SlideShare a Scribd company logo

Stagefright (1)

M
Mamoon Ismail Khalid

The document discusses the Stagefright vulnerability in Android devices. It describes how a specially crafted MP4 file can exploit a bug in the Stagefright media library and execute remote code on Android devices without any action from the user. The vulnerability affected over 95% of Android devices. It explains how the exploit works by triggering a buffer overflow using malformed MP4 chunks, and demonstrates compromising an Android device by sending a malicious MP4 file that establishes a reverse TCP connection to give the attacker access to files, contacts and the camera on the victim's device.

1 of 19
Download to read offline
STAGEFRIGHT The Biggest Vulnerability to Android Platforms
Android is very modular operating system. Everything run in separate processes. There are lots of inter-process communications. Android implementts concept of "Sandbox" - modified scheme based on Linux users and groups . The security hole is in android's core media handling library - libstagefright . libstagefright executes inside "MEDIA SERVER" . Android Architecture OVERVIEW
The Stagefright vulnerability was first identified by security copmany Zimperium in July 2015. The exploit is able to execute remote code on Android devices and possibly affected upward of 95% of android devices. Stagefright itself is a software library (libstagefright), written in C++, that's built inside the the Android operating system. The analysis says it is susceptible to memory corruption and when a MMS message containing a video was sent to the device it could, if composed in the correct way, activate malicious code inside the device. The exploit is so dangeorus that it can compromise victim's phone without any action being taken from victim -Just by sending a plane MMS. MMSauto retrieves makes it really easy to exploit android phones. So, who has your phone number? Google has released a patch to the bug now. But new development in form of another exploit based on libstagefright has surfaced, known as metaphor. STAGEFRIGHT EXPLAINED
The mediaserver process runs in the background. It's a native service that's started at boot from /init.rc: As such, the process automatically restarts when it crashes. PROCESS ARCHITECTURE Process Privileges (Nexus 5) The last part of the service definition in /init.rc shows the privileges that the service runs with: This service is highly privileged. Normal android apps cannot request/receive permissions like audio, camera, drmrpc, and mediadrm. Below set of access to media server - can give almost unlimited access. - inet: can create AF_INET and AF_INET6 sockets (attacker can use this to connect to any hosts on internert) - net_bt and net_bt_admin: Attacker can access and configure bluetooth on victim device. camera: An attacker can leverage this to control victims camera devices(front and back cam) - audio : An attacker can leverage this to record, playback and monitor audio.
An attacker can also control storage on victims phone, can reboot adb and get shell access. An attacker can also monitor system server. The MPEG-4 File Format: To understand stagefright vulnerability(CVE-2015-1538) , It will be good to understand structure of an MP4 file. Is a collection of TLV (Type-Length-Value) chunks. This encoding method means there?s a value called ?type?specifying the chunk type, a ?length?value of the data length and a ?chunk?value of the data itself. For MPEG-4, the encoding ?length?is first, then comes ?type?and in the end ?value?. The following pseudo-Cdescribes the MPEG-4 chunk format: When length is 0, data reaches to end of the file. The atom field is a short string ( also called FourCC) which describes the type of chunk. MPEG-4 chunk which have more information than 2^32 bytes have different structure compared to above TLV. w
So how does this all happen? AwesomePlayer.cpp is a program written in C++, which processes when the media file is played in victims phone. Let's jump into code where the bug effects. It calls setDataSource_l( sp<MediaExtractor>). setDataSource_l : It will call MPEG4Extractor::countTracks: Above code, calls readMetaData : Above code, calls MPEG4Extractor, lets look into that.
This is where the attack takes place - when the mp4 file is parsed. The code from MPEG4Extactor.cpp - will collect all chunks and appends them into one singular buffer. The problem here is that there is no check on size and chunk_size (they are unchecked). The attacker in stagefright exploits an interger overflow. Above code snippet, the output in size bytes from data will be written to buffer irrespective of the actual allocated size of buffer. When heap is carefully shaped, the exploitation can be done very easily. In this project, we will be using exploit from exploit-db from Joshua drake of Zimperium labs. Joshua was first to reveal stagefright vulnerability.
CVE-2015-1538 It's a python program exploit, which does the integer overflow and makes a heap overflow. The python exploit will generate a malicious mp4 file, with chunks, size which will make mediaplayer crash and it will reboot again as root. The mp4 file payload also has Attacker's IP address and port on which it will listen on reverse TCPconnection. Define arguments, so as host for back connection and port number can be defined. This will be used to establish a reverse_tcp connection from victims phone to attacker machine. This exploit can also be found on Joshua's Github.
Attacker's Machine: We have used Kali linux as attacker machine, due to its flexibility in suing metasploit to manage reverse TCPfrom victim's phone. DEVICES USED Victim phone: We have used one emulated android device on virtual box and one real android device. We have used two devices as victim. a) Emulated Android device on virtualbox: Android 4.3 b) Real android phone: (not updated to 5.1)
We have used Stagefright detector app on our machine to see if it is vulnerable to stagefright CVE-2015-1538 and the app shows that it's vulnerable.
So, how to leverage the exploit CVE-2015-1538 to generate the mp4 file. - Set up attacker machine b) generate malicious mp4 file - Start a listener (reverse_tcp) on attacker machine - Send the file using attack vectors. - Keep playing after attacker has got the connection. STEP 1- Set up attacker machine: Check IP address of attacker machine: We have used Kali Linux as attacker machine to compromise victim android phone. THE ACTUAL ATTACK Kali linux : 192.168.1.245 | Port to listen : 4444 STEP 2- Generate malicious mp4 file eight:The generated MP4 file can be seen in below screen shot - funny.mp4 a
STEP 3- Start a listener on attacker machine: There are many alternatives to use be it netcat or metasploit. In this project we have used metasploit to to listen on to reverse tcp and perform numerous operations. Metasploit gives lt more functionality in contrast to other utilities, we can get a meterpreter session and perform numerous tasks from accessing cameras, to mic, to get shell access, list process etc. Let's choose the exploit which we are going to use. Here we are just using handler which can receive a connection back from victim phone. Setting up a reverse_tcp payload, to receive back connection. Now the configuration needs to be defined. such as LHOST,LPORT(attacker's IPand port to listen on. After the configuration is set, we need to trigger the listener by using exploit keyword. After being triggered, it will wait for any back connection coming from victim phone to attacker machine at port 4444 which we configured in the malicious mp4 file.
STEP 4- Send the file to victim using numerous attack vectors: In general, number of attack vector is more than 11. MMS: The most dangerous is using MMS, the media file is auto downloaded in victim's phone and parsed thereby victim phone will be compromised without victim knowing it. Web Browser: Attacker can embed malicious mp4 file in a web link, which it could send to victim. If user clicks on the link - the reverse tcp is established. Browser auto download: If browser has capability to auto download a media file. The victim's phone could be compromised. Email: Sending the malicious mp4 file as an email attachment to victim. Social networks: Chat clients such as hangouts, Whatsapp, Facebook messenger can be used to send the link. if auto download is enabled, then victim's phone is compromised. SD card: If attacker has physical access to victim's SD card, it can load mp4 file in sd card, when mounted, it will compromise victim's phone. There are many such possiblities to deliver the mp4 file to victim. The vulnerable code present in mp4 file is invoked many times in Android system. Whenever a thumbnail is rendered or metadata is needed. Rotating the screen, launching the Messaging app , opening Gallery, sharing malicious mp4/media and many more. In this project we have used, Email as attack vector. For victim device we have used - a virtual android
The Mediaserver crashes when playing the video and restarts as root. This sends a back connection to our attacker machine, which is waiting for a connection. STEP 5- Keep playing after attacker has got the connection: After the victim has received the mp4 file and has either downloaded or auto downloaded. Our metasploit gets a back connection and opens a meterpreter session.
Meterpreter session has been opened, we can check whatever processes are running on victim's phone. The command used is ps. Let's check ipaddress and interface details of our victim phone.
Let's see if we can pull out system info of our victim's phone. sysinfo command in meterpreter provides us system details. An attacker can also get shell access to victim's phone: An attacker can check folders and files on android filesystem by giving ls command in shell . Check if the device is rooted. An attacker can also dump contacts from victim's phone.
Let's look into the contacts dump file. An attacker can also control the camera. Webcam_list gives the list of camera available on the device. On our emulated device, there is only back camera configured, with no actual hardware. Let's take a picture from emulated android's camera.
- Update the device: Update your device to latest version of released update. If the update is no t available for a specific device, Install android OSlike CyanogenMod. - Turn off auto download: Partial mitigation is to turn off auto download of media files on all file sharing apps, social media apps, MMS, Browser. This will only protect from the media file executing the remote code automatically, but there are chance is user clicks on the video/downloads the mp4 file. HANGOUT: Disable auto download of messages: - Open Hangouts - Navigate to top left corner - click on Options on the top left corner. - Tap Settings ->SMS - In General, if you have HangoutSMSEnabled then in the Advanced uncheck Auto Retrieve MMS MITIGATION
Mamoon Ismail Khalid Computer Science Graduate Student New York University Parul Sharma Cybersecurity Graduate Student New York University Sahir Riyaz Khan Cybersecurity Graduate Student New York University AUTHORS

Recommended

FreeRTOS
FreeRTOSFreeRTOS
FreeRTOS
Jean-Victor Famy
 
Windows internals Essentials
Windows internals EssentialsWindows internals Essentials
Windows internals Essentials
John Ombagi
 
Installing Ubuntu
Installing UbuntuInstalling Ubuntu
Installing Ubuntu
NehaAvinashDeshmukh
 
Ex200
Ex200Ex200
Ex200
teguh imanto
 
Introduction to char device driver
Introduction to char device driverIntroduction to char device driver
Introduction to char device driver
Vandana Salve
 
FIREWALL PROJECT.pptx BY SAKSHI SOLAPURE
FIREWALL PROJECT.pptx BY SAKSHI SOLAPUREFIREWALL PROJECT.pptx BY SAKSHI SOLAPURE
FIREWALL PROJECT.pptx BY SAKSHI SOLAPURE
SakshiSolapure1
 
Standardizing the tee with global platform and RISC-V
Standardizing the tee with global platform and RISC-VStandardizing the tee with global platform and RISC-V
Standardizing the tee with global platform and RISC-V
RISC-V International
 
Linux Device Driver’s
Linux Device Driver’sLinux Device Driver’s
Linux Device Driver’s
Rashmi Warghade
 

Recommended

FreeRTOS
FreeRTOSFreeRTOS
FreeRTOS
Jean-Victor Famy
 
Windows internals Essentials
Windows internals EssentialsWindows internals Essentials
Windows internals Essentials
John Ombagi
 
Installing Ubuntu
Installing UbuntuInstalling Ubuntu
Installing Ubuntu
NehaAvinashDeshmukh
 
Ex200
Ex200Ex200
Ex200
teguh imanto
 
Introduction to char device driver
Introduction to char device driverIntroduction to char device driver
Introduction to char device driver
Vandana Salve
 
FIREWALL PROJECT.pptx BY SAKSHI SOLAPURE
FIREWALL PROJECT.pptx BY SAKSHI SOLAPUREFIREWALL PROJECT.pptx BY SAKSHI SOLAPURE
FIREWALL PROJECT.pptx BY SAKSHI SOLAPURE
SakshiSolapure1
 
Standardizing the tee with global platform and RISC-V
Standardizing the tee with global platform and RISC-VStandardizing the tee with global platform and RISC-V
Standardizing the tee with global platform and RISC-V
RISC-V International
 
Linux Device Driver’s
Linux Device Driver’sLinux Device Driver’s
Linux Device Driver’s
Rashmi Warghade
 
Enrutamiento Stack Doble
Enrutamiento Stack DobleEnrutamiento Stack Doble
Enrutamiento Stack Doble
bramstoker
 
Linux Kernel Init Process
Linux Kernel Init ProcessLinux Kernel Init Process
Linux Kernel Init Process
Kernel TLV
 
JMI Techtalk: 한재근 - How to use GPU for developing AI
JMI Techtalk: 한재근 - How to use GPU for developing AIJMI Techtalk: 한재근 - How to use GPU for developing AI
JMI Techtalk: 한재근 - How to use GPU for developing AI
Lablup Inc.
 
DDOS Attack
DDOS Attack DDOS Attack
DDOS Attack
Ahmed Salama
 
Unmasking the Dark Art of Vectored Exception Handling: Bypassing XDR and EDR ...
Unmasking the Dark Art of Vectored Exception Handling: Bypassing XDR and EDR ...Unmasking the Dark Art of Vectored Exception Handling: Bypassing XDR and EDR ...
Unmasking the Dark Art of Vectored Exception Handling: Bypassing XDR and EDR ...Donato Onofri
 
The Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secureThe Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secure
Kaspersky
 
How to hack wireless internet connections using aircrack-ng
How to hack wireless internet connections using aircrack-ngHow to hack wireless internet connections using aircrack-ng
How to hack wireless internet connections using aircrack-ng
Open Knowledge Nepal
 
PE File Format
PE File FormatPE File Format
PE File Format
n|u - The Open Security Community
 
Why xen slides
Why xen slidesWhy xen slides
Why xen slidesThe Linux Foundation
 
Wireless Attacks
Wireless AttacksWireless Attacks
Wireless Attacks
primeteacher32
 
Introduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksIntroduction to Windows Dictionary Attacks
Introduction to Windows Dictionary Attacks
Scott Sutherland
 
Network intrusion detection system and analysis
Network intrusion detection system and analysisNetwork intrusion detection system and analysis
Network intrusion detection system and analysisBikrant Gautam
 
NodeMCU 0.9 Manual using Arduino IDE
NodeMCU 0.9 Manual using Arduino IDENodeMCU 0.9 Manual using Arduino IDE
NodeMCU 0.9 Manual using Arduino IDE
Subhadra Sundar Chakraborty
 
Process Scheduler and Balancer in Linux Kernel
Process Scheduler and Balancer in Linux KernelProcess Scheduler and Balancer in Linux Kernel
Process Scheduler and Balancer in Linux Kernel
Haifeng Li
 
Webinaire : sécurité informatique sur le web - Jérôme Thémée
Webinaire : sécurité informatique sur le web - Jérôme ThéméeWebinaire : sécurité informatique sur le web - Jérôme Thémée
Webinaire : sécurité informatique sur le web - Jérôme Thémée
Marie Tapia
 
Android graphic system (SurfaceFlinger) : Design Pattern's perspective
Android graphic system (SurfaceFlinger) : Design Pattern's perspectiveAndroid graphic system (SurfaceFlinger) : Design Pattern's perspective
Android graphic system (SurfaceFlinger) : Design Pattern's perspective
Bin Chen
 
Red Hat Certified Engineer (RHCE) EX294 Exam Questions
Red Hat Certified Engineer (RHCE) EX294 Exam QuestionsRed Hat Certified Engineer (RHCE) EX294 Exam Questions
Red Hat Certified Engineer (RHCE) EX294 Exam Questions
Study Material
 
Ataque DNS spoofing con Kali Linux
Ataque DNS spoofing con Kali LinuxAtaque DNS spoofing con Kali Linux
Ataque DNS spoofing con Kali Linux
Carlos Otero
 
HACKING
HACKINGHACKING
HACKING
D's Surti
 
EMBA - From Firmware to Exploit - BHEU22
EMBA - From Firmware to Exploit - BHEU22EMBA - From Firmware to Exploit - BHEU22
EMBA - From Firmware to Exploit - BHEU22
MichaelM85042
 
Media Files : Android's New Nightmare
Media Files : Android's New NightmareMedia Files : Android's New Nightmare
Media Files : Android's New Nightmare
Oguzhan Topgul
 
Farewell, Stagefright bugs!
Farewell, Stagefright bugs!Farewell, Stagefright bugs!
Farewell, Stagefright bugs!
Tsukasa Oi
 

More Related Content

What's hot

Enrutamiento Stack Doble
Enrutamiento Stack DobleEnrutamiento Stack Doble
Enrutamiento Stack Doble
bramstoker
 
Linux Kernel Init Process
Linux Kernel Init ProcessLinux Kernel Init Process
Linux Kernel Init Process
Kernel TLV
 
JMI Techtalk: 한재근 - How to use GPU for developing AI
JMI Techtalk: 한재근 - How to use GPU for developing AIJMI Techtalk: 한재근 - How to use GPU for developing AI
JMI Techtalk: 한재근 - How to use GPU for developing AI
Lablup Inc.
 
DDOS Attack
DDOS Attack DDOS Attack
DDOS Attack
Ahmed Salama
 
Unmasking the Dark Art of Vectored Exception Handling: Bypassing XDR and EDR ...
Unmasking the Dark Art of Vectored Exception Handling: Bypassing XDR and EDR ...Unmasking the Dark Art of Vectored Exception Handling: Bypassing XDR and EDR ...
Unmasking the Dark Art of Vectored Exception Handling: Bypassing XDR and EDR ...Donato Onofri
 
The Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secureThe Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secure
Kaspersky
 
How to hack wireless internet connections using aircrack-ng
How to hack wireless internet connections using aircrack-ngHow to hack wireless internet connections using aircrack-ng
How to hack wireless internet connections using aircrack-ng
Open Knowledge Nepal
 
PE File Format
PE File FormatPE File Format
PE File Format
n|u - The Open Security Community
 
Wireless Attacks
Wireless AttacksWireless Attacks
Wireless Attacks
primeteacher32
 
Introduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksIntroduction to Windows Dictionary Attacks
Introduction to Windows Dictionary Attacks
Scott Sutherland
 
Network intrusion detection system and analysis
Network intrusion detection system and analysisNetwork intrusion detection system and analysis
Network intrusion detection system and analysisBikrant Gautam
 
NodeMCU 0.9 Manual using Arduino IDE
NodeMCU 0.9 Manual using Arduino IDENodeMCU 0.9 Manual using Arduino IDE
NodeMCU 0.9 Manual using Arduino IDE
Subhadra Sundar Chakraborty
 
Process Scheduler and Balancer in Linux Kernel
Process Scheduler and Balancer in Linux KernelProcess Scheduler and Balancer in Linux Kernel
Process Scheduler and Balancer in Linux Kernel
Haifeng Li
 
Webinaire : sécurité informatique sur le web - Jérôme Thémée
Webinaire : sécurité informatique sur le web - Jérôme ThéméeWebinaire : sécurité informatique sur le web - Jérôme Thémée
Webinaire : sécurité informatique sur le web - Jérôme Thémée
Marie Tapia
 
Android graphic system (SurfaceFlinger) : Design Pattern's perspective
Android graphic system (SurfaceFlinger) : Design Pattern's perspectiveAndroid graphic system (SurfaceFlinger) : Design Pattern's perspective
Android graphic system (SurfaceFlinger) : Design Pattern's perspective
Bin Chen
 
Red Hat Certified Engineer (RHCE) EX294 Exam Questions
Red Hat Certified Engineer (RHCE) EX294 Exam QuestionsRed Hat Certified Engineer (RHCE) EX294 Exam Questions
Red Hat Certified Engineer (RHCE) EX294 Exam Questions
Study Material
 
Ataque DNS spoofing con Kali Linux
Ataque DNS spoofing con Kali LinuxAtaque DNS spoofing con Kali Linux
Ataque DNS spoofing con Kali Linux
Carlos Otero
 
HACKING
HACKINGHACKING
HACKING
D's Surti
 
EMBA - From Firmware to Exploit - BHEU22
EMBA - From Firmware to Exploit - BHEU22EMBA - From Firmware to Exploit - BHEU22
EMBA - From Firmware to Exploit - BHEU22
MichaelM85042
 

What's hot (20)

Enrutamiento Stack Doble
Enrutamiento Stack DobleEnrutamiento Stack Doble
Enrutamiento Stack Doble
 
Linux Kernel Init Process
Linux Kernel Init ProcessLinux Kernel Init Process
Linux Kernel Init Process
 
JMI Techtalk: 한재근 - How to use GPU for developing AI
JMI Techtalk: 한재근 - How to use GPU for developing AIJMI Techtalk: 한재근 - How to use GPU for developing AI
JMI Techtalk: 한재근 - How to use GPU for developing AI
 
DDOS Attack
DDOS Attack DDOS Attack
DDOS Attack
 
Unmasking the Dark Art of Vectored Exception Handling: Bypassing XDR and EDR ...
Unmasking the Dark Art of Vectored Exception Handling: Bypassing XDR and EDR ...Unmasking the Dark Art of Vectored Exception Handling: Bypassing XDR and EDR ...
Unmasking the Dark Art of Vectored Exception Handling: Bypassing XDR and EDR ...
 
The Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secureThe Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secure
 
How to hack wireless internet connections using aircrack-ng
How to hack wireless internet connections using aircrack-ngHow to hack wireless internet connections using aircrack-ng
How to hack wireless internet connections using aircrack-ng
 
PE File Format
PE File FormatPE File Format
PE File Format
 
Why xen slides
Why xen slidesWhy xen slides
Why xen slides
 
Wireless Attacks
Wireless AttacksWireless Attacks
Wireless Attacks
 
Introduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksIntroduction to Windows Dictionary Attacks
Introduction to Windows Dictionary Attacks
 
Network intrusion detection system and analysis
Network intrusion detection system and analysisNetwork intrusion detection system and analysis
Network intrusion detection system and analysis
 
NodeMCU 0.9 Manual using Arduino IDE
NodeMCU 0.9 Manual using Arduino IDENodeMCU 0.9 Manual using Arduino IDE
NodeMCU 0.9 Manual using Arduino IDE
 
Process Scheduler and Balancer in Linux Kernel
Process Scheduler and Balancer in Linux KernelProcess Scheduler and Balancer in Linux Kernel
Process Scheduler and Balancer in Linux Kernel
 
Webinaire : sécurité informatique sur le web - Jérôme Thémée
Webinaire : sécurité informatique sur le web - Jérôme ThéméeWebinaire : sécurité informatique sur le web - Jérôme Thémée
Webinaire : sécurité informatique sur le web - Jérôme Thémée
 
Android graphic system (SurfaceFlinger) : Design Pattern's perspective
Android graphic system (SurfaceFlinger) : Design Pattern's perspectiveAndroid graphic system (SurfaceFlinger) : Design Pattern's perspective
Android graphic system (SurfaceFlinger) : Design Pattern's perspective
 
Red Hat Certified Engineer (RHCE) EX294 Exam Questions
Red Hat Certified Engineer (RHCE) EX294 Exam QuestionsRed Hat Certified Engineer (RHCE) EX294 Exam Questions
Red Hat Certified Engineer (RHCE) EX294 Exam Questions
 
Ataque DNS spoofing con Kali Linux
Ataque DNS spoofing con Kali LinuxAtaque DNS spoofing con Kali Linux
Ataque DNS spoofing con Kali Linux
 
HACKING
HACKINGHACKING
HACKING
 
EMBA - From Firmware to Exploit - BHEU22
EMBA - From Firmware to Exploit - BHEU22EMBA - From Firmware to Exploit - BHEU22
EMBA - From Firmware to Exploit - BHEU22
 

Viewers also liked

Media Files : Android's New Nightmare
Media Files : Android's New NightmareMedia Files : Android's New Nightmare
Media Files : Android's New Nightmare
Oguzhan Topgul
 
Farewell, Stagefright bugs!
Farewell, Stagefright bugs!Farewell, Stagefright bugs!
Farewell, Stagefright bugs!
Tsukasa Oi
 
Building an Android Scale Incident Response Process
Building an Android Scale Incident Response ProcessBuilding an Android Scale Incident Response Process
Building an Android Scale Incident Response Process
Priyanka Aash
 
A slightly deeper dive into Stagefright
A slightly deeper dive into StagefrightA slightly deeper dive into Stagefright
A slightly deeper dive into StagefrightAlexy Joseph
 
Fuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidFuzzing the Media Framework in Android
Fuzzing the Media Framework in Android
E Hacking
 
h@kin9 & vulnerability assessment in android
h@kin9 & vulnerability assessment in androidh@kin9 & vulnerability assessment in android
h@kin9 & vulnerability assessment in android
jaswanth chodavarapu
 
Androidin Yeni Kabusu: Medya Dosyalari (Media Files: Android's New Nightmare)
Androidin Yeni Kabusu: Medya Dosyalari (Media Files: Android's New Nightmare)Androidin Yeni Kabusu: Medya Dosyalari (Media Files: Android's New Nightmare)
Androidin Yeni Kabusu: Medya Dosyalari (Media Files: Android's New Nightmare)
Oguzhan Topgul
 
Art of public speaking
Art of public speakingArt of public speaking
Art of public speaking
Imprint Training Center
 
iOS'da Zararlı Yazılım Yok (mu?)
iOS'da Zararlı Yazılım Yok (mu?)iOS'da Zararlı Yazılım Yok (mu?)
iOS'da Zararlı Yazılım Yok (mu?)
Oguzhan Topgul
 
MediaPlayer Playing Flow
MediaPlayer Playing FlowMediaPlayer Playing Flow
MediaPlayer Playing Flow
Javid Hsu
 
The Art of defence: How vulnerabilites help shape security features and mitig...
The Art of defence: How vulnerabilites help shape security features and mitig...The Art of defence: How vulnerabilites help shape security features and mitig...
The Art of defence: How vulnerabilites help shape security features and mitig...
Priyanka Aash
 
Design Document Final for HELP application
Design Document Final for HELP applicationDesign Document Final for HELP application
Design Document Final for HELP applicationMamoon Ismail Khalid
 
Stagefright
StagefrightStagefright
Stagefright
Imprint Training Center
 
There is No Server: Immutable Infrastructure and Serverless Architecture
There is No Server: Immutable Infrastructure and Serverless ArchitectureThere is No Server: Immutable Infrastructure and Serverless Architecture
There is No Server: Immutable Infrastructure and Serverless Architecture
Sonatype
 
Mobile device security
Mobile device securityMobile device security
Mobile device security
Lisa Herrera
 
08 android multimedia_framework_overview
08 android multimedia_framework_overview08 android multimedia_framework_overview
08 android multimedia_framework_overview
Arjun Reddy
 
Symantec Mobile Security Whitepaper June 2011
Symantec Mobile Security Whitepaper June 2011Symantec Mobile Security Whitepaper June 2011
Symantec Mobile Security Whitepaper June 2011
Symantec
 
Layer architecture of ios (1)
Layer architecture of ios (1)Layer architecture of ios (1)
Layer architecture of ios (1)
dwipalp
 
Android's Multimedia Framework
Android's Multimedia FrameworkAndroid's Multimedia Framework
Android's Multimedia Framework
Opersys inc.
 

Viewers also liked (20)

Media Files : Android's New Nightmare
Media Files : Android's New NightmareMedia Files : Android's New Nightmare
Media Files : Android's New Nightmare
 
Farewell, Stagefright bugs!
Farewell, Stagefright bugs!Farewell, Stagefright bugs!
Farewell, Stagefright bugs!
 
Building an Android Scale Incident Response Process
Building an Android Scale Incident Response ProcessBuilding an Android Scale Incident Response Process
Building an Android Scale Incident Response Process
 
A slightly deeper dive into Stagefright
A slightly deeper dive into StagefrightA slightly deeper dive into Stagefright
A slightly deeper dive into Stagefright
 
Fuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidFuzzing the Media Framework in Android
Fuzzing the Media Framework in Android
 
h@kin9 & vulnerability assessment in android
h@kin9 & vulnerability assessment in androidh@kin9 & vulnerability assessment in android
h@kin9 & vulnerability assessment in android
 
Androidin Yeni Kabusu: Medya Dosyalari (Media Files: Android's New Nightmare)
Androidin Yeni Kabusu: Medya Dosyalari (Media Files: Android's New Nightmare)Androidin Yeni Kabusu: Medya Dosyalari (Media Files: Android's New Nightmare)
Androidin Yeni Kabusu: Medya Dosyalari (Media Files: Android's New Nightmare)
 
Art of public speaking
Art of public speakingArt of public speaking
Art of public speaking
 
iOS'da Zararlı Yazılım Yok (mu?)
iOS'da Zararlı Yazılım Yok (mu?)iOS'da Zararlı Yazılım Yok (mu?)
iOS'da Zararlı Yazılım Yok (mu?)
 
MediaPlayer Playing Flow
MediaPlayer Playing FlowMediaPlayer Playing Flow
MediaPlayer Playing Flow
 
The Art of defence: How vulnerabilites help shape security features and mitig...
The Art of defence: How vulnerabilites help shape security features and mitig...The Art of defence: How vulnerabilites help shape security features and mitig...
The Art of defence: How vulnerabilites help shape security features and mitig...
 
Design Document Final for HELP application
Design Document Final for HELP applicationDesign Document Final for HELP application
Design Document Final for HELP application
 
Stagefright
StagefrightStagefright
Stagefright
 
There is No Server: Immutable Infrastructure and Serverless Architecture
There is No Server: Immutable Infrastructure and Serverless ArchitectureThere is No Server: Immutable Infrastructure and Serverless Architecture
There is No Server: Immutable Infrastructure and Serverless Architecture
 
Mobile device security
Mobile device securityMobile device security
Mobile device security
 
Video Streaming
Video StreamingVideo Streaming
Video Streaming
 
08 android multimedia_framework_overview
08 android multimedia_framework_overview08 android multimedia_framework_overview
08 android multimedia_framework_overview
 
Symantec Mobile Security Whitepaper June 2011
Symantec Mobile Security Whitepaper June 2011Symantec Mobile Security Whitepaper June 2011
Symantec Mobile Security Whitepaper June 2011
 
Layer architecture of ios (1)
Layer architecture of ios (1)Layer architecture of ios (1)
Layer architecture of ios (1)
 
Android's Multimedia Framework
Android's Multimedia FrameworkAndroid's Multimedia Framework
Android's Multimedia Framework
 

Similar to Stagefright (1)

Reversing and Decrypting the Communications of APT Malware (Etumbot)
Reversing and Decrypting the Communications of APT Malware (Etumbot)Reversing and Decrypting the Communications of APT Malware (Etumbot)
Reversing and Decrypting the Communications of APT Malware (Etumbot)
securityxploded
 
When developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiWhen developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiSTO STRATEGY
 
Cyber Security and Ethical hacking 16
Cyber Security and Ethical hacking 16Cyber Security and Ethical hacking 16
Cyber Security and Ethical hacking 16
Mehedi Hasan
 
pentest mobile app issue
pentest mobile app issuepentest mobile app issue
pentest mobile app issueshekar M
 
Reversing and decrypting communications of apt malware
Reversing and decrypting communications of apt malwareReversing and decrypting communications of apt malware
Reversing and decrypting communications of apt malware
Cysinfo Cyber Security Community
 
Cyber_Security_Seminar_PPTs_to Upload.pptx
Cyber_Security_Seminar_PPTs_to Upload.pptxCyber_Security_Seminar_PPTs_to Upload.pptx
Cyber_Security_Seminar_PPTs_to Upload.pptx
DrMajidMumtaz
 
Honeycon2016-honeypot updates for public
Honeycon2016-honeypot updates for publicHoneycon2016-honeypot updates for public
Honeycon2016-honeypot updates for public
Julia Yu-Chin Cheng
 
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx
Lab-10 Malware Creation and Denial of Service (DoS) In t.docxLab-10 Malware Creation and Denial of Service (DoS) In t.docx
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx
pauline234567
 
Kali linux and hacking
Kali linux and hackingKali linux and hacking
Kali linux and hacking
AbdullahDanish8
 
Network and Internet Security.docx
Network and Internet Security.docxNetwork and Internet Security.docx
Network and Internet Security.docx
stirlingvwriters
 
Reverse engineering malware
Reverse engineering malwareReverse engineering malware
Reverse engineering malware
Cysinfo Cyber Security Community
 
Is NetTraveler APT managed by PLA Military Camp in Lanzhou [China] ???.
Is NetTraveler APT managed by PLA Military Camp in Lanzhou [China] ???.Is NetTraveler APT managed by PLA Military Camp in Lanzhou [China] ???.
Is NetTraveler APT managed by PLA Military Camp in Lanzhou [China] ???.
Rahul Sasi
 
Security & ethical hacking p2
Security & ethical hacking p2Security & ethical hacking p2
Security & ethical hacking p2
ratnalajaggu
 
Android malware presentation
Android malware presentationAndroid malware presentation
Android malware presentation
Sandeep Joshi
 
Spyware triggering system by particular string value
Spyware triggering system by particular string valueSpyware triggering system by particular string value
Spyware triggering system by particular string value
IJERD Editor
 
WhatsApp Chat Hacking/Stealing POC
WhatsApp Chat Hacking/Stealing POCWhatsApp Chat Hacking/Stealing POC
WhatsApp Chat Hacking/Stealing POC
E Hacking
 
Ransomeware : A High Profile Attack
Ransomeware : A High Profile AttackRansomeware : A High Profile Attack
Ransomeware : A High Profile Attack
IRJET Journal
 
Security & ethical hacking
Security & ethical hackingSecurity & ethical hacking
Security & ethical hackingAmanpreet Singh
 
Hacking tutorial
Hacking tutorialHacking tutorial
Hacking tutorial
MSA Technosoft
 

Similar to Stagefright (1) (20)

Reversing and Decrypting the Communications of APT Malware (Etumbot)
Reversing and Decrypting the Communications of APT Malware (Etumbot)Reversing and Decrypting the Communications of APT Malware (Etumbot)
Reversing and Decrypting the Communications of APT Malware (Etumbot)
 
When developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiWhen developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part ii
 
Cyber Security and Ethical hacking 16
Cyber Security and Ethical hacking 16Cyber Security and Ethical hacking 16
Cyber Security and Ethical hacking 16
 
pentest mobile app issue
pentest mobile app issuepentest mobile app issue
pentest mobile app issue
 
Reversing and decrypting communications of apt malware
Reversing and decrypting communications of apt malwareReversing and decrypting communications of apt malware
Reversing and decrypting communications of apt malware
 
Cyber_Security_Seminar_PPTs_to Upload.pptx
Cyber_Security_Seminar_PPTs_to Upload.pptxCyber_Security_Seminar_PPTs_to Upload.pptx
Cyber_Security_Seminar_PPTs_to Upload.pptx
 
Honeycon2016-honeypot updates for public
Honeycon2016-honeypot updates for publicHoneycon2016-honeypot updates for public
Honeycon2016-honeypot updates for public
 
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx
Lab-10 Malware Creation and Denial of Service (DoS) In t.docxLab-10 Malware Creation and Denial of Service (DoS) In t.docx
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx
 
Kali linux and hacking
Kali linux and hackingKali linux and hacking
Kali linux and hacking
 
Network and Internet Security.docx
Network and Internet Security.docxNetwork and Internet Security.docx
Network and Internet Security.docx
 
Reverse engineering malware
Reverse engineering malwareReverse engineering malware
Reverse engineering malware
 
Unveiling-Patchwork
Unveiling-PatchworkUnveiling-Patchwork
Unveiling-Patchwork
 
Is NetTraveler APT managed by PLA Military Camp in Lanzhou [China] ???.
Is NetTraveler APT managed by PLA Military Camp in Lanzhou [China] ???.Is NetTraveler APT managed by PLA Military Camp in Lanzhou [China] ???.
Is NetTraveler APT managed by PLA Military Camp in Lanzhou [China] ???.
 
Security & ethical hacking p2
Security & ethical hacking p2Security & ethical hacking p2
Security & ethical hacking p2
 
Android malware presentation
Android malware presentationAndroid malware presentation
Android malware presentation
 
Spyware triggering system by particular string value
Spyware triggering system by particular string valueSpyware triggering system by particular string value
Spyware triggering system by particular string value
 
WhatsApp Chat Hacking/Stealing POC
WhatsApp Chat Hacking/Stealing POCWhatsApp Chat Hacking/Stealing POC
WhatsApp Chat Hacking/Stealing POC
 
Ransomeware : A High Profile Attack
Ransomeware : A High Profile AttackRansomeware : A High Profile Attack
Ransomeware : A High Profile Attack
 
Security & ethical hacking
Security & ethical hackingSecurity & ethical hacking
Security & ethical hacking
 
Hacking tutorial
Hacking tutorialHacking tutorial
Hacking tutorial
 

More from Mamoon Ismail Khalid

REMOTE SOLAR MONITORING SYSTEM - A solution to make battery life extend by 300%
REMOTE SOLAR MONITORING SYSTEM - A solution to make battery life extend by 300%REMOTE SOLAR MONITORING SYSTEM - A solution to make battery life extend by 300%
REMOTE SOLAR MONITORING SYSTEM - A solution to make battery life extend by 300%
Mamoon Ismail Khalid
 
Network Traffic Adaptable Image Codec - A solution to make streaming faster
Network Traffic Adaptable Image Codec - A solution to make streaming fasterNetwork Traffic Adaptable Image Codec - A solution to make streaming faster
Network Traffic Adaptable Image Codec - A solution to make streaming faster
Mamoon Ismail Khalid
 
Hospital Management and Inventory Control Solution for Public Hospitals in De...
Hospital Management and Inventory Control Solution for Public Hospitals in De...Hospital Management and Inventory Control Solution for Public Hospitals in De...
Hospital Management and Inventory Control Solution for Public Hospitals in De...
Mamoon Ismail Khalid
 
ATLAS - Product Requirement Document.pdf
ATLAS - Product Requirement Document.pdfATLAS - Product Requirement Document.pdf
ATLAS - Product Requirement Document.pdf
Mamoon Ismail Khalid
 
T(X) Innoway - Prediction Algorithm design.pdf
T(X) Innoway - Prediction Algorithm design.pdfT(X) Innoway - Prediction Algorithm design.pdf
T(X) Innoway - Prediction Algorithm design.pdf
Mamoon Ismail Khalid
 
Joint3DShapeMatching - a fast approach to 3D model matching using MatchALS 3...
Joint3DShapeMatching - a fast approach to 3D model matching using MatchALS 3...Joint3DShapeMatching - a fast approach to 3D model matching using MatchALS 3...
Joint3DShapeMatching - a fast approach to 3D model matching using MatchALS 3...
Mamoon Ismail Khalid
 
Golf Swing Analysis and Posture Correction System
Golf Swing Analysis and Posture Correction SystemGolf Swing Analysis and Posture Correction System
Golf Swing Analysis and Posture Correction System
Mamoon Ismail Khalid
 
24 ideas to revive any developing country.pdf
24 ideas to revive any developing country.pdf24 ideas to revive any developing country.pdf
24 ideas to revive any developing country.pdf
Mamoon Ismail Khalid
 
#2 - Smart Bins - Returnable Plastic Ecosystem.pdf
#2 - Smart Bins - Returnable Plastic Ecosystem.pdf#2 - Smart Bins - Returnable Plastic Ecosystem.pdf
#2 - Smart Bins - Returnable Plastic Ecosystem.pdf
Mamoon Ismail Khalid
 
PyTorch to detect Humans Eating Food.pdf
PyTorch to detect Humans Eating Food.pdfPyTorch to detect Humans Eating Food.pdf
PyTorch to detect Humans Eating Food.pdf
Mamoon Ismail Khalid
 
Future of agriculture agriculture - technology is a necessity in 2020 and beyond
Future of agriculture agriculture - technology is a necessity in 2020 and beyondFuture of agriculture agriculture - technology is a necessity in 2020 and beyond
Future of agriculture agriculture - technology is a necessity in 2020 and beyond
Mamoon Ismail Khalid
 
Nano mos25
Nano mos25Nano mos25
Nano mos25
Mamoon Ismail Khalid
 
Real estate in blockchain (2)
Real estate in blockchain (2)Real estate in blockchain (2)
Real estate in blockchain (2)
Mamoon Ismail Khalid
 
Cohort analysis saa s (1)
Cohort analysis saa s (1)Cohort analysis saa s (1)
Cohort analysis saa s (1)
Mamoon Ismail Khalid
 
ISA backed technology skills platform
ISA backed technology skills platformISA backed technology skills platform
ISA backed technology skills platform
Mamoon Ismail Khalid
 
Start up valuation methods
Start up valuation methodsStart up valuation methods
Start up valuation methods
Mamoon Ismail Khalid
 
Analysis mvp factory
Analysis mvp factoryAnalysis mvp factory
Analysis mvp factory
Mamoon Ismail Khalid
 
Detect Negative and Positive sentiment in user reviews using python word2vec ...
Detect Negative and Positive sentiment in user reviews using python word2vec ...Detect Negative and Positive sentiment in user reviews using python word2vec ...
Detect Negative and Positive sentiment in user reviews using python word2vec ...
Mamoon Ismail Khalid
 
Detect spam comments youtube videos and app store reviews
Detect spam comments youtube videos and app store reviewsDetect spam comments youtube videos and app store reviews
Detect spam comments youtube videos and app store reviews
Mamoon Ismail Khalid
 
Start Up deal/interaction management workflow
Start Up deal/interaction management workflowStart Up deal/interaction management workflow
Start Up deal/interaction management workflow
Mamoon Ismail Khalid
 

More from Mamoon Ismail Khalid (20)

REMOTE SOLAR MONITORING SYSTEM - A solution to make battery life extend by 300%
REMOTE SOLAR MONITORING SYSTEM - A solution to make battery life extend by 300%REMOTE SOLAR MONITORING SYSTEM - A solution to make battery life extend by 300%
REMOTE SOLAR MONITORING SYSTEM - A solution to make battery life extend by 300%
 
Network Traffic Adaptable Image Codec - A solution to make streaming faster
Network Traffic Adaptable Image Codec - A solution to make streaming fasterNetwork Traffic Adaptable Image Codec - A solution to make streaming faster
Network Traffic Adaptable Image Codec - A solution to make streaming faster
 
Hospital Management and Inventory Control Solution for Public Hospitals in De...
Hospital Management and Inventory Control Solution for Public Hospitals in De...Hospital Management and Inventory Control Solution for Public Hospitals in De...
Hospital Management and Inventory Control Solution for Public Hospitals in De...
 
ATLAS - Product Requirement Document.pdf
ATLAS - Product Requirement Document.pdfATLAS - Product Requirement Document.pdf
ATLAS - Product Requirement Document.pdf
 
T(X) Innoway - Prediction Algorithm design.pdf
T(X) Innoway - Prediction Algorithm design.pdfT(X) Innoway - Prediction Algorithm design.pdf
T(X) Innoway - Prediction Algorithm design.pdf
 
Joint3DShapeMatching - a fast approach to 3D model matching using MatchALS 3...
Joint3DShapeMatching - a fast approach to 3D model matching using MatchALS 3...Joint3DShapeMatching - a fast approach to 3D model matching using MatchALS 3...
Joint3DShapeMatching - a fast approach to 3D model matching using MatchALS 3...
 
Golf Swing Analysis and Posture Correction System
Golf Swing Analysis and Posture Correction SystemGolf Swing Analysis and Posture Correction System
Golf Swing Analysis and Posture Correction System
 
24 ideas to revive any developing country.pdf
24 ideas to revive any developing country.pdf24 ideas to revive any developing country.pdf
24 ideas to revive any developing country.pdf
 
#2 - Smart Bins - Returnable Plastic Ecosystem.pdf
#2 - Smart Bins - Returnable Plastic Ecosystem.pdf#2 - Smart Bins - Returnable Plastic Ecosystem.pdf
#2 - Smart Bins - Returnable Plastic Ecosystem.pdf
 
PyTorch to detect Humans Eating Food.pdf
PyTorch to detect Humans Eating Food.pdfPyTorch to detect Humans Eating Food.pdf
PyTorch to detect Humans Eating Food.pdf
 
Future of agriculture agriculture - technology is a necessity in 2020 and beyond
Future of agriculture agriculture - technology is a necessity in 2020 and beyondFuture of agriculture agriculture - technology is a necessity in 2020 and beyond
Future of agriculture agriculture - technology is a necessity in 2020 and beyond
 
Nano mos25
Nano mos25Nano mos25
Nano mos25
 
Real estate in blockchain (2)
Real estate in blockchain (2)Real estate in blockchain (2)
Real estate in blockchain (2)
 
Cohort analysis saa s (1)
Cohort analysis saa s (1)Cohort analysis saa s (1)
Cohort analysis saa s (1)
 
ISA backed technology skills platform
ISA backed technology skills platformISA backed technology skills platform
ISA backed technology skills platform
 
Start up valuation methods
Start up valuation methodsStart up valuation methods
Start up valuation methods
 
Analysis mvp factory
Analysis mvp factoryAnalysis mvp factory
Analysis mvp factory
 
Detect Negative and Positive sentiment in user reviews using python word2vec ...
Detect Negative and Positive sentiment in user reviews using python word2vec ...Detect Negative and Positive sentiment in user reviews using python word2vec ...
Detect Negative and Positive sentiment in user reviews using python word2vec ...
 
Detect spam comments youtube videos and app store reviews
Detect spam comments youtube videos and app store reviewsDetect spam comments youtube videos and app store reviews
Detect spam comments youtube videos and app store reviews
 
Start Up deal/interaction management workflow
Start Up deal/interaction management workflowStart Up deal/interaction management workflow
Start Up deal/interaction management workflow
 

Stagefright (1)

  • 2. Android is very modular operating system. Everything run in separate processes. There are lots of inter-process communications. Android implementts concept of "Sandbox" - modified scheme based on Linux users and groups . The security hole is in android's core media handling library - libstagefright . libstagefright executes inside "MEDIA SERVER" . Android Architecture OVERVIEW
  • 3. The Stagefright vulnerability was first identified by security copmany Zimperium in July 2015. The exploit is able to execute remote code on Android devices and possibly affected upward of 95% of android devices. Stagefright itself is a software library (libstagefright), written in C++, that's built inside the the Android operating system. The analysis says it is susceptible to memory corruption and when a MMS message containing a video was sent to the device it could, if composed in the correct way, activate malicious code inside the device. The exploit is so dangeorus that it can compromise victim's phone without any action being taken from victim -Just by sending a plane MMS. MMSauto retrieves makes it really easy to exploit android phones. So, who has your phone number? Google has released a patch to the bug now. But new development in form of another exploit based on libstagefright has surfaced, known as metaphor. STAGEFRIGHT EXPLAINED
  • 4. The mediaserver process runs in the background. It's a native service that's started at boot from /init.rc: As such, the process automatically restarts when it crashes. PROCESS ARCHITECTURE Process Privileges (Nexus 5) The last part of the service definition in /init.rc shows the privileges that the service runs with: This service is highly privileged. Normal android apps cannot request/receive permissions like audio, camera, drmrpc, and mediadrm. Below set of access to media server - can give almost unlimited access. - inet: can create AF_INET and AF_INET6 sockets (attacker can use this to connect to any hosts on internert) - net_bt and net_bt_admin: Attacker can access and configure bluetooth on victim device. camera: An attacker can leverage this to control victims camera devices(front and back cam) - audio : An attacker can leverage this to record, playback and monitor audio.
  • 5. An attacker can also control storage on victims phone, can reboot adb and get shell access. An attacker can also monitor system server. The MPEG-4 File Format: To understand stagefright vulnerability(CVE-2015-1538) , It will be good to understand structure of an MP4 file. Is a collection of TLV (Type-Length-Value) chunks. This encoding method means there?s a value called ?type?specifying the chunk type, a ?length?value of the data length and a ?chunk?value of the data itself. For MPEG-4, the encoding ?length?is first, then comes ?type?and in the end ?value?. The following pseudo-Cdescribes the MPEG-4 chunk format: When length is 0, data reaches to end of the file. The atom field is a short string ( also called FourCC) which describes the type of chunk. MPEG-4 chunk which have more information than 2^32 bytes have different structure compared to above TLV. w
  • 6. So how does this all happen? AwesomePlayer.cpp is a program written in C++, which processes when the media file is played in victims phone. Let's jump into code where the bug effects. It calls setDataSource_l( sp<MediaExtractor>). setDataSource_l : It will call MPEG4Extractor::countTracks: Above code, calls readMetaData : Above code, calls MPEG4Extractor, lets look into that.
  • 7. This is where the attack takes place - when the mp4 file is parsed. The code from MPEG4Extactor.cpp - will collect all chunks and appends them into one singular buffer. The problem here is that there is no check on size and chunk_size (they are unchecked). The attacker in stagefright exploits an interger overflow. Above code snippet, the output in size bytes from data will be written to buffer irrespective of the actual allocated size of buffer. When heap is carefully shaped, the exploitation can be done very easily. In this project, we will be using exploit from exploit-db from Joshua drake of Zimperium labs. Joshua was first to reveal stagefright vulnerability.
  • 8. CVE-2015-1538 It's a python program exploit, which does the integer overflow and makes a heap overflow. The python exploit will generate a malicious mp4 file, with chunks, size which will make mediaplayer crash and it will reboot again as root. The mp4 file payload also has Attacker's IP address and port on which it will listen on reverse TCPconnection. Define arguments, so as host for back connection and port number can be defined. This will be used to establish a reverse_tcp connection from victims phone to attacker machine. This exploit can also be found on Joshua's Github.
  • 9. Attacker's Machine: We have used Kali linux as attacker machine, due to its flexibility in suing metasploit to manage reverse TCPfrom victim's phone. DEVICES USED Victim phone: We have used one emulated android device on virtual box and one real android device. We have used two devices as victim. a) Emulated Android device on virtualbox: Android 4.3 b) Real android phone: (not updated to 5.1)
  • 10. We have used Stagefright detector app on our machine to see if it is vulnerable to stagefright CVE-2015-1538 and the app shows that it's vulnerable.
  • 11. So, how to leverage the exploit CVE-2015-1538 to generate the mp4 file. - Set up attacker machine b) generate malicious mp4 file - Start a listener (reverse_tcp) on attacker machine - Send the file using attack vectors. - Keep playing after attacker has got the connection. STEP 1- Set up attacker machine: Check IP address of attacker machine: We have used Kali Linux as attacker machine to compromise victim android phone. THE ACTUAL ATTACK Kali linux : 192.168.1.245 | Port to listen : 4444 STEP 2- Generate malicious mp4 file eight:The generated MP4 file can be seen in below screen shot - funny.mp4 a
  • 12. STEP 3- Start a listener on attacker machine: There are many alternatives to use be it netcat or metasploit. In this project we have used metasploit to to listen on to reverse tcp and perform numerous operations. Metasploit gives lt more functionality in contrast to other utilities, we can get a meterpreter session and perform numerous tasks from accessing cameras, to mic, to get shell access, list process etc. Let's choose the exploit which we are going to use. Here we are just using handler which can receive a connection back from victim phone. Setting up a reverse_tcp payload, to receive back connection. Now the configuration needs to be defined. such as LHOST,LPORT(attacker's IPand port to listen on. After the configuration is set, we need to trigger the listener by using exploit keyword. After being triggered, it will wait for any back connection coming from victim phone to attacker machine at port 4444 which we configured in the malicious mp4 file.
  • 13. STEP 4- Send the file to victim using numerous attack vectors: In general, number of attack vector is more than 11. MMS: The most dangerous is using MMS, the media file is auto downloaded in victim's phone and parsed thereby victim phone will be compromised without victim knowing it. Web Browser: Attacker can embed malicious mp4 file in a web link, which it could send to victim. If user clicks on the link - the reverse tcp is established. Browser auto download: If browser has capability to auto download a media file. The victim's phone could be compromised. Email: Sending the malicious mp4 file as an email attachment to victim. Social networks: Chat clients such as hangouts, Whatsapp, Facebook messenger can be used to send the link. if auto download is enabled, then victim's phone is compromised. SD card: If attacker has physical access to victim's SD card, it can load mp4 file in sd card, when mounted, it will compromise victim's phone. There are many such possiblities to deliver the mp4 file to victim. The vulnerable code present in mp4 file is invoked many times in Android system. Whenever a thumbnail is rendered or metadata is needed. Rotating the screen, launching the Messaging app , opening Gallery, sharing malicious mp4/media and many more. In this project we have used, Email as attack vector. For victim device we have used - a virtual android
  • 14. The Mediaserver crashes when playing the video and restarts as root. This sends a back connection to our attacker machine, which is waiting for a connection. STEP 5- Keep playing after attacker has got the connection: After the victim has received the mp4 file and has either downloaded or auto downloaded. Our metasploit gets a back connection and opens a meterpreter session.
  • 15. Meterpreter session has been opened, we can check whatever processes are running on victim's phone. The command used is ps. Let's check ipaddress and interface details of our victim phone.
  • 16. Let's see if we can pull out system info of our victim's phone. sysinfo command in meterpreter provides us system details. An attacker can also get shell access to victim's phone: An attacker can check folders and files on android filesystem by giving ls command in shell . Check if the device is rooted. An attacker can also dump contacts from victim's phone.
  • 17. Let's look into the contacts dump file. An attacker can also control the camera. Webcam_list gives the list of camera available on the device. On our emulated device, there is only back camera configured, with no actual hardware. Let's take a picture from emulated android's camera.
  • 18. - Update the device: Update your device to latest version of released update. If the update is no t available for a specific device, Install android OSlike CyanogenMod. - Turn off auto download: Partial mitigation is to turn off auto download of media files on all file sharing apps, social media apps, MMS, Browser. This will only protect from the media file executing the remote code automatically, but there are chance is user clicks on the video/downloads the mp4 file. HANGOUT: Disable auto download of messages: - Open Hangouts - Navigate to top left corner - click on Options on the top left corner. - Tap Settings ->SMS - In General, if you have HangoutSMSEnabled then in the Advanced uncheck Auto Retrieve MMS MITIGATION
  • 19. Mamoon Ismail Khalid Computer Science Graduate Student New York University Parul Sharma Cybersecurity Graduate Student New York University Sahir Riyaz Khan Cybersecurity Graduate Student New York University AUTHORS