Android/StageFright!exploit.CVE20151538
Analysis
The Android/StageFright!exploit.CVExxxxxxxxxx malware names refer to the Android StageFright exploits, discovered at the end of July 2015.
This collection of exploits affects Android 2.2 and above. They abuse the StageFright library, which is responsible for processing media formats.
The vulnerabilities can be exploited by forging a special MMS and sending it to the victim. The exploit results in a full compromise of the phone: a remote shell with root privileges on the compromised device.
Technical Details
The exploits abuse an integer overflow in the libstagefright.so library. For example, an MP4 video with an overflowing tx3g header is sent to the target device and causes a crash of libstagefright.so:
```
F/libc ( 59): Fatal signal 6 (SIGABRT) at 0x0000003b (code=-6), thread 402 (Binder_2)
I/DEBUG ( 54): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
W/NativeCrashListener( 356): Couldn't find ProcessRecord for pid 59
I/DEBUG ( 54): AM write failure (32 / Broken pipe)
I/DEBUG ( 54): Build fingerprint: 'generic/sdk/generic:4.4.4/KK/1743154:eng/test-keys'
I/DEBUG ( 54): Revision: '0'
I/DEBUG ( 54): pid: 59, tid: 402, name: Binder_2 >>> /system/bin/mediaserver <<<
I/DEBUG ( 54): signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
I/DEBUG ( 54): r0 00000000 r1 00000192 r2 00000006 r3 00000000
I/DEBUG ( 54): r4 00000006 r5 0000000c r6 00000192 r7 0000010c
I/DEBUG ( 54): r8 b8259950 r9 b5d94a60 sl 0005e4a9 fp 00000000
I/DEBUG ( 54): ip 75647461 sp b5d93db0 lr b6ec3ead pc b6ed2e20 cpsr 00000010
I/DEBUG ( 54): d0 3ff0000000000000 d1 4000000000000000
I/DEBUG ( 54): d2 4001540d31d1dd7f d3 3f896225b5dca0c6
I/DEBUG ( 54): d4 3fc31bfb28b94e37 d5 3fdb390135d1ac72
I/DEBUG ( 54): d6 3f9ac5089b2b319a d7 3ecccccd3ecccccd
I/DEBUG ( 54): d8 0000000000000000 d9 0000000000000000
I/DEBUG ( 54): d10 0000000000000000 d11 0000000000000000
I/DEBUG ( 54): d12 0000000000000000 d13 0000000000000000
I/DEBUG ( 54): d14 0000000000000000 d15 0000000000000000
I/DEBUG ( 54): scr 20000010
I/DEBUG ( 54):
I/DEBUG ( 54): backtrace:
I/DEBUG ( 54): #00 pc 00021e20 /system/lib/libc.so (tgkill+12)
I/DEBUG ( 54): #01 pc 00012ea9 /system/lib/libc.so (pthread_kill+48)
I/DEBUG ( 54): #02 pc 000130bd /system/lib/libc.so (raise+10)
I/DEBUG ( 54): #03 pc 00011df3 /system/lib/libc.so
I/DEBUG ( 54): #04 pc 000216d4 /system/lib/libc.so (abort+4)
I/DEBUG ( 54): #05 pc 00000911 /system/lib/libstdc++.so (operator new(unsigned int)+8)
I/DEBUG ( 54): #06 pc 0006357d /system/lib/libstagefright.so (android::MPEG4Extractor::parseChunk(long long*, int)+4416)
...
```
The vulnerabilities concerned are:
- CVE-2015-1538, Google Stagefright MP4 Atom Integer Overflow Remote Code Execution
- CVE-2015-1539, Google Stagefright MP4 Atom Integer Underflow Remote Code Execution
- CVE-2015-3827, Google Stagefright MP4 Atom Integer Underflow Remote Code Execution
- CVE-2015-3826, Google Stagefright 3GPP Metadata Buffer Overread
- CVE-2015-3828, Google Stagefright 3GPP Integer Underflow Remote Code Execution
- CVE-2015-3824, Google Stagefright tx3g MP4 Atom Integer Overflow Remote Code Execution
- CVE-2015-3829, Google Stagefright covr MP4 Atom Integer Overflow Remote Code Execution
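The defect class behind the tx3g crash above is an unchecked size accumulation: a 32-bit parser adds an attacker-controlled atom size to a running total, the sum wraps, and the allocation made from the wrapped value is far smaller than the data later copied into it (hence the abort under `operator new` inside `MPEG4Extractor::parseChunk` in the backtrace). The following C program is an added illustration, not libstagefright code, and the atom sizes in it are constructed values: it models the unchecked accumulation next to the hardened form that rejects the atom before allocating. The 32-bit `uint32_t` accumulator stands in for `size_t` on the ARM build shown in the crash log.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed atom sequences (made-up sizes for the illustration): each entry
 * is the declared payload size of one tx3g atom in a hypothetical MP4 file. */
#define TX3G_ATOM_COUNT 2
const uint32_t sample_tx3g_sizes_overflowing[TX3G_ATOM_COUNT] = { 0x10u, 0xFFFFFFF8u };
const uint32_t sample_tx3g_sizes_benign[TX3G_ATOM_COUNT]      = { 0x10u, 0x20u };

/* Result of accumulating the sizes: ok says whether the input was accepted,
 * total is the byte count the parser would allocate for the merged buffer. */
struct tx3g_result {
    bool ok;
    uint32_t total;
};

/* Unchecked accumulation (the defect class). The sum wraps modulo 2^32, so a
 * huge declared size yields a tiny allocation while the parser still believes
 * it must copy the full declared size into it: a heap overflow. */
struct tx3g_result tx3g_accumulate_unchecked(const uint32_t *sizes, size_t count) {
    struct tx3g_result r = { true, 0 };
    for (size_t i = 0; i < count; i++) {
        r.total += sizes[i];            /* silent wrap-around on overflow */
    }
    return r;
}

/* Hardened accumulation: refuse any atom whose size cannot be added without
 * wrapping and treat the file as malformed instead of allocating from it. */
struct tx3g_result tx3g_accumulate_checked(const uint32_t *sizes, size_t count) {
    struct tx3g_result r = { true, 0 };
    for (size_t i = 0; i < count; i++) {
        if (sizes[i] > UINT32_MAX - r.total) {
            r.ok = false;               /* would overflow: reject the atom */
            r.total = 0;
            return r;
        }
        r.total += sizes[i];
    }
    return r;
}

int main(void) {
    struct tx3g_result u = tx3g_accumulate_unchecked(sample_tx3g_sizes_overflowing, TX3G_ATOM_COUNT);
    struct tx3g_result c = tx3g_accumulate_checked(sample_tx3g_sizes_overflowing, TX3G_ATOM_COUNT);
    struct tx3g_result b = tx3g_accumulate_checked(sample_tx3g_sizes_benign, TX3G_ATOM_COUNT);
    printf("overflowing input, unchecked: ok=%d total=0x%08x (wrapped)\n", u.ok, u.total);
    printf("overflowing input, checked:   ok=%d total=0x%08x\n", c.ok, c.total);
    printf("benign input, checked:        ok=%d total=0x%08x\n", b.ok, b.total);
    return 0;
}
```

With the overflowing input the unchecked version accepts the file and reports a total of 8 bytes, which is the allocation size the subsequent copy would overrun; the checked version rejects it at the second atom, and still accepts the benign sequence with a total of 0x30 bytes. The same pre-addition test (`b > MAX - a`) is the general guard for any size arithmetic fed by untrusted container metadata, which is why it applies across the MP4 and 3GPP atom issues listed above.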
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
Product | Detection Availability
---|---
FortiGate |
FortiClient |
FortiAPS |
FortiAPU |
FortiMail |
FortiSandbox |
FortiWeb |
Web Application Firewall |
FortiIsolator |
FortiDeceptor |
FortiEDR |