Android security just got a little worse as of Thursday, when two reports came forward disclosing vulnerabilities that once again plague millions of devices.
The first disclosure concerned Google’s patch for a flaw that allowed attackers to execute malicious code on nearly one billion Android devices with a single text. Seven days after that patch shipped, researchers are reporting that it is flawed and attackers can still exploit the vulnerability with specially crafted text messages.
“The patch is 4 lines of code and was (presumably) reviewed by Google engineers prior to shipping,” Jordan Gruskovnjak and Aaron Portnoy, who are researchers at security firm Exodus Intelligence, wrote in a blog post Thursday. “The public at large believes the current patch protects them when it in fact does not.”
The code-execution vulnerability (CVE-2015-3864) lies within Stagefright, a code library that processes video and whose name has also become the name of the flaw. The researchers who discovered the flaw privately reported their finding to Google back in April, and the latest patch has not plugged any of the gaping exploits available. Specifically, malicious MP4 videos that supplied variables with 64-bit lengths were able to overflow the buffer and feed malicious code into Android memory. MP4 videos generally use 32-bit variable lengths, but the security researchers found a rare case where 64-bit lengths could be used.
Buffers act as containers designed to hold a specific amount of data. When the designated amount is exceeded, the surplus data spills outside the buffer. Newer versions of Android have introduced a feature known as address space layout randomization (ASLR) with the sole intention of making overflow exploits harder to pull off. The feature works by randomizing the memory locations the malicious code is loaded into, so the attack code cannot reliably call it; the result is that the device crashes rather than executing the injected code. The researchers also found that the mechanism could be bypassed with more advanced techniques.
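As an added illustration of the mistake class at issue when a parser accepts a 64-bit length (my own code, not code from the article, Google or Exodus Intelligence), the C program below contains a minimal ISO BMFF/MP4 box-header reader and two bounds checks: a naive one that adds the untrusted length to the current offset, which a huge value can wrap back to a small number, and an overflow-safe one that compares the length against the trusted count of bytes remaining. The box layout follows the MP4 "size 1 means an 8-byte largesize follows" convention; the function names and the constructed 32-byte sample are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ISO BMFF (MP4) boxes start with a 4-byte big-endian size and a 4-byte type.
 * A size of 1 means an 8-byte "largesize" follows: the 64-bit length form. */
struct box_header {
    uint64_t size;     /* declared size of the whole box, header included */
    size_t   hdr_len;  /* 8 for the 32-bit form, 16 for the 64-bit form */
    char     type[5];
};

static uint32_t rd32be(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static uint64_t rd64be(const uint8_t *p) {
    return ((uint64_t)rd32be(p) << 32) | rd32be(p + 4);
}

/* Reads the header of the box starting at `off` in a `total`-byte buffer.
 * Returns 0 on success, -1 if the header itself does not fit. */
int read_box_header(const uint8_t *buf, size_t total, size_t off,
                    struct box_header *h) {
    if (off > total || total - off < 8) return -1;
    uint32_t size32 = rd32be(buf + off);
    memcpy(h->type, buf + off + 4, 4);
    h->type[4] = '\0';
    h->hdr_len = 8;
    h->size = size32;
    if (size32 == 1) {                 /* 64-bit largesize follows */
        if (total - off < 16) return -1;
        h->size = rd64be(buf + off + 8);
        h->hdr_len = 16;
    } else if (size32 == 0) {          /* box runs to end of data */
        h->size = total - off;
    }
    return 0;
}

/* Naive bounds check: adds the untrusted 64-bit size to the offset. A size
 * close to 2^64 wraps the sum to a small number, so the check passes.
 * Constructed to show the bug class; this is not Google's patch code. */
int naive_box_fits(size_t total, size_t off, const struct box_header *h) {
    uint64_t end = (uint64_t)off + h->size;   /* can wrap around */
    return end <= total;
}

/* Overflow-safe check: compare the untrusted size against the trusted
 * number of bytes remaining instead of adding it to anything, and reject
 * boxes that claim to be smaller than their own header. */
int safe_box_fits(size_t total, size_t off, const struct box_header *h) {
    if (off > total) return 0;
    if (h->size < h->hdr_len) return 0;
    return h->size <= (uint64_t)(total - off);
}

/* Constructed 32-byte sample: an 8-byte 'ftyp' box followed at offset 8 by a
 * 'moov' box in 64-bit form whose largesize is 2^64 - 4, so 8 + largesize
 * wraps to 4. Writes each validator's verdict; returns 0 on success. */
int demo_wrapping_largesize(int *naive_verdict, int *safe_verdict) {
    uint8_t buf[32] = {0};
    size_t total = sizeof buf, off = 8;
    uint64_t large = UINT64_MAX - 3;
    struct box_header h;

    buf[3] = 8;        memcpy(buf + 4, "ftyp", 4);
    buf[off + 3] = 1;  memcpy(buf + off + 4, "moov", 4);
    for (int i = 0; i < 8; i++)
        buf[off + 8 + i] = (uint8_t)(large >> (56 - 8 * i));

    if (read_box_header(buf, total, off, &h) != 0) return -1;
    *naive_verdict = naive_box_fits(total, off, &h);
    *safe_verdict  = safe_box_fits(total, off, &h);
    return 0;
}

int main(void) {
    int naive, safe;
    if (demo_wrapping_largesize(&naive, &safe) != 0) return 1;
    printf("naive check accepts wrapped box: %d\nsafe check accepts it: %d\n",
           naive, safe);
    return 0;
}
```

The point of the two validators is the arithmetic direction: subtracting trusted quantities from each other and comparing the untrusted value against the result cannot wrap, whereas adding an attacker-chosen 64-bit value to anything can, regardless of whether the platform's `size_t` is 32 or 64 bits wide.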
As of the time of publishing this article, Google is still issuing last week’s patch, both over-the-air and on user computers. It is currently unknown when Google will pull the faulty patch and ship a corrected one.
“Google employs a tremendously large security staff, so much so that many members dedicate time to audit other vendor’s software and hold them accountable to provide a code fix within a deadline period,” the two Exodus researchers wrote. “If Google cannot demonstrate the ability to successfully remedy a disclosed vulnerability affecting their own customers then what hope do the rest of us have?”
Second, another pair of researchers from security firm MWR Labs disclosed a flaw that allows malicious apps to break out of the Android security sandbox. Android’s sandbox is a key defense in the mobile OS, as it isolates passwords and other sensitive information, blocking them from being accessed by another app. The flaw resides in the Android Admin application at com.google.android.apps.enterprise.cpanel and allows other applications on the device to bypass restrictions and read arbitrary files through the use of symbolic links.
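As an added example of the defensive check a file-handling component can apply against symlink tricks (my own code, not MWR Labs' finding or the Android Admin app's code), the C program below refuses a requested path unless it is a regular file that, after every symlink is resolved, still lies strictly inside the app's own directory, and it additionally opens files with `O_NOFOLLOW` so that a symlink in the final path component is rejected by the kernel as well. The temporary directory layout, file names and helper function names are constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Accept `path` only if it is a regular file, is not itself a symlink, and
 * its fully resolved location is strictly inside the resolved `base` dir. */
int safe_to_share(const char *base, const char *path) {
    char real_base[PATH_MAX], real_path[PATH_MAX];
    struct stat st;

    if (realpath(base, real_base) == NULL) return 0;
    if (lstat(path, &st) != 0) return 0;              /* lstat: do not follow */
    if (S_ISLNK(st.st_mode)) return 0;                /* final component is a link */
    if (!S_ISREG(st.st_mode)) return 0;
    if (realpath(path, real_path) == NULL) return 0;  /* resolves links in parent dirs */

    size_t n = strlen(real_base);
    if (strncmp(real_path, real_base, n) != 0) return 0;
    return real_path[n] == '/';                       /* "/base/..." but not "/base2/..." */
}

/* Kernel-enforced variant of the same rule for the final path component:
 * open() fails with ELOOP if `path` is a symlink. */
int open_without_following(const char *path) {
    return open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
}

/* Constructed fixture: an "app data" directory holding one regular file and
 * one symlink that points at a file in a second directory outside it. */
static int make_fixture(char *base, char *good, char *link) {
    char outside_dir[] = "/tmp/outside_XXXXXX";
    char base_dir[] = "/tmp/appdata_XXXXXX";
    char outside_file[PATH_MAX];
    FILE *f;

    if (mkdtemp(outside_dir) == NULL || mkdtemp(base_dir) == NULL) return -1;
    snprintf(outside_file, PATH_MAX, "%s/secret.txt", outside_dir);
    snprintf(base, PATH_MAX, "%s", base_dir);
    snprintf(good, PATH_MAX, "%s/settings.txt", base_dir);
    snprintf(link, PATH_MAX, "%s/innocent.txt", base_dir);

    if ((f = fopen(outside_file, "w")) == NULL) return -1;
    fputs("constructed: must never be reachable through the app dir\n", f);
    fclose(f);
    if ((f = fopen(good, "w")) == NULL) return -1;
    fputs("constructed: ordinary app file\n", f);
    fclose(f);
    return symlink(outside_file, link);
}

/* Runs both checks against the fixture. Returns 0 if the fixture was built,
 * with each verdict written to the matching out-parameter. */
int demo_symlink_checks(int *regular_accepted, int *link_accepted,
                        int *nofollow_refused) {
    char base[PATH_MAX], good[PATH_MAX], link[PATH_MAX];
    int fd;

    if (make_fixture(base, good, link) != 0) return -1;
    *regular_accepted = safe_to_share(base, good);
    *link_accepted    = safe_to_share(base, link);
    fd = open_without_following(link);
    *nofollow_refused = (fd < 0);
    if (fd >= 0) close(fd);
    return 0;
}

int main(void) {
    int reg, lnk, nof;
    if (demo_symlink_checks(&reg, &lnk, &nof) != 0) return 1;
    printf("regular file accepted: %d\nsymlink accepted: %d\n"
           "O_NOFOLLOW refused the link: %d\n", reg, lnk, nof);
    return 0;
}
```

Both layers matter: `lstat` plus `realpath` catches a symlink anywhere in the path, while `O_NOFOLLOW` closes the time-of-check to time-of-use window for the final component, since the kernel evaluates it at the moment the file is actually opened.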
The swath of Android vulnerabilities being disclosed is hard for researchers to keep up with, let alone for end users who are expected to relentlessly update their devices. Fortunately, there are no indications that these vulnerabilities are being actively exploited in the wild. However, Android users should still remain wary, as the flaws remain exploitable.