Android/StageFright!exploit.CVE20151538

Analysis

The Android/StageFright!exploit.CVExxxxxxxxxx detections refer to the Android StageFright exploits, discovered at the end of July 2015.
This collection of exploits affects Android 2.2 and above. They abuse the StageFright library, which is responsible for processing media formats.
The vulnerabilities can be exploited by forging a special MMS and sending it to the victim. The exploit results in a full compromise of the phone: a remote shell with root privileges on the compromised phone.

Technical Details


The exploits consist of abusing an integer overflow in the libstagefright.so library. For example, an MP4 video with an overflowing tx3g header is sent to the target device and causes libstagefright.so to crash:
F/libc    (   59): Fatal signal 6 (SIGABRT) at 0x0000003b (code=-6), thread 402 (Binder_2)
I/DEBUG   (   54): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
W/NativeCrashListener(  356): Couldn't find ProcessRecord for pid 59
I/DEBUG   (   54): AM write failure (32 / Broken pipe)
I/DEBUG   (   54): Build fingerprint: 'generic/sdk/generic:4.4.4/KK/1743154:eng/test-keys'
I/DEBUG   (   54): Revision: '0'
I/DEBUG   (   54): pid: 59, tid: 402, name: Binder_2  >>> /system/bin/mediaserver <<<
I/DEBUG   (   54): signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
I/DEBUG   (   54):     r0 00000000  r1 00000192  r2 00000006  r3 00000000
I/DEBUG   (   54):     r4 00000006  r5 0000000c  r6 00000192  r7 0000010c
I/DEBUG   (   54):     r8 b8259950  r9 b5d94a60  sl 0005e4a9  fp 00000000
I/DEBUG   (   54):     ip 75647461  sp b5d93db0  lr b6ec3ead  pc b6ed2e20  cpsr 00000010
I/DEBUG   (   54):     d0  3ff0000000000000  d1  4000000000000000
I/DEBUG   (   54):     d2  4001540d31d1dd7f  d3  3f896225b5dca0c6
I/DEBUG   (   54):     d4  3fc31bfb28b94e37  d5  3fdb390135d1ac72
I/DEBUG   (   54):     d6  3f9ac5089b2b319a  d7  3ecccccd3ecccccd
I/DEBUG   (   54):     d8  0000000000000000  d9  0000000000000000
I/DEBUG   (   54):     d10 0000000000000000  d11 0000000000000000
I/DEBUG   (   54):     d12 0000000000000000  d13 0000000000000000
I/DEBUG   (   54):     d14 0000000000000000  d15 0000000000000000
I/DEBUG   (   54):     scr 20000010
I/DEBUG   (   54): 
I/DEBUG   (   54): backtrace:
I/DEBUG   (   54):     #00  pc 00021e20  /system/lib/libc.so (tgkill+12)
I/DEBUG   (   54):     #01  pc 00012ea9  /system/lib/libc.so (pthread_kill+48)
I/DEBUG   (   54):     #02  pc 000130bd  /system/lib/libc.so (raise+10)
I/DEBUG   (   54):     #03  pc 00011df3  /system/lib/libc.so
I/DEBUG   (   54):     #04  pc 000216d4  /system/lib/libc.so (abort+4)
I/DEBUG   (   54):     #05  pc 00000911  /system/lib/libstdc++.so (operator new(unsigned int)+8)
I/DEBUG   (   54):     #06  pc 0006357d  /system/lib/libstagefright.so (android::MPEG4Extractor::parseChunk(long long*, int)+4416)
...
The vulnerabilities concerned are:
  • CVE-2015-1538, Google Stagefright MP4 Atom Integer Overflow Remote Code Execution
  • CVE-2015-1539, Google Stagefright MP4 Atom Integer Underflow Remote Code Execution
  • CVE-2015-3827, Google Stagefright MP4 Atom Integer Underflow Remote Code Execution
  • CVE-2015-3826, Google Stagefright 3GPP Metadata Buffer Overread
  • CVE-2015-3828, Google Stagefright 3GPP Integer Underflow Remote Code Execution
  • CVE-2015-3824, Google Stagefright tx3g MP4 Atom Integer Overflow Remote Code Execution
  • CVE-2015-3829, Google Stagefright covr MP4 Atom Integer Overflow Remote Code Execution
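As an added illustration of the tx3g atom size overflow described above (CVE-2015-3824 in the list), the following C program is example code written for this page; it is neither Fortinet's detection logic nor the AOSP libstagefright source. It walks MP4 box ("atom") headers with bounds checks, flags a box whose declared size exceeds the data actually present, and places the unchecked 32-bit accumulation of tx3g payload sizes beside its checked form. All function, type and flag names are hypothetical, and the two byte arrays are constructed samples, not real media files.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Example code for this page (hypothetical names), not Fortinet's or AOSP's code:
 * a minimal, bounds-checked walker over ISO-BMFF/MP4 box headers, plus the
 * overflow check that the vulnerable tx3g size accumulation lacked. */

#define BOX_FLAG_OVERSIZED   0x1u  /* declared size exceeds the bytes available */
#define BOX_FLAG_ACCUM_WRAP  0x2u  /* tx3g payload total would not fit in 32 bits */

typedef struct {
    uint64_t size;      /* full box size including header, as declared */
    char     type[5];   /* four-character code, NUL-terminated */
    size_t   hdr_len;   /* 8 for a 32-bit size, 16 when largesize is used */
} box_hdr_t;

static uint32_t rd32be(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parse one box header at buf[0..avail). Returns false when the header itself
 * is malformed: too few bytes for it, or a declared size smaller than the header. */
bool read_box_header(const uint8_t *buf, size_t avail, box_hdr_t *out) {
    if (avail < 8) return false;
    uint32_t size32 = rd32be(buf);
    memcpy(out->type, buf + 4, 4);
    out->type[4] = '\0';
    out->hdr_len = 8;
    if (size32 == 1) {              /* 64-bit "largesize" follows the type */
        if (avail < 16) return false;
        out->size = ((uint64_t)rd32be(buf + 8) << 32) | rd32be(buf + 12);
        out->hdr_len = 16;
    } else if (size32 == 0) {       /* box extends to the end of the data */
        out->size = avail;
    } else {
        out->size = size32;
    }
    return out->size >= out->hdr_len;
}

/* The unchecked pattern: a 32-bit running total of tx3g payload bytes (size_t on
 * the 32-bit ARM builds concerned) silently wraps, so a later allocation of
 * 'total' bytes is far smaller than the data copied into it. */
uint32_t tx3g_total_unchecked(uint32_t total, uint32_t chunk) {
    return total + chunk;
}

/* The hardened form: refuse the chunk when the sum would not fit. */
bool tx3g_total_checked(uint32_t total, uint32_t chunk, uint32_t *out) {
    if (chunk > UINT32_MAX - total) return false;   /* would wrap */
    *out = total + chunk;
    return true;
}

/* Walk the boxes in buf, returning how many were flagged and OR-ing the reasons
 * into *flags. Stops at the first box it cannot parse or cannot trust. */
int scan_boxes(const uint8_t *buf, size_t len, unsigned *flags) {
    size_t   off = 0;
    uint32_t tx3g_total = 0;
    int      flagged = 0;
    *flags = 0;
    while (off < len) {
        box_hdr_t h;
        if (!read_box_header(buf + off, len - off, &h)) break;
        bool bad = false;
        if (h.size > len - off) {            /* claims more bytes than exist */
            *flags |= BOX_FLAG_OVERSIZED; bad = true;
        }
        if (strcmp(h.type, "tx3g") == 0) {
            uint64_t payload = h.size - h.hdr_len;   /* safe: size >= hdr_len */
            uint32_t next;
            if (payload > UINT32_MAX ||
                !tx3g_total_checked(tx3g_total, (uint32_t)payload, &next)) {
                *flags |= BOX_FLAG_ACCUM_WRAP; bad = true;
            } else {
                tx3g_total = next;
            }
        }
        if (bad) { flagged++; break; }       /* offsets beyond here are untrusted */
        off += (size_t)h.size;
    }
    return flagged;
}

/* Convenience wrappers so a scan result can be asked for directly. */
unsigned scan_flags(const uint8_t *buf, size_t len) { unsigned f; scan_boxes(buf, len, &f); return f; }
int      scan_count(const uint8_t *buf, size_t len) { unsigned f; return scan_boxes(buf, len, &f); }

/* Constructed sample: a well-formed 'ftyp' box, then a 'tx3g' box using largesize
 * to declare 0x100000010 bytes although only its 16-byte header is present. */
const uint8_t SAMPLE_BAD[] = {
    0x00,0x00,0x00,0x0C, 'f','t','y','p', 'i','s','o','m',
    0x00,0x00,0x00,0x01, 't','x','3','g', 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x10,
};
/* Constructed sample: the same layout with a tx3g box of 12 bytes (4 of payload). */
const uint8_t SAMPLE_GOOD[] = {
    0x00,0x00,0x00,0x0C, 'f','t','y','p', 'i','s','o','m',
    0x00,0x00,0x00,0x0C, 't','x','3','g', 0x00,0x00,0x00,0x00,
};
```

Calling `scan_boxes(SAMPLE_BAD, sizeof SAMPLE_BAD, &flags)` flags the tx3g box on both counts (oversized and a payload that cannot fit a 32-bit total), while `SAMPLE_GOOD` passes cleanly; `tx3g_total_unchecked(0xFFFFFFF0, 0x20)` shows the wrapped value 0x10 that the checked variant refuses. The design point is that every size read from the file is validated against the bytes actually available before it drives an allocation or a copy.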

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate
FortiClient
FortiAPS
FortiAPU
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR