Android Security Update Includes Fix for Stagefright Vulnerabilities Discovered by Trend Micro

The discovery of the first Stagefright vulnerability last July is turning out to be just the beginning of many security concerns for Android users.

The latest Nexus security bulletin released earlier this month includes updates for 15 remote code execution vulnerabilities related to libstagefright, all tagged as critical. We discovered four of the mentioned vulnerabilities (all affecting Lollipop 5.1 and below):

  • CVE-2015-3823
  • CVE-2015-6600
  • CVE-2015-3871
  • CVE-2015-3872

Details on the Four Vulnerabilities

CVE-2015-3823

This vulnerability allows attackers to perform denial of service (DoS) attacks on Android’s mediaserver program, causing the device to reboot and drain its battery. The bug is an integer overflow in Matroska (MKV) file parsing. It was previously classified as a moderate vulnerability, but Google has since raised its classification to critical.

CVE-2015-6600

This bug is related to MP4 file parsing. Specifically, a bounds check is missing when the “stsz/stz2” box is handled during MP4 file extraction.


Figure 1. Integer overflow bug when handling “stsz/stz2” box

Since “max_size” can be controlled by an attacker, an integer overflow can occur in the statement in the red block, so that the metadata key “kKeyMaxInputSize” is set to an unexpectedly small value.


Figure 2. The unexpected small value is used to allocate heap

Then during MP4 source parsing, the overflowed value is retrieved to allocate heap buffers for further use, leading to a typical heap buffer overflow.

We used a simple PoC to prove this. With a specially crafted MP4 file (malformed so that the first audio sample size is 0xFFFFFFFF), heap corruption is detected and mediaserver crashes when the file is opened.


Figure 3. Sample POC

CVE-2015-3871

This vulnerability is also related to MP4 file parsing. This time, a bounds check is missing when the “mean/name/data” box is handled during MP4 file extraction. Since “size” can be controlled by an attacker, an integer overflow is possible: when “size = SIZE_MAX”, the buffer pointer is allocated with a zero-length buffer.


Figure 4. Integer overflow when “size = SIZE_MAX”

This bug may lead to memory corruption when data is written through the buffer pointer, and possibly even to arbitrary code execution.

CVE-2015-3872

This bug lies in the Real Time Streaming Protocol (RTSP) media buffer frame handling. Since “offset” and “payloadLength” can be maliciously controlled, an integer overflow can bypass the sanity check before “memcpy” and finally lead to a heap buffer overflow. Arbitrary code execution is also possible by exploiting this vulnerability.


Figure 5. An integer overflow can bypass sanity check before “memcpy”
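The two integer-overflow patterns described above, an allocation size that wraps to a small value (CVE-2015-6600) and a bounds check that a wrapped sum slips past (CVE-2015-3872), shown in an added C example that is not libstagefright code: the frame buffer, sizes and function names are constructed for illustration, and each vulnerable check sits beside its hardened form.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the media buffer an RTSP payload is copied into. */
#define FRAME_SIZE 1024u
static uint8_t frame[FRAME_SIZE];

/* Vulnerable pattern: the sum is formed in 32-bit unsigned arithmetic, so a large
 * attacker-controlled payloadLength wraps it to a small value and the check passes
 * even though the memcpy that follows would run far past the end of frame. */
bool length_check_unsafe(uint32_t offset, uint32_t payloadLength) {
    return offset + payloadLength <= FRAME_SIZE;
}

/* Hardened pattern: never form the sum; compare the length against the space
 * remaining after offset, which cannot wrap. */
bool length_check_safe(uint32_t offset, uint32_t payloadLength) {
    if (offset > FRAME_SIZE) return false;
    return payloadLength <= FRAME_SIZE - offset;
}

/* Copy a payload into the frame only when the hardened check accepts it.
 * Returns true on success, false when the request is rejected. */
bool copy_payload(uint32_t offset, const uint8_t *payload, uint32_t payloadLength) {
    if (!length_check_safe(offset, payloadLength)) return false;
    memcpy(frame + offset, payload, payloadLength);
    return true;
}

/* Allocation-size variant (the stsz-style case): count * entry_size computed in
 * 32 bits wraps to a small number, so the heap buffer comes out much smaller than
 * the data later written into it. Unsafe form, for comparison only. */
uint32_t table_bytes_unsafe(uint32_t count, uint32_t entry_size) {
    return count * entry_size;
}

/* Hardened form: reject the product before it can wrap. Returns the byte count to
 * allocate, or 0 when the product would overflow (or either factor is zero),
 * so callers treat 0 as "do not allocate". */
uint32_t table_bytes_safe(uint32_t count, uint32_t entry_size) {
    if (count == 0 || entry_size == 0) return 0;
    if (count > UINT32_MAX / entry_size) return 0;
    return count * entry_size;
}
```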

Protecting Your Android Devices

We advise users to immediately install updates to their Android devices once they are made available. Installing the latest security patches lessens the possibility of their device being vulnerable to different attacks.

Note that the release of updates for non-Nexus devices depends on the carriers and manufacturers. Installing security solutions such as Trend Micro Mobile Security (TMMS), which can detect threats trying to use these vulnerabilities in any of the scenarios presented, can greatly boost the security of devices.

We also recommend that device manufacturers patch their devices regularly to prevent their users from suffering from attacks that use these vulnerabilities.

Disclosure Timeline

CVE-2015-3823

  • May 29, 2015: The vulnerability was submitted to Google.
  • October 5, 2015: Google published the vulnerability.

CVE-2015-6600

  • July 31, 2015: The vulnerability was submitted to Google.
  • August 12, 2015: Google confirmed and accepted the disclosure.
  • October 5, 2015: Google published the vulnerability.

CVE-2015-3871

  • August 6, 2015: The vulnerability was submitted to Google.
  • October 5, 2015: Google published the vulnerability.

CVE-2015-3872

  • August 19, 2015: The vulnerability was submitted to Google.
  • October 5, 2015: Google published the vulnerability.

Read more: Android Security Update Includes Fix for Stagefright Vulnerabilities Discovered by Trend Micro

Story added 15 October 2015; the full text is available from the content source linked above.