Stagefright (bug)

Stagefright
CVE identifier(s): CVE-2015-1538, CVE-2015-1539, CVE-2015-3824, CVE-2015-3826, CVE-2015-3827, CVE-2015-3828, CVE-2015-3829, CVE-2015-3864 (Stagefright 1.0); CVE-2015-6602 (Stagefright 2.0)
Date discovered: 27 July 2015
Date patched: 3 August 2015
Discoverer: Joshua Drake (Zimperium)
Affected software: Android 2.2 "Froyo" and later (Stagefright 1.0); Android 1.5 "Cupcake" to Android 5.1 "Lollipop" (Stagefright 2.0)

Stagefright is the name given to a group of software bugs that affect versions 2.2 "Froyo" through 5.1.1 "Lollipop"[1] of the Android operating system, exposing an estimated 950 million devices (95% of all Android devices) at the time.[1] The name is taken from the affected library, which, among other things, is used to unpack MMS messages.[2] Exploitation of the bug allows an attacker to perform arbitrary operations on the victim's device through remote code execution and privilege escalation.[3] Security researchers demonstrated the bugs with a proof of concept that sends specially crafted MMS messages to the victim device; in most cases it requires no end-user action upon message reception to succeed—the user doesn't have to do anything to 'accept' exploits using the bug, because the vulnerable processing happens in the background. A phone number is the only information needed to carry out the attack.[4][5][6][1]

The underlying attack vector exploits certain integer overflow vulnerabilities in the Android core component called libstagefright,[7][8][9] which is a complex software library implemented primarily in C++ as part of the Android Open Source Project (AOSP) and used as a backend engine for playing various multimedia formats such as MP4 files.[1][10]
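The integer-overflow class described above arises when a size read from a media file is added to an offset without checking whether the sum wraps. As an added illustration (not code from the page or from AOSP's libstagefright), the following C routine walks ISO BMFF/MP4 boxes and rejects any size field that is inconsistent with the remaining input; the sample byte arrays are constructed, not real files.

```c
/* Added example: hardened walk over MP4 boxes (4-byte big-endian size,
 * 4-byte type, optional 8-byte "largesize"). Each size is validated
 * against the bytes that remain, so no offset + size sum can wrap. */
#include <stddef.h>
#include <stdint.h>

/* Returns the number of well-formed boxes, or -1 if any size field is
 * truncated, smaller than its own header, or larger than the input. */
int count_mp4_boxes(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int boxes = 0;
    while (off < len) {
        if (len - off < 8)                 /* truncated box header */
            return -1;
        uint64_t size = ((uint64_t)buf[off] << 24) | ((uint64_t)buf[off + 1] << 16) |
                        ((uint64_t)buf[off + 2] << 8) | buf[off + 3];
        size_t hdr = 8;
        if (size == 1) {                   /* 64-bit largesize follows the type */
            if (len - off < 16)
                return -1;
            size = 0;
            for (int i = 0; i < 8; i++)
                size = (size << 8) | buf[off + 8 + i];
            hdr = 16;
        } else if (size == 0) {            /* box extends to end of input */
            size = len - off;
        }
        if (size < hdr)                    /* header cannot fit in its own box */
            return -1;
        /* Compare against the remaining length instead of computing
         * off + size: the unchecked addition is where a wrap would occur. */
        if (size > (uint64_t)(len - off))
            return -1;
        off += (size_t)size;
        boxes++;
    }
    return boxes;
}

/* Constructed sample inputs (not real media files). */
static const uint8_t GOOD_MP4[] = {
    0,0,0,16, 'f','t','y','p', 'i','s','o','m', 0,0,0,0,
    0,0,0,8,  'f','r','e','e' };
static const uint8_t BAD_MP4[] = {         /* size near UINT32_MAX: would wrap if added to an offset */
    0,0,0,8,  'f','r','e','e',
    0xFF,0xFF,0xFF,0xF8, 'm','o','o','v' };

int good_boxes(void) { return count_mp4_boxes(GOOD_MP4, sizeof GOOD_MP4); }
int bad_boxes(void)  { return count_mp4_boxes(BAD_MP4, sizeof BAD_MP4); }
```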

The discovered bugs have been assigned multiple Common Vulnerabilities and Exposures (CVE) identifiers, CVE-2015-1538, CVE-2015-1539, CVE-2015-3824, CVE-2015-3826, CVE-2015-3827, CVE-2015-3828, CVE-2015-3829 and CVE-2015-3864 (the last of which was assigned separately from the others), which are collectively referred to as the Stagefright bug.[11][12][13]

Exploiting the vulnerability does not specifically require an MMS message[14] (MMS was merely one example of using the vulnerability for remote code execution); any processing of the specially crafted media by the vulnerable component is enough. Most applications that handle media files rely on the platform's codecs rather than bundling their own pure-software codecs (bundling increases an app's size and imposes additional unjustified costs on its developer, and pure-software codecs are slow and not energy-efficient), so the vulnerable component can be reached through media players and galleries, web browsers (which can lead to drive-by compromise) and file managers that show thumbnails (which can be used to achieve persistence).

  1. "Experts Found a Unicorn in the Heart of Android". zimperium.com. July 27, 2015. Retrieved July 28, 2015.
  2. "Stagefright: Everything you need to know about Google's Android megabug".
  3. "How to Protect from StageFright Vulnerability". zimperium.com. July 30, 2015. Retrieved July 31, 2015.
  4. Rundle, Michael (July 27, 2015). "'Stagefright' Android bug is the 'worst ever discovered'". Wired. Retrieved July 28, 2015.
  5. Vaughan-Nichols, Steven J. (July 27, 2015). "Stagefright: Just how scary is it for Android users?". ZDNet. Retrieved July 28, 2015.
  6. Hern, Alex (July 28, 2015). "Stagefright: new Android vulnerability dubbed 'heartbleed for mobile'". The Guardian. Retrieved July 29, 2015.
  7. Wassermann, Garret (July 29, 2015). "Vulnerability Note VU#924951 – Android Stagefright contains multiple vulnerabilities". CERT. Retrieved July 31, 2015.
  8. "Android Interfaces: Media". source.android.com. May 8, 2015. Retrieved July 28, 2015.
  9. "platform/frameworks/av: media/libstagefright". android.googlesource.com. July 28, 2015. Retrieved July 31, 2015.
  10. Kumar, Mohit (July 27, 2015). "Simple Text Message to Hack Any Android Phone Remotely". thehackernews.com. Retrieved July 28, 2015.
  11. Hackett, Robert (July 28, 2015). "Stagefright: Everything you need to know about Google's Android megabug". Fortune. Retrieved July 29, 2015.
  12. "Stagefright: Vulnerability Details, Stagefright Detector tool released". zimperium.com. August 5, 2015. Retrieved August 25, 2015.
  13. Gruskovnjak, Jordan; Portnoy, Aaron (August 13, 2015). "Stagefright: Mission Accomplished?". exodusintel.com. Retrieved October 8, 2015.
  14. "Stagefright Detector - Apps on Google Play".