Last year, we disclosed a series of critical vulnerabilities within Android’s multimedia processing code — libstagefright. We promised to release the exploit for testing purposes and quickly published our exploit for CVE-2015-1538 targeting the Galaxy Nexus running Android 4.0.4. We delivered this exploit via MMS to help carriers simulate and block a potential MMS-based worm scenario. We are now ready to release our browser-based CVE-2015-3864 exploit for testing, but first let’s look at what prompted this decision.
The Impact on Android
Google responded quickly when we first notified them of the vulnerabilities we discovered. They:
- quickly accepted patches provided to AOSP
- updated the Hangouts and Messenger apps to remove automatic media processing
- started releasing monthly Nexus updates and bulletins, and
- pushed OEMs and carriers to improve the way they handle and remediate vulnerabilities
Despite improvements in the ecosystem (kudos where deserved), updating Android devices remains a challenge and leaves many end users’ handsets exposed to serious vulnerabilities. Multimedia-related vulnerabilities have made an appearance in every Nexus/Android Security Bulletin to date. The most recent Android Security Bulletin in September included 11 vulnerabilities that affected Mediaserver amongst the 55 CVEs referenced. Prior to that, 460 CVEs affecting the Android platform (159 critical, 191 high, 68 moderate, and 5 with low severity) had been disclosed. Usually, an attacker needs between one and five vulnerabilities to take full control over a device. Keeping devices updated has never been more important.
Google’s Android Security Team has invested heavily in responding to media-related security problems by hardening Mediaserver (and the OS too) significantly in Android Nougat. Unfortunately, the adoption rate of new versions of Android is very slow. Nearly one year after its initial release, Android Marshmallow (6.0) is only running on 18.7% of devices in the ecosystem. If this trend continues, Android Nougat will only be used on roughly the same number of devices this time next year. Any device not updated will not benefit from a majority of the improvements Google has made in response to our (and others’) research related to multimedia processing. We implore those responsible for releasing updates to do whatever possible to rectify this situation.
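Since the exposure described above comes down to whether a given handset has received the bulletin that carries a fix, a quick triage of the property `ro.build.version.security_patch` is the first check worth automating across a fleet. The script below is an added example, not code from the original post or from Zimperium or Metasploit. It parses the output of `adb shell getprop`, compares the reported patch level against a threshold date, and treats the absence of the property as "unknown" rather than "patched", because devices earlier than Android 6.0 never report one. The threshold date, the sample `getprop` output, and the `assess_connected_device` helper are assumptions constructed for illustration; set the threshold from the bulletin that shipped the fix you care about (for CVE-2015-3864 that is the September 2015 Nexus bulletin).

```python
"""Triage helper: decide from `adb shell getprop` output whether a device's
security patch level predates a given monthly security bulletin.

Added example, not code from the original post or from Zimperium/Metasploit.
Assumptions: the threshold date and the sample getprop output below are
constructed for illustration; set FIX_PATCH_LEVEL from the bulletin that
shipped the fix you are triaging.
"""
import re
import subprocess
from datetime import date

# Assumed threshold: the bulletin in which the relevant fix shipped.
# For CVE-2015-3864 that is the September 2015 Nexus bulletin.
FIX_PATCH_LEVEL = date(2015, 9, 1)

# getprop prints one "[key]: [value]" pair per line.
_PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")


def parse_getprop(output: str) -> dict:
    """Parse `[key]: [value]` lines printed by getprop into a dict."""
    props = {}
    for line in output.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


def assess(props: dict, fix_level: date = FIX_PATCH_LEVEL) -> tuple:
    """Return (verdict, reason) for one device's properties.

    verdict is "patched", "unpatched" or "unknown". Devices earlier than
    Android 6.0 never report ro.build.version.security_patch, so a missing
    property is flagged for manual verification rather than treated as safe.
    """
    release = props.get("ro.build.version.release", "?")
    level = props.get("ro.build.version.security_patch")
    if not level:
        return ("unknown",
                f"Android {release}: no security patch level reported; "
                "verify the build against the OEM bulletin")
    try:
        level_date = date.fromisoformat(level)
    except ValueError:
        return ("unknown", f"unparseable security patch level {level!r}")
    if level_date >= fix_level:
        return ("patched", f"patch level {level} >= {fix_level.isoformat()}")
    return ("unpatched", f"patch level {level} predates {fix_level.isoformat()}")


def assess_connected_device(serial: str = None) -> tuple:
    """Pull properties over adb and assess them (needs a connected device)."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + ["shell", "getprop"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return assess(parse_getprop(out))


# Constructed sample output (not captured from real devices).
SAMPLE_MARSHMALLOW = """\
[ro.build.version.release]: [6.0.1]
[ro.build.version.security_patch]: [2016-09-06]
[ro.build.fingerprint]: [google/example/example:6.0.1/EXAMPLE/1:user/release-keys]
"""
SAMPLE_LOLLIPOP = """\
[ro.build.version.release]: [5.1.1]
[ro.build.fingerprint]: [google/example/example:5.1.1/EXAMPLE/1:user/release-keys]
"""

if __name__ == "__main__":
    for name, sample in (("marshmallow", SAMPLE_MARSHMALLOW),
                         ("lollipop", SAMPLE_LOLLIPOP)):
        verdict, reason = assess(parse_getprop(sample))
        print(f"{name}: {verdict} ({reason})")
```

Run it against a real handset with `assess_connected_device()`; for a fleet, feed each device's saved `getprop` dump through `parse_getprop` and `assess`. The point of the three-way verdict is that an Android 5.x device, exactly the population the browser exploit targets, will never show up as "patched" by this check alone and must be matched against its OEM's build-specific advisory.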
The latest effort, undertaken by our Joshua J. Drake, culminated in a Metasploit module that exploits CVE-2015-3864 via the Web browser. This module exploits a vulnerable device using only three quick HTTP requests and supports 29 different device/firmware versions simultaneously, a significant improvement over the Metaphor exploit. We collaborated with Rapid7 to integrate the very recent "mettle" payload developed by the Metasploit team. This payload executes purely in memory, which allows it to operate within the SELinux policy that confines mediaserver on Android 5.x and still yield a Meterpreter session. An asciicast demonstration is available at https://asciinema.org/a/8jlbdq006wsnkqewvcaf05wva
P.S. The best way is to update to the latest security patch level released by Google.