
Stagefright vulnerability (disable MMS auto-download)

Whether or not you open the message isn't relevant here. The system processes the image regardless, thus the vulnerability. Turning off auto fetch for MMS is the only protection until a fix comes.
When you say not relevant...not clear I understand what is meant by that.

Let's say you have auto fetch disabled. MMS comes in, no thumbnail created. So far so good.

But if you then open the message and try to view the video, the video will be downloaded and media scanner will create a thumbnail and expose you to the attack, won't it?

Just asking for clarification.
 
Upvote 0
When you say not relevant...not clear I understand what is meant by that.

Let's say you have auto fetch disabled. MMS comes in, no thumbnail created. So far so good.

But if you then open the message and try to view the video, the video will be downloaded and media scanner will create a thumbnail and expose you to the attack, won't it?

Just asking for clarification.
In Hangouts, the thumbnail is going to get created no matter what.

In chompSMS and Textra, no thumbnail is created even when you view a video. (Please verify with your own test.)

However - don't autosave media to the Gallery with chompSMS or Textra, or you're going to get a thumbnail.

The thumbnail creation is where the exploit can occur from what's been published so far by the security firm.

And all assumes that will go from potential threat to actual threat.
 
Upvote 0
In Hangouts, the thumbnail is going to get created no matter what.

I'm not seeing that. With Auto download unchecked, I get a notification of a new MMS with no thumbnail, and even if I tap on the message to download I get an additional prompt to download before anything happens.
 
Upvote 0
I'm not seeing that. With Auto download unchecked, I get a notification of a new MMS with no thumbnail, and even if I tap on the message to download I get an additional prompt to download before anything happens.
That's what I get for listening to others, I stopped using Hangouts for SMS a few months back.
 
Upvote 0
If my memory serves me, it seems you can save your attachment using a file manager as "default viewing app" for images and then tell the file manager (something like Root Explorer) to not generate thumbnail previews, in effect nullifying the thumbnail exploit potentially. But I can't be 100% positive it would yield results as intended. In effect the file manager becomes your attachment viewer and not any stock app that would generate the preview thumbnails causing the exploit to be triggered... see screenshot of Root Explorer.
 

Attachments: Screenshot_2015-08-03-13-45-36.png
Upvote 0
Saw that too - very exciting for an OEM to make a commitment like that!
I'm very meh about it.

Makes two bad assumptions -

- US carriers will go along with it

- Perpetuates the idea that monolithic updates from makers are correct

If we learned anything about the WebView scare, it's that the Play Store is the right way to get rapid OS components out where security is concerned, not monolithic updates.

The other reasons I'm meh about it are -

- The fine print on the Samsung statement says that only selected recent devices apply

- We still don't know the actual scope of the problem or the likelihood (susceptibility) of people being actually affected.

Try this test right now - try to send yourself a video MMS of your own making - and note the size limitation from your carrier as you keep cutting down the video size.

Most if not all of you will be limited to 2 MB or less for the file size.

And within that practical limit, a root level exploit has to be packed, then the payload has to be packed - and I'm *very* skeptical that you can jam the life-threatening phone killer with all of the threat features into such a small space.

Which leads me back to a really simple observation - read the original security report again, not a news blog derivative - they came out and said that they proved it with Hangouts - read: no MMS limit - and that it applied to everything else because of the location of the exploit.

But no one has proven that it can be vectored over a carrier-based, normal MMS.

Nor has anyone explained to me why this can't be addressed for everyone with a security scanner packed in to the front end of any texting app.

It's easy to get convinced that software engineering has to be done a certain way once the blogosphere and marketing get involved - but they're not software engineers.

And the truth about software solutions isn't something that we can just believe and vote on based on how Apple, Microsoft, or Linux does updates.

I do know that a great many software engineers are familiar with this quote and subscribe to it -

J.R.R. Tolkien — 'Do not meddle in the affairs of wizards, for they are subtle and quick to anger.'

Perhaps you've heard it before.
 
Upvote 0
And just to show that software solutions don't always agree with marketing -

According to the explanation, people need a new Stagefright library.

And according to the conventional wisdom, you can only update core libraries via root or a manufacturer update.

Except, speaking as a very seasoned software engineer, tell me why this wouldn't work, after all, the defect can do anything at the root level without your permission -

Imagine a Google portal where you input your phone number or your Hangouts id.

You go there, make the entry, and Google sends you a video MMS that when you play it says -

Congratulations, we've just installed a new Stagefright library on your phone, you are no longer vulnerable to the famous exploit you've seen in the news.

-----------

No one ever said that the payload had to be malicious.

The payload could be the fixer.

Now imagine marketing being ok with that.

And tell me again that there's only one way to skin this cat.

But you'll have to tell me very carefully before I believe it.
 
Upvote 0
Nor has anyone explained to me why this can't be addressed for everyone with a security scanner packed in to the front end of any texting app.

^^^that

I'm far from the smartest person here at AF when we get into things like this, but I'm also not stupid. Seems to me that there is a lot of this exploit exposed at the point of entry, and that can easily be taken care of via Play updates, removing manufacturers and carriers. Whatever the exploit is, the messaging app can simply not execute the exploit code; say, build a better challenge response at the gate. Don't let the Trojan Horse into Troy. It doesn't address the fact that the guards inside the walls of Troy are drunk off their ass, but they can't be taken advantage of while the horse is sitting outside the wall.
 
Upvote 0
Adding more information/misinformation/confusion to the fire, Google is apparently saying that ASLR already protects devices on Android 4.0+:
Google addressed stagefright specifically, with lead engineer for Android security Adrian Ludwig stating to NPR that "currently, 90 percent of Android devices have a technology called ASLR enabled, which protects users from the issue."

This is very much at odds with the "900 million Android devices are vulnerable" line we have heard. While we aren't going to get into the midst of a war of words and pedantry over the numbers, what Ludwig was saying is that devices running Android 4.0 or higher have protection against a buffer overflow attack built in.

ASLR (Address Space Layout Randomization) is a method that keeps an attacker from reliably finding the function he or she wants to try and exploit by random arrangement of memory address spaces of a process. ASLR has been enabled in the default Linux Kernel since June 2005, and was added to Android with Version 4.0 (Ice Cream Sandwich).

How's that for a mouthful?

What it means is that the key areas of a program or service that's running aren't put into the same place in RAM every time. Putting things into memory at random means any attacker has to guess where to look for the data they want to exploit.

This isn't a perfect fix, and while a general protection mechanism is good, we still need direct patches against known exploits when they arise. Google, Samsung (1), (2) and Alcatel have announced a direct patch for stagefright, and Sony, HTC and LG say they will be releasing update patches in August.

I'm not quite savvy enough to know for sure if that's legit or not, but that's okay, because Zimperium has released a "Stagefright Detector" app to let me know whether or not I'm "infected":
Stagefright has made every Android owner just a little more nervous about using their smartphone. While right now you’re very unlikely to be infected with Stagefright that doesn’t mean it can’t happen in the future while you wait for a patch. In the meantime you may want to test your Android mobile to see if you are infected with Stagefright or if your device is vulnerable to the bug. Zimperium Mobile Security has just pushed out their new application to assist users trying to find out if they’re infected or vulnerable. The app is called, Stagefright Detector.

Stagefright is a critical Android vulnerability. It allows hackers to get system or media privileges of your device when your device is processing an MMS, without need of any end-user action. To make matters worse, MMS can delete itself before you open it. With such potential, Stagefright can wreak havoc on carriers and enterprises using Android devices for business.

Zimperium zLabs expert and VP of Platform Research and Exploitation, Joshua Drake (@jduck) discovered this vulnerability and also provided patches to Google to secure Android. We also provided these patches to carriers and vendors through Zimperium Handset Alliance. While the patches have been applied, it may be years until they reach all devices.

In order to test if your device is vulnerable, Zimperium built the ‘Stagefright Scanner’ app. This app will tell you two major things:

– whether your device is vulnerable

– whether you need to update your mobile Operating System
You can pick up the Stagefright Detector from Google Play.

Of course, some Nexus users who have installed Google's Stagefright-fixing LMY48I OTA/image say that the app still says they're vulnerable.... I'm sure that's because Google half-assed the fix rather than a mobile security vendor trying to get you to install their app.
 
Upvote 0
Lol @codesplice, you're killing me. :D

A number of checkers have sprung up - Play Store search Stagefright - and one root fixer that turns off Stagefright access in the build.prop file (that could cause your phone to not really work right).

Here's the CERT write-up, a little self-serving in the references (Ars Technica writes about the blog so it's a valid source - really??) -

http://www.kb.cert.org/vuls/id/924951

It's almost exactly as I guessed - it's an INTEGER overflow and underflow problem calculating memory use - and if you understand the C programming language you can see the specific patches in the above link.

Today's software money quote from the CERT entry -

"According to patches (see patch one, two, three), the vulnerabilities appear to be multiple integer overflows and underflows, and improper integer overflow checks. Since integer overflow is a type of memory error, Address Space Layout Randomization (ASLR) appears to partially mitigate this issue; Forbes reports that Android before 4.1 (Jelly Bean) have "inadequate exploit mitigations." ASLR was introduced in Android 4.0 and fully enabled in Android 4.1."

Now - let's study the Forbes reference -

http://www.forbes.com/sites/thomasbrewster/2015/07/27/android-text-attacks/

Wait for it...

That report stating that ASLR was not enough simply repeated what Joshua Drake, from Zimperium zLabs said - and was already told last week.



Lack of ASLR coverage extends to less than 5 or 10% of Androids in use according to GSM Arena two days ago.

http://www.gsmarena.com/nearly_onefifth_of_active_android_devices_now_run_lollipop-news-13377.php

Google seems to agree that the ASLR feature makes building the exploit far more difficult.
 
Upvote 0
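As an added illustration of the bug class the CERT quote above names (integer overflow and underflow while calculating memory use), here is a constructed size computation from untrusted 32-bit header fields that wraps, beside the overflow- and underflow-checked form. This is example code written for this page, not code from the thread or from the Stagefright patches; the field names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Unchecked: chunk_count * entry_size + header_len is evaluated in 32-bit
 * arithmetic, so a huge count taken from an untrusted file wraps to a small
 * number. The allocation is then far smaller than the data later copied
 * into it. (Constructed example of the bug class, not the real parser.) */
uint32_t unchecked_alloc_size(uint32_t chunk_count, uint32_t entry_size,
                              uint32_t header_len)
{
    return chunk_count * entry_size + header_len;
}

/* Checked: refuse any input whose product or sum would wrap. Returns false
 * on overflow, true and the exact size otherwise. */
bool checked_alloc_size(uint32_t chunk_count, uint32_t entry_size,
                        uint32_t header_len, uint32_t *out)
{
    uint32_t product;

    if (entry_size != 0 && chunk_count > UINT32_MAX / entry_size)
        return false;                   /* multiplication would overflow */
    product = chunk_count * entry_size;
    if (product > UINT32_MAX - header_len)
        return false;                   /* addition would overflow */
    *out = product + header_len;
    return true;
}

/* Underflow case: "payload = avail - header_len" with avail < header_len
 * wraps to a huge value, so a later "payload >= needed" check passes.
 * Compare before subtracting instead. */
bool checked_payload_len(uint32_t avail, uint32_t header_len, uint32_t *out)
{
    if (avail < header_len)
        return false;                   /* header alone does not fit */
    *out = avail - header_len;
    return true;
}
```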
But wait, there's more from zLabs, hot off the presses today -

https://blog.zimperium.com/stagefright-vulnerability-details-stagefright-detector-tool-released/

Great read if you're into tech details.

Btw, new demo from Drake -


Ummm... OK.

And as I've bagged on Ars Technica again, how about we go back and look closely at what zLabs told them. After all, they thought it was important enough to enter into the CERT -

"Still, Drake warned that successful exploits at the very least provide direct access to a phone's audio and camera feeds and to the external storage. Worse still, many older phones grant elevated system privileges to Stagefright code, a design that could allow attackers access to many more device resources.

"The attacker would have remote arbitrary code execution and thus escaping the sandbox is only a small step away," Drake said. He said existing root exploits, including those known PingPongRoot, Towelroot, and put_user, would likely help an attacker break free of the sandbox and gain much wider control over a vulnerable device."

So - break it down -

- Do all devices have the potential to get to higher privileges and more hardware resources? No. Only the older ones. Betcha that ties directly to the ASLR thing.

- Hmm, it says something like Towelroot could be put to work...

First for the rooters - tell me exactly how something like Towelroot is going to execute in the face of SuperSU and not be trapped? I'm not exactly sure, but I questioned earlier in this thread if that were even possible - because I don't believe it.

For the non-rooters - remember what I said yesterday about the size of the message and probable carrier limitations?

Towelroot is only 120 kB - PingPongRoot is 4 MB.

One of the examples given exceeds the available message size for a carrier-based MMS.
 
Upvote 0
Kapware is also listing the potentials to this, and are also giving predictions as "when, and if, maybe" your particular OS will ever see an upgrade.

I'm with Verizon, and the chance of me seeing an upgrade is just about zilch.
Yea VZW, never to our rescue...
if only, somewhere in their pea brain, they would quit messing with the Google code and leave it alone.

http://kapware.com/am-i-prone-to-stagefright-android-bug/
 
Upvote 0
Kapware claims that you can even get infected off of the web, while simultaneously pointing out that the exploit has yet to happen and that you're safe from that if you use the latest Firefox.

Ummmm... OK.

Yeah - don't download videos from the web.

What does that tell me that I actually already know?

That piracy - and yes, that includes media piracy - is the number one infection vector for Android - as well as being a real hoot to what it does to PCs.

And what happens when you leave the Firefox sandbox and watch your pirated videos on your normal gallery player?

You get what's coming to you. Sorry, but there it is.
 
Upvote 0
Yep, I'm a Firefox user but have NoScript working, Disconnect, and AdBlock, and at the PC level is AdFender.

Sometimes it is hard to get a webpage to even load... so, I just go on and think "I didn't need to see that one anyway."
Strange thing about all of the above defenses I have installed: my financial websites have not been affected in any way.
Credit Union, American Express, Chase Bank, Home Depot finance site, etc... they all work just fine.
 
Upvote 0
Here's what I find funny.. 99.9% of ppl didn't even know this exploit existed! Which means that NOW everyone DOES know about it and can try to make use of it. Kind of like the US televising in depth all the holes in national security and now "terrorists" know WHERE & HOW to hit the country. Like.. "Hey, over HERE!"
Bad idea in general for both examples, IMHO.
 
Upvote 0
