Skip to navigation Skip to main content Skip to footer

A few notes on usefully exploiting libstagefright on Android 5.x

At NCC Group, a colleague and I recently spent some time trying to develop a more robust exploit for the Android libstagefright bug CVE-2015-3684. This is a bug that persisted through the patches Joshua Drake (jduck) originally provided to Google, so a few more firmware versions are vulnerable. In this white paper, I will discuss a few tricks we came up with to make the exploit a bit more robust with regards to address space spraying, dealing with SELinux sandbox restrictions, automating device identification, and staging a kernel exploit.
Unfortunately I didn’t have any breakthroughs on the ASLR bypass front, and similarly I couldn’t come up with a reliable exploit when using dlmalloc feng shui on Android 4.x devices, because the combined brute force complexity resulting from layout instability (thanks to so many noisy mediaserver threads) and no ASLR bypass makes the timing required for exploitation unrealistic. It’s possible I missed some useful approach though, so feedback is more than welcome.

Despite the noted failures, I think some of the improvements I made could be interesting to some and so are worth documenting. As is often the case, I highly recommend reading a few other blog posts before reading this post, as they provide good background information and provide details I don’t bother replicating here. Jduck’s original presentation and exploit is the best starting point; then Exodus Intelligence’s bug writeup and reports about CVE-2015-3684; the Google Project Zero blog on exploiting the bug on Android 5.x with the jemalloc heap; and the Keen Team write up on CVE-2015-3636 exploitation. I glaze over many technical details under the assumption you have first read and understood these write ups.

Also please note that I will refer to MP4 headers as either an ‘atom’, typically when referring to the actual type indicator of the header, or a ‘box header’, typically when referring to the header as a whole (both the type and length fields). This is consistent with the terminology used by the actual MP4 standard. Some sources seem to use the term chunk, which is especially confusing when you’re also talking about heaps which have their own meaning for the word chunk.

Credits

I talk about a few different exploits and bugs in this paper, and want to give credit to those that did the work on these before me. Kudos to Joshua Drake from Zimperium for originally finding the libstagefright bugs and releasing an exploit targeting 4.0.4; to Jordan Gruskovnjak from Exodus Intel for finding and explaining the hole in the libstagefright patches that led to CVE-2015-3864; to Mark Brand from Google Project Zero for releasing details on exploiting CVE-2015-3864 on Android 5.x; to Wen Xu and Yubin Fu of Keen Team for finding and exploiting CVE-2015-3636; and to fi01 for posting exploit source for CVE-2015-3636 on GitHub. If I missed anyone, please let me know and I’ll update the paper.

Download Whitepaper