Aug 14, 2015  |  Filed in: Security Research