Issue #1287

Stagefright vulnerability

Added by My Self over 3 years ago. Updated over 2 years ago.

Status: Closed
Priority: High
Assignee:
Category: Privacy and security
Target version:
Start date: 03/30/2015
Due date:
% Done: 100%
Resolution: fixed
Device:

Description

Within this ticket I'll check if Replicant is vulnerable to the Stagefright (http://source.android.com/devices/media.html) weaknesses.
More details: http://www.forbes.com/sites/thomasbrewster/2015/07/27/android-text-attacks/
(And there already exists a Replicant forum thread about: http://redmine.replicant.us/boards/39/topics/10329)

As far as I understand that vulnerability:
  • the weakness is more or less exclusively present within the hardware-accelerated audio/video decoding, so Replicant doesn't have to be affected (without using those proprietary accelerations), but I have to check that in detail.
  • If Replicant is affected, it doesn't seem to be enough to:
    • avoid Hangouts or disable: Settings -> SMS -> Auto Retrieve MMS -> [uncheck]
    • disable auto-MMS-reception of the standard SMS app or alternative SMS apps
    • remove MMS APN: Settings -> More... -> Mobile networks -> Access Point Names -> {choose your MMS provider APN} -> three-dot-menu -> Delete APN

because you would still be vulnerable (e.g. over manipulated email pictures, or any other app which uses the Stagefright media framework).

Solution/Patches
CM diffs (I'll preventively try to bring them to Replicant ASAP):
http://review.cyanogenmod.org/#/c/103267/
http://review.cyanogenmod.org/#/c/103268/
http://review.cyanogenmod.org/#/c/103269/
http://review.cyanogenmod.org/#/c/103270/
http://review.cyanogenmod.org/#/c/103266/

stagefright_patchset-redux.zip (12 KB) My Self, 08/26/2015 11:48 AM

History

#1 Updated by Paul Kocialkowski over 3 years ago

Great, thanks for your investigation! I'll try to get around to merging your already-pending security fixes soon. If Replicant is indeed affected by the stagefright vulnerability, then patches for it are welcome as well :)

Thanks for your great work, as usual!

#2 Updated by My Self over 3 years ago

  • File stagefright_patchset.zip added

Sorry for the delay.
It was a lot of cherry-picking. Initially I worked with the patchset provided by Zimperium (https://s3.amazonaws.com/zhafiles/Zimperium-Handset-Alliance/ZHA-Stagefright-Patches.zip) but afterwards I realized that some of the original patches (https://android-review.googlesource.com/#/c/162646/) are slightly different. And then I realized that CyanogenMod (CM) also modified some of the patches slightly.

So I set the focus on the patches released by Google (AOSP), respected the changes CM has added (on the tree of CM11), and fitted them to the Replicant codebase.

From the result I made a patchset "stagefright_patchset.zip" for Replicant (tested on the current codebase of 4.2) with the following patch files included:

After compiling/flashing the patched Replicant, I've tested my productive device for some hours without any misbehavior.
Furthermore I've successfully checked that Replicant isn't vulnerable to the "Stagefright vulnerability" anymore, by:

@everyone: please review the patches and apply it if you like.

#3 Updated by My Self over 3 years ago

Additionally, the patchset was sent to the mailing list: http://lists.osuosl.org/pipermail/replicant/Week-of-Mon-20150810/000771.html

#4 Updated by My Self over 3 years ago

  • File stagefright_patchset-redux.zip added

[update]

This blogpost: https://blog.exodusintel.com/2015/08/13/stagefright-mission-accomplished/ explains, why one of the stagefright patches was faulty, and how to solve the problem.

So I modified/renewed:
  • 0010-Fix-integer-underflow-in-covr-MPEG4-processing.patch
and added (the newly categorized CVE-2015-3864) as:

The new patchset is named stagefright_patchset-redux.zip (attached).

I've recompiled/reflashed Replicant 4.2 for my device without any misbehavior, and have tested the functionalities for some hours now.
Furthermore I've successfully checked that Replicant isn't vulnerable to the new "CVE-2015-3864" anymore, via the updated detector app (by Zimperium): https://play.google.com/store/apps/details?id=com.zimperium.stagefrightdetector

@everyone: please review the patches and apply it if you like.
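As an added illustration of what the renewed 'covr' patch is about (this is example code written for this page; it is not from the patchset, from AOSP/CyanogenMod, or from Replicant), the C parser below reads one MP4 'covr' box and validates every attacker-controlled length before it is used for allocation, subtraction or a read: the declared box size is bounded by the input length (compared, never added to, so the comparison itself cannot wrap), and the payload must be strictly longer than the nested 'data' header so that subtracting that header cannot underflow to a huge length. The box layout, the 16-byte 'data' header (size, type, version/flags, locale) and the three sample byte strings are my assumptions and constructions for this example, not values taken from the page.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Result codes returned by parse_covr(). */
enum covr_status { COVR_OK = 0, COVR_MALFORMED = -1, COVR_TRUNCATED = -2 };

/* Length of the 'data' box header that precedes the cover-art bytes inside
 * a 'covr' box: size(4) + type(4) + version/flags(4) + locale(4).
 * (Assumed layout for this example.) */
#define DATA_BOX_HEADER_LEN 16u

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}
static uint64_t be64(const uint8_t *p) {
    return ((uint64_t)be32(p) << 32) | be32(p + 4);
}

/* Parse one 'covr' box occupying buf[0..len). On success *art points into
 * buf at the cover-art bytes and *art_len is their length. All checks run
 * before any size is used, so no allocation or read is ever sized from an
 * unvalidated value. */
int parse_covr(const uint8_t *buf, size_t len, const uint8_t **art, size_t *art_len) {
    if (len < 8) return COVR_TRUNCATED;
    if (memcmp(buf + 4, "covr", 4) != 0) return COVR_MALFORMED;

    uint64_t box_size = be32(buf);
    size_t hdr = 8;
    if (box_size == 1) {                 /* 64-bit "largesize" form */
        if (len < 16) return COVR_TRUNCATED;
        box_size = be64(buf + 8);
        hdr = 16;
    }
    /* The box must at least contain its own header. */
    if (box_size < hdr) return COVR_MALFORMED;
    /* Bound the 64-bit declared size by the bytes we actually hold BEFORE
     * doing arithmetic on it or narrowing it to size_t for an allocation. */
    if (box_size > len) return COVR_TRUNCATED;

    uint64_t chunk_data_size = box_size - hdr;
    /* Strictly greater than the 'data' header: with "<" alone, a payload of
     * exactly 16 bytes would pass and chunk_data_size - 16 would be 0, and a
     * shorter payload would underflow to a huge length. */
    if (chunk_data_size <= DATA_BOX_HEADER_LEN) return COVR_MALFORMED;
    /* The nested box must be a 'data' box whose own size matches the payload. */
    if (memcmp(buf + hdr + 4, "data", 4) != 0) return COVR_MALFORMED;
    if (be32(buf + hdr) != chunk_data_size) return COVR_MALFORMED;

    *art = buf + hdr + DATA_BOX_HEADER_LEN;
    *art_len = (size_t)(chunk_data_size - DATA_BOX_HEADER_LEN);
    return COVR_OK;
}

/* Constructed sample: a well-formed 'covr' box carrying 4 bytes of "art". */
const uint8_t sample_covr[28] = {
    0x00, 0x00, 0x00, 0x1C, 'c', 'o', 'v', 'r',
    0x00, 0x00, 0x00, 0x14, 'd', 'a', 't', 'a',
    0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x00,   /* flags=13 (JPEG), locale */
    0xFF, 0xD8, 0xFF, 0xE0                            /* constructed JPEG prefix */
};
/* Constructed sample: 'data' header present but zero art bytes (boundary case). */
const uint8_t sample_empty_art[24] = {
    0x00, 0x00, 0x00, 0x18, 'c', 'o', 'v', 'r',
    0x00, 0x00, 0x00, 0x10, 'd', 'a', 't', 'a',
    0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x00
};
/* Constructed sample: largesize form declaring far more bytes than exist. */
const uint8_t sample_huge[16] = {
    0x00, 0x00, 0x00, 0x01, 'c', 'o', 'v', 'r',
    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
};

int main(void) {
    const uint8_t *art; size_t n;
    printf("good:  %d (art_len=%zu)\n", parse_covr(sample_covr, sizeof sample_covr, &art, &n), n);
    printf("empty: %d\n", parse_covr(sample_empty_art, sizeof sample_empty_art, &art, &n));
    printf("huge:  %d\n", parse_covr(sample_huge, sizeof sample_huge, &art, &n));
    return 0;
}
```

The ordering is the whole point: a parser that first allocates or reads using the declared size and only afterwards checks it against the header length gives a malformed file one chance to act before the check runs.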

#5 Updated by My Self about 3 years ago

  • % Done changed from 0 to 100

#6 Updated by T M about 3 years ago

I have been running all the patches up to/since #3 without any problems for about 2 weeks. Will update to the new patchset when time allows.

#7 Updated by T M about 3 years ago

T M wrote:

I have been running all the patches up to/since http://redmine.replicant.us/issues/1287#note-3 without any problems for about 2 weeks. Will update to the new patchset when time allows.

#8 Updated by My Self about 3 years ago

  • File deleted (stagefright_patchset.zip)

#9 Updated by My Self about 3 years ago

  • File deleted (stagefright_patchset-redux.zip)

#11 Updated by Paul Kocialkowski about 3 years ago

  • Status changed from New to Closed
  • Resolution set to fixed

All merged, thanks a lot!

#12 Updated by George Bateman over 2 years ago

Here is a wiki for the Stagefright Detector App
