Google flubs patch for Stagefright security bug in 950 million Androids

Update flawed, new one needed for countless gadgets

Google's security update to fix the Stagefright vulnerability in millions of Android smartphones is buggy – and a new patch is needed.

The Stagefright flaw is named after a component within the Android operating system that, among other things, processes incoming text messages that contain video clips. By sending a vulnerable Android device a specially crafted multimedia message, it is possible to inject and execute malicious code on that gadget. It affects Android 2.2 to 5.1, so about 950 million devices. Version 4.1 and later have defenses to limit some of the damage that can be done.

If you're a Nexus owner, the Stagefright security update should already be installed on your Android device. However, of the six patches in the bundle, one needs more work – meaning, patched devices are still potentially vulnerable to attack via Stagefright.

Researchers at Exodus Intelligence spotted a mistake in this particular source-code tweak, and crafted an MP4 video file to prove the patched Android library is still vulnerable. The Stagefright library crashes when trying to open that data in a multimedia message, and the team say the programming blunder is exploitable.

Exodus warned Google about it on August 7, and today published code showing how it's done because "Google is still distributing the faulty patch to Android devices via over-the-air updates." The vulnerability has been assigned CVE-2015-3864.

"There has been an inordinate amount of attention drawn to the bug – we believe we are likely not the only ones to have noticed it is flawed. Others may have malicious intentions," Exodus warned in a blog post.

"Google employs a tremendously large security staff, so much so that many members dedicate time to audit other vendors' software and hold them accountable to provide a code fix within a deadline period. If Google cannot demonstrate the ability to successfully remedy a disclosed vulnerability affecting their own customers then what hope do the rest of us have?"

Where it went wrong

The problem lies in this code in the Stagefright library:

uint64_t chunk_size = ntohl(hdr[0]);   // 32-bit size field from the atom header
int32_t chunk_type = ntohl(hdr[1]);    // four-character atom type, e.g. 'tx3g'
off64_t data_offset = *offset + 8;
if (chunk_size == 1) {
   // A size field of 1 means the real size follows as a 64-bit value
   if (mDataSource->readAt(*offset + 8, &chunk_size, 8) < 8) {
      return ERROR_IO;
   }
   chunk_size = ntoh64(chunk_size);
}

The variable chunk_size is read from the video file's data, and if it is equal to 1, its value is replaced by a 64-bit value again loaded from the video data, entirely under the attacker's control. Later on, we reach this check, which the patch added to guard the allocation size + chunk_size. On the 32-bit Android builds that run on the vast majority of affected devices, SIZE_MAX is a 32-bit value, 0xFFFFFFFF.

if (SIZE_MAX - chunk_size <= size) {

Because chunk_size is a 64-bit unsigned integer, SIZE_MAX is promoted to 64 bits for the subtraction. If chunk_size is greater than SIZE_MAX, the subtraction wraps around to a huge unsigned value that is never less than or equal to size, so the check passes. The sum size + chunk_size is then truncated to a 32-bit size_t when the buffer is allocated, producing a buffer far smaller than the chunk_size bytes that are subsequently read into it, triggering a fault and a crash.
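To make the wrap concrete, here is an added example (not AOSP code, and not from Exodus) that models the arithmetic on a 32-bit Android build. size32_t and SIZE32_MAX stand in for size_t and SIZE_MAX so that the behaviour can be reproduced on a 64-bit host; the helper names, the 16-byte atom header and the "fixed" comparison are this example's own. It parses a constructed 'tx3g' header carrying a 64-bit size just above 4 GB, runs the flawed check from the patch and a corrected form of it, and shows what the truncated allocation size would be.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example: model the 32-bit Android build the article describes, where
 * size_t is 32 bits. These stand-ins are an assumption of this example so the
 * arithmetic can be reproduced on a 64-bit host. */
typedef uint32_t size32_t;
#define SIZE32_MAX UINT32_MAX

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static uint64_t be64(const uint8_t *p) {
    return ((uint64_t)be32(p) << 32) | be32(p + 4);
}

/* Mirror of the atom-header parse quoted above: a 32-bit size of 1 means the
 * real size follows as a 64-bit big-endian value. Returns 0 on success and -1
 * when the buffer is too short (the snippet's ERROR_IO path). */
int parse_chunk_header(const uint8_t *buf, size_t len, uint64_t *chunk_size,
                       uint32_t *chunk_type, uint64_t *data_offset) {
    if (len < 8) return -1;
    *chunk_size = be32(buf);
    *chunk_type = be32(buf + 4);
    *data_offset = 8;
    if (*chunk_size == 1) {
        if (len < 16) return -1;
        *chunk_size = be64(buf + 8);
        *data_offset += 8;
    }
    return 0;
}

/* The check as the flawed patch wrote it. SIZE32_MAX is promoted to uint64_t
 * for the subtraction, so any chunk_size above 0xFFFFFFFF wraps it to a huge
 * value and the comparison silently passes. Returns true when rejected. */
bool flawed_check_rejects(uint64_t chunk_size, size32_t size) {
    return (uint64_t)SIZE32_MAX - chunk_size <= size;
}

/* What the allocation then receives: size + chunk_size computed in 64 bits and
 * truncated to the 32-bit size_t that new uint8_t[] takes. */
size32_t truncated_alloc_size(uint64_t chunk_size, size32_t size) {
    return (size32_t)((uint64_t)size + chunk_size);
}

/* A correct form of the check (this example's wording): compare chunk_size
 * against the remaining 32-bit headroom instead of subtracting chunk_size
 * from SIZE_MAX, so anything that cannot fit in a 32-bit size_t is rejected. */
bool fixed_check_rejects(uint64_t chunk_size, size32_t size) {
    return chunk_size >= (uint64_t)SIZE32_MAX - size;
}

/* Constructed 16-byte 'tx3g' header: 32-bit size field set to 1, then a
 * 64-bit size of 0x1_0000_0010 (just over 4 GB). Not taken from any real file. */
static const uint8_t kExampleHdr[16] = {
    0x00, 0x00, 0x00, 0x01, 't', 'x', '3', 'g',
    0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x10,
};

/* Parses kExampleHdr and returns the 64-bit size it carries, or 0 on error. */
uint64_t example_chunk_size(void) {
    uint64_t chunk_size, data_offset;
    uint32_t chunk_type;
    if (parse_chunk_header(kExampleHdr, sizeof kExampleHdr, &chunk_size,
                           &chunk_type, &data_offset) != 0) {
        return 0;
    }
    return chunk_size;
}

int main(void) {
    uint64_t chunk_size = example_chunk_size();
    size32_t size = 0; /* no earlier text-format data, as in the snippet */
    printf("chunk_size      = 0x%llx\n", (unsigned long long)chunk_size);
    printf("flawed check    : %s\n", flawed_check_rejects(chunk_size, size) ? "rejected" : "accepted");
    printf("allocation gets : %u bytes, then %llu bytes are read into it\n",
           truncated_alloc_size(chunk_size, size), (unsigned long long)chunk_size);
    printf("fixed check     : %s\n", fixed_check_rejects(chunk_size, size) ? "rejected" : "accepted");
    return 0;
}
```

With chunk_size = 0x100000010 and size = 0, the flawed comparison evaluates 0xFFFFFFFFFFFFFFEF <= 0 and accepts the chunk, the allocation is sized at 16 bytes, and the subsequent read of over 4 GB runs off the end of it. The same flawed check does catch a plain 32-bit overflow (for example chunk_size = 0xFFFFFFF0 with size = 0x20), which is why the patch looked correct at a glance; only values that do not fit in 32 bits slip past.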

Even if this turns out to be exploitable only as a denial-of-service attack, Exodus wanted to make the point that Google should have spotted this basic integer overflow bug before releasing the patch.

Google engineers have worked out a fix for the borked patch and are busy pushing it out to Nexus devices. It has also been posted on the Android Open Source Project, and other handset vendors will bundle it in with their next security update.

"Currently over 90 per cent of Android devices have a technology called ASLR enabled, which protects users from this issue," a Google spokesperson told The Register, seemingly oblivious to the fact that ASLR raises the bar for attackers but does not remove the underlying memory-corruption bug, and can be bypassed by chaining it with other flaws, such as an information leak, in the operating system.

"We've already sent the fix to our partners to protect users, and Nexus 4/5/6/7/9/10 and Nexus Player will get the OTA update in the September monthly security update," the spokesgoogler added.

It's now up to other handset vendors to cover their users' asses, but so far there have been a lot of words and very little action. Motorola users here in Vulture West are still waiting for their original patch, and anecdotal evidence suggests other vendors are being just as tardy.

The monthly security updates for Android that Google arranged in the wake of the Stagefright disclosure were lauded by many as a sensible idea. But whether handset vendors will live up to their promises remains to be seen. ®

Biting the hand that feeds IT © 1998–2022