When the Stagefright vulnerability in Android was first announced on July 27, no proof-of-concept code was publicly released.
Several weeks later, on Aug. 5, Zimperium zLabs Vice President of Platform Research and Exploitation Joshua Drake discussed the Stagefright flaw at the Black Hat USA conference, but still no exploit code was publicly released. That has changed, and the first proof-of-concept exploit code for Stagefright is now publicly accessible.
Stagefright is a vulnerability in the Android Stagefright media library, which is used to process content, including Multimedia Messaging Service (MMS) content. The Stagefright media library is found in Android versions 2.2 and higher, and when Drake first discovered the flaw, hundreds of millions of users were at risk.
Google has since issued patches for the flaws Drake discovered, though new Stagefright flaws, including CVE-3864, which Exodus Intelligence disclosed after the patch, are still a concern.
Zimperium first shared the exploit it released today with approximately 30 device vendors and carriers, Drake said. “Vendors that took measures to protect themselves are not at risk; most devices, however, still are,” he told eWEEK.
It’s not entirely clear how many users today are still at risk from Stagefright. Zimperium has released a Stagefright detector mobile app, which alerts users if they are at risk. Drake noted that data collected from Zimperium’s Stagefright Detector app is in the process of being analyzed. Zimperium is planning a blog post for a later date on what the company has been able to see from the data.
The actual proof-of-concept exploit code that Drake publicly released today is written in the Python programming language, though it isn’t quite a point-and-click weaponized exploit.
“Using this exploit still requires some technical expertise, but obviously it is not as hard as building it in the first place,” Drake said. “In addition, we added a ‘newbie trap’ for the less technically inclined folks out there.”
Drake did not elaborate on what that “newbie trap” might be. Additionally, the proof-of-concept code was designed to run against a Samsung Galaxy Nexus device running Android 4.0.4.
“We chose this device specifically because of the partial implementation of ASLR [address space layout randomization],” Drake said. “Our line of thinking was that removing variables from the equation would remove some complexity and help us develop the exploit more quickly.”
Released in 2011, Android 4.0.4 is an old version of the operating system. Since Black Hat, Zimperium has been working on an exploit that targets the Nexus 6 running Android 5.1, but the company is not ready to share the details of the Android 5.1 proof-of-concept exploit at this time, Drake said.
ASLR is a technology that Google has claimed will help to mitigate the Stagefright flaw, which Drake admits is partly true. “However, since media server automatically restarts, it is possible to use brute-force tactics to bypass ASLR,” Drake said. “We have confirmed this is possible both via MMS and through the browser.”
ASLR has been bypassed in many exploits in the past, according to Drake. ASLR bypass usually involves a memory disclosure vulnerability or automatic respawning of a process.
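The respawn behavior Drake describes has a defensive corollary: brute-forcing ASLR through a restarting process leaves a trail of repeated mediaserver crashes in short succession. The script below is an added example, not code from the article or from Zimperium; it scans constructed logcat lines (formats vary by Android version, so the regexes are assumptions) and flags bursts of mediaserver fatal signals that a single bad file would not produce.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logcat output (not from the article). Four crashes of
# freshly respawned mediaserver PIDs inside a few seconds, one isolated crash
# later, plus two unrelated lines that the detector must ignore.
SAMPLE_LOG = """\
08-05 12:00:01.100  1234  1234 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0x4, in tid 1234 (mediaserver)
08-05 12:00:01.900     1     1 I init    : Service 'media' (pid 1234) killed by signal 11
08-05 12:00:02.300  1301  1301 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0x1c, in tid 1301 (mediaserver)
08-05 12:00:03.100  1350  1350 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0x28, in tid 1350 (mediaserver)
08-05 12:00:03.500   100   100 I ServiceManager: service 'media.player' died
08-05 12:00:04.000  1402  1402 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0x40, in tid 1402 (mediaserver)
08-05 12:15:00.000  1500  1500 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0x0, in tid 1500 (mediaserver)
"""

# Assumed logcat "threadtime" layout: date time PID TID level tag : message
LINE_RE = re.compile(r"^(\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+(\d+)\s+\d+\s+[A-Z]\s+(\S+)\s*:\s*(.*)$")
# Bionic's fatal-signal report naming the crashing thread (assumed wording)
CRASH_RE = re.compile(r"Fatal signal \d+ \(SIG\w+\).*\(mediaserver\)")


def mediaserver_crashes(log_text, year=2015):
    """Return a list of (timestamp, pid) for each mediaserver fatal signal.
    logcat omits the year, so one is assumed to build a datetime."""
    crashes = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and CRASH_RE.search(m.group(4)):
            ts = datetime.strptime(f"{year}-{m.group(1)}", "%Y-%m-%d %H:%M:%S.%f")
            crashes.append((ts, int(m.group(2))))
    return crashes


def find_crash_bursts(crashes, threshold=3, window_s=60):
    """Sliding window over crash times: a burst is >= threshold crashes that
    all fall within window_s seconds of the first one. Returns a list of
    (first_time, last_time, count, distinct_pids); distinct PIDs confirm the
    process was respawned between crashes rather than hanging."""
    crashes = sorted(crashes)
    bursts, i = [], 0
    while i < len(crashes):
        j = i
        while j + 1 < len(crashes) and crashes[j + 1][0] - crashes[i][0] <= timedelta(seconds=window_s):
            j += 1
        if j - i + 1 >= threshold:
            pids = {pid for _, pid in crashes[i:j + 1]}
            bursts.append((crashes[i][0], crashes[j][0], j - i + 1, len(pids)))
            i = j + 1
        else:
            i += 1
    return bursts
```

Run against real devices, the same logic can be fed from `adb logcat -v threadtime` and tuned so that a single corrupt media file (one crash, one PID) stays below the threshold while rapid respawn loops are surfaced.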
While Zimperium and Drake, in particular, have gained a significant amount of notoriety thanks to Stagefright, there is still more mobile research to be done and more discoveries to be announced.
“As a mobile threat protection company, we are constantly looking for holes in mobile operating systems to ensure our customers’ safety from advanced mobile attacks,” Drake said. “Unfortunately, at this point, we cannot share additional details but expect new things soon.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.