[Exploit + Patch] Stagefright security flaw


Phk

Senior Member
Hello XDA Community,

Zimperium has presented us yesterday with one of the most dangerous Android vulnerabilities known to date.
Fortunately, patch/diff files were also released. Kudos JDrake.
Custom ROMs should be recompiled with these fixes until proper releases from manufacturers become available.

* UPDATE 18 September *

Original Zimperium link

Patch files

PoC exploit with ASLR bypass

See if you are vulnerable using original App

List of patched devices so far

* UPDATE 22 October *

Stagefright v2.0... Includes patches for I9505 (S5) and I337M (S4)


Cheers,
pHk

Goldie

Inactive Recognized Developer
Thanks for info :)

How to use these patches to recompile a stock ROM?
I've seen you in the Samsung forums, so I'm guessing you are asking in that respect when you say stock and not stock Android. As far as I know you cannot patch libs in Samsung stock ROMs. These patch files are for compiling from source. You could try a pre-patched AOSP lib, but it's quite likely it won't work.

Sent from my SM-G920F using Tapatalk

Camacha

Senior Member
I have a ZTE V5 Max, which is currently still on 4.4.4. Someone is working on 5.1, but development is extremely slow, partly due to a completely uncooperative attitude from ZTE. Long story short, this is not going to happen soon, and might very well never happen at all (sadly). For this reason I am running CM11. The detector app says the phone is only vulnerable to CVE-2015-3829; I am not sure whether that helps.

Is there some way to patch my installation with some pre-patched or existing file? I have no experience with Android development, so bear with me: does it need to be compiled for each specific device, or is the library more multi-purpose? What about the difference between 4.4 and 5.x?

I would so very much like to be able to use my device in the future :)

Rajada

Senior Member
You will receive the MMS, but if it's a video it will probably FC or simply not open.


After the patch, the Zimperium apk shows the same result.
Is that normal?
 

cire27rn

Senior Member
Sir, it says here "cant open build.prop..." What shall I do?
 


momojuro

Senior Member
Sir, it says here "cant open build.prop..." What shall I do?
For those who can't install @Phk's patch :
Code:
media.stagefright.enable-player=false
media.stagefright.enable-http=false
media.stagefright.enable-aac=false
media.stagefright.enable-qcp=false
media.stagefright.enable-fma2dp=false
media.stagefright.enable-scan=false
mmp.enable.3g2=true
mm.enable.smoothstreaming=true
media.aac_51_output_enabled=true

You can put those lines manually into your build.prop file using a file manager with root permissions. :)

For your case, @cire27rn, check that your system partition is RW (read-write) and retry, or try my solution above!
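A small helper script, added here as an example and not part of the thread or of any posted patch: it applies the build.prop lines above idempotently (a key that is already present is rewritten in place rather than appended a second time) and takes a backup first. The file path is a parameter, so it can be tried on a copy before touching /system/build.prop on a rooted, rw-remounted device.

```shell
#!/bin/sh
# Added example, not from the thread or any posted patch: apply the
# build.prop lines posted above to a build.prop file idempotently
# (replace a key that already exists, append it otherwise), after making
# a backup. The path is a parameter, so try it on a copy first; on a
# rooted device the real file is /system/build.prop (remount rw first).
set -eu

# The properties exactly as listed in the post, one key=value per line.
STAGEFRIGHT_PROPS='media.stagefright.enable-player=false
media.stagefright.enable-http=false
media.stagefright.enable-aac=false
media.stagefright.enable-qcp=false
media.stagefright.enable-fma2dp=false
media.stagefright.enable-scan=false
mmp.enable.3g2=true
mm.enable.smoothstreaming=true
media.aac_51_output_enabled=true'

# set_prop FILE KEY VALUE: rewrite an existing KEY= line in place, else append.
set_prop() {
  file=$1; key=$2; value=$3
  # Escape '.' so the key matches literally rather than as a regex wildcard.
  esc=$(printf '%s' "$key" | sed 's/\./\\./g')
  if grep -q "^${esc}=" "$file"; then
    sed "s|^${esc}=.*|${key}=${value}|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  else
    printf '%s=%s\n' "$key" "$value" >> "$file"
  fi
}

# apply_stagefright_props FILE: back FILE up to FILE.bak, then apply every property.
apply_stagefright_props() {
  cp "$1" "$1.bak"
  printf '%s\n' "$STAGEFRIGHT_PROPS" | while IFS='=' read -r key value; do
    [ -n "$key" ] && set_prop "$1" "$key" "$value"
  done
}

# get_prop FILE KEY: print KEY's current value from FILE (empty if absent),
# so the result can be checked after the edit.
get_prop() {
  esc=$(printf '%s' "$2" | sed 's/\./\\./g')
  sed -n "s|^${esc}=||p" "$1"
}
```

After running it on the device, reboot and read the values back with `getprop` to confirm they took effect.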

Camacha

Senior Member
For those who can't install @Phk's patch :
Code:
media.stagefright.enable-player=false
media.stagefright.enable-http=false
media.stagefright.enable-aac=false
media.stagefright.enable-qcp=false
media.stagefright.enable-fma2dp=false
media.stagefright.enable-scan=false
mmp.enable.3g2=true
mm.enable.smoothstreaming=true
media.aac_51_output_enabled=true

I changed this and rebooted the phone. I can still watch and play movies with YouTube, TED, the gallery, the browser, you name it. I double-checked and made sure the build.prop file was still modified.

Is this supposed to happen?
 

edzamber

Senior Member
I changed this and rebooted the phone. I can still watch and play movies with YouTube, TED, the gallery, the browser, you name it. I double-checked and made sure the build.prop file was still modified.

Is this supposed to happen?
Check with this Stagefright Viewer

If it's like that, it's OK:

If not, the good code is this:
Code:
#system props for the cne module
#
#persist.cne.feature=1

media.stagefright.enable-player=false
media.stagefright.enable-http=false
media.stagefright.enable-aac=false
media.stagefright.enable-qcp=false
media.stagefright.enable-fma2dp=false
media.stagefright.enable-scan=false
media.stagefright.enable-record=false
media.stagefright.enable-meta=false
media.stagefright.enable-rtsp=false
mmp.enable.3g2=true
mm.enable.smoothstreaming=true
media.aac_51_output_enabled=true
ro.hdmi.enable=true
lpa.decode=false
tunnel.decode=false
tunnel.audiovideo.decode=false
lpa.use-stagefright=false
qcom.hw.aac.encoder=true
 

Camacha

Senior Member
I can still play and record video with various apps. Apparently disabling Stagefright makes little to no difference?

Also, be careful installing random .apk files from the internet :)
 

Top Liked Posts

Updates on Stagefright: get root and disable it in build.prop.

I've created and attached a simple .patch file for this :)

Cheers
Calm down, the new research team (Exodus) that discovered the new way to exploit one of the overflows has also explained things quite well.

I've done some research, and actually Google has said something that, for me, changes the game...

The Good News

There is a silver lining to the “sky is falling” news, though. According to Google, devices protected with ASLR (address space layout randomization) mitigate the issue, which makes it much more difficult for an attacker to successfully exploit Stagefright. Google claims that more than 90 percent of Android devices have ASLR enabled, which suggests that only 10 percent of the Android devices are at risk.

I don't know if you are aware of the difficulty of building an actual exploit for this, but after you have the code that triggers the overflow, you need a proper payload specific to the target OS, which jumps to the offset of the system call you need to be executed with the stack you just built after the overflow. To simplify things: if ASLR is really on 90% of the devices, this vuln is actually very, very difficult to exploit, and has nothing to do with the "propaganda" of the original Zimperium talk... I mean, instead of publicizing this as affecting all Androids, Zimperium should probably have explained that this covers devices that do not randomize the location of system libs in memory. "From 100% to 10% target scope" .. lol

Until I see the actual code contents for the infamous "exploit-mms.py" file shown in the demo, personally, I'm turning off my alarm for this vuln :)
Fix is here for Samsung devices.

Stagefright Vulnerability Fix - Lollipop

So far tested on Note 3, Note 4 and S5