Browser-based CVE-2015-3864 Metasploit Module Now Available for Testing



By: Zuk Avraham and Joshua Drake

Last year, we disclosed a series of critical vulnerabilities within Android’s multimedia processing code — libstagefright. We promised to release the exploit for testing purposes and quickly published our exploit for CVE-2015-1538 targeting the Galaxy Nexus running Android 4.0.4. We delivered this exploit via MMS to help carriers simulate and block a potential MMS-based worm scenario. We are now ready to release our browser-based CVE-2015-3864 exploit for testing, but first let’s take a look at what prompted this decision.

The Impact on Android

Google responded quickly when we first notified them of the vulnerabilities we discovered. They:

  1. quickly accepted patches provided to AOSP
  2. updated the Hangouts and Messenger apps to remove automatic media processing
  3. started releasing monthly Nexus updates and bulletins and
  4. pushed OEMs and carriers to improve the way they handle and remediate vulnerabilities

Despite improvements within the ecosystem (kudos where deserved), updating Android devices remains a challenge and leaves many end users’ handsets exposed to serious vulnerabilities. Multimedia-related vulnerabilities have made an appearance in every Nexus/Android Security Bulletin to date. The latest Android Security Bulletin in September included 11 vulnerabilities that affected Mediaserver among the 55 CVEs referenced. Prior to that, 460 CVEs affecting the Android platform (159 critical, 191 high, 68 moderate, and 5 with low severity) had been disclosed. Typically, an attacker needs between one and five vulnerabilities to take full control over a device. Keeping devices updated has never been more important.

Google’s Android Security Team has invested heavily in responding to media-related security issues by hardening Mediaserver (and the OS too) significantly in Android Nougat. Unfortunately, the adoption rate of new versions of Android is very slow. Nearly one year after its initial release, Android Marshmallow (6.0) is only running on 18.7% of devices within the ecosystem. If this trend continues, Android Nougat will only be used on roughly the same number of devices this time next year. Any device not updated will not benefit from a majority of the improvements Google has made in response to our (and others’) research related to multimedia processing. We implore those responsible for releasing updates to do whatever possible to rectify this situation.

The latest effort, undertaken by our Joshua J. Drake, culminated in a Metasploit module that exploits CVE-2015-3864 via the Web browser. This module is able to exploit a vulnerable device using only three quick HTTP requests and supports 29 different device/firmware versions simultaneously — a significant improvement over the Metaphor exploit. We collaborated with Rapid7 to integrate with the very recent “mettle” payload developed by the Metasploit team. This payload executes purely in memory, which allows working within the SELinux policy that restricts mediaserver on Android 5.x to yield a meterpreter session.


The module currently supports the following builds:

  1. Nexus 7 (Wi-Fi) (razor) with Android 5.0 (LRX21P)
  2. Nexus 7 (Wi-Fi) (razor) with Android 5.0.1 (LRX22C)
  3. Nexus 7 (Wi-Fi) (razor) with Android 5.0.2 (LRX22G)
  4. Nexus 7 (Wi-Fi) (razor) with Android 5.1 (LMY47O)
  5. Nexus 7 (Wi-Fi) (razor) with Android 5.1.1 (LMY47V)
  6. Nexus 7 (Wi-Fi) (razor) with Android 5.1.1 (LMY48G)
  7. Nexus 7 (Wi-Fi) (razor) with Android 5.1.1 (LMY48I)
  8. Nexus 7 (Mobile) (razorg) with Android 5.0.2 (LRX22G)
  9. Nexus 7 (Mobile) (razorg) with Android 5.1 (LMY47O)
  10. Nexus 7 (Mobile) (razorg) with Android 5.1.1 (LMY47V)
  11. Nexus 5 (hammerhead) with Android 5.0 (LRX21O)
  12. Nexus 5 (hammerhead) with Android 5.0.1 (LRX22C)
  13. Nexus 5 (hammerhead) with Android 5.1 (LMY47D)
  14. Nexus 5 (hammerhead) with Android 5.1 (LMY47I)
  15. Nexus 5 (hammerhead) with Android 5.1.1 (LMY48B)
  16. Nexus 5 (hammerhead) with Android 5.1.1 (LMY48I)
  17. Nexus 6 (shamu) with Android 5.0 (LRX21O)
  18. Nexus 6 (shamu) with Android 5.0.1 (LRX22C)
  19. Nexus 6 (shamu) with Android 5.1 (LMY47D)
  20. Nexus 6 (shamu) with Android 5.1 (LMY47E)
  21. Nexus 6 (shamu) with Android 5.1 (LMY47I)
  22. Nexus 6 (shamu) with Android 5.1.1 (LYZ28E)
  23. Nexus 6 (shamu) with Android 5.1 (LMY47M)
  24. Nexus 6 (shamu) with Android 5.1.1 (LMY47Z)
  25. Nexus 6 (shamu) with Android 5.1.1 (LVY48C)
  26. Nexus 6 (shamu) with Android 5.1.1 (LMY48I)
  27. Nexus 6 (shamu) with Android 5.1.1 (LYZ28J)
  28. Nexus 6 (shamu) with Android 5.1.1 (LVY48E)
  29. Samsung Galaxy S5 (VZW SM-G900V) with Android 5.0 (LRX21T)

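As an added example (not code from Zimperium, Rapid7 or the Metasploit module itself), the following Python turns the build list above into records and checks them against `adb shell getprop` output, which is how an administrator would tell whether a handset in inventory is one of the module's exact targets. The property names (ro.product.device, ro.product.model, ro.build.id, ro.build.version.release, ro.build.version.security_patch) are real Android system properties; the sample getprop output, the `Build` record, the `assess` function and the `FIX_PATCH_LEVEL` threshold are this example's own, and the threshold is an assumption derived from the disclosure timeline below, which dates the fix to September 9th 2015.

```python
"""Match a device's build against the CVE-2015-3864 module's supported builds.

Added example; not Zimperium's or the Metasploit module's code. Parses the
post's supported-build list and compares it with `adb shell getprop` output.
"""
import re
from typing import Dict, List, NamedTuple, Optional

# Verbatim subset of the post's list; the full 29-line list parses the same way.
SUPPORTED_BUILDS_TEXT = """
  1. Nexus 7 (Wi-Fi) (razor) with Android 5.0 (LRX21P)
  7. Nexus 7 (Wi-Fi) (razor) with Android 5.1.1 (LMY48I)
  8. Nexus 7 (Mobile) (razorg) with Android 5.0.2 (LRX22G)
  16. Nexus 5 (hammerhead) with Android 5.1.1 (LMY48I)
  26. Nexus 6 (shamu) with Android 5.1.1 (LMY48I)
  29. Samsung Galaxy S5 (VZW SM-G900V) with Android 5.0 (LRX21T)
"""


class Build(NamedTuple):
    model: str      # e.g. "Nexus 7 (Wi-Fi)"
    codename: str   # ro.product.device for Nexus entries; model number for the S5
    release: str    # ro.build.version.release, e.g. "5.1.1"
    build_id: str   # ro.build.id, e.g. "LMY48I"


LINE_RE = re.compile(
    r"^\s*\d+\.\s*(?P<model>.+?)\s*\((?P<codename>[^()]+)\)\s*"
    r"with Android\s*(?P<release>[\d.]+)\s*\((?P<build_id>[A-Z0-9]+)\)\s*$"
)


def parse_supported_builds(text: str) -> List[Build]:
    """Parse the numbered 'device (codename) with Android X (BUILD)' lines."""
    builds = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            builds.append(Build(**m.groupdict()))
    return builds


def parse_getprop(output: str) -> Dict[str, str]:
    """Parse '[name]: [value]' lines as printed by `adb shell getprop`."""
    props = {}
    for m in re.finditer(r"^\[([^\]]+)\]: \[([^\]]*)\]$", output, re.MULTILINE):
        props[m.group(1)] = m.group(2)
    return props


def find_supported_build(props: Dict[str, str], builds: List[Build]) -> Optional[Build]:
    """Return the list entry matching this device's codename and build ID, if any.

    Build IDs such as LMY48I are shared across Nexus devices, so the device
    codename has to match as well: the module carries per-device data.
    """
    device = props.get("ro.product.device", "")
    model = props.get("ro.product.model", "")
    build_id = props.get("ro.build.id", "")
    for b in builds:
        if b.build_id != build_id:
            continue
        # Nexus entries give ro.product.device; the S5 entry gives "VZW SM-G900V",
        # whose last token is the ro.product.model value.
        if b.codename == device or b.codename.split()[-1] == model:
            return b
    return None


# Assumption: the post dates Google's fix to September 9th 2015, so any patch
# level from September 2015 onward is treated as carrying the fix.
FIX_PATCH_LEVEL = "2015-09-01"


def assess(getprop_output: str, builds: List[Build]) -> str:
    """Classify a device's CVE-2015-3864 exposure from its getprop output."""
    props = parse_getprop(getprop_output)
    patch = props.get("ro.build.version.security_patch")
    # The patch-level property only exists on Android 6.0 and later; ISO dates
    # compare correctly as strings.
    if patch and patch >= FIX_PATCH_LEVEL:
        return "patched"
    if find_supported_build(props, builds):
        return "module-target"
    # Absence from the list means the module has no data for this build, not
    # that the build is fixed: fall back to checking the patch level by hand.
    return "unlisted-check-patch-level"


# Constructed sample: a Nexus 5 on the build listed as entry 16 above.
SAMPLE_GETPROP = """[ro.build.id]: [LMY48I]
[ro.build.version.release]: [5.1.1]
[ro.product.device]: [hammerhead]
[ro.product.model]: [Nexus 5]
"""

if __name__ == "__main__":
    print(assess(SAMPLE_GETPROP, parse_supported_builds(SUPPORTED_BUILDS_TEXT)))
```

Two points the code makes explicit: a build ID alone does not identify a target, because the same ID (LMY48I, for instance) ships on several Nexus devices and the module needs the device codename too; and a handset missing from the list is not thereby safe, since the list is the module's coverage rather than the set of affected builds.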
New Developments

On September 7th, the day after the September Android Security Bulletin was published, Google Project Zero researcher Mark Brand released an analysis of and exploit for CVE-2016-3861. When we looked at Brand’s exploit, we noticed he used a nearly identical technique to what Josh used in this module. Interestingly enough, Brand found the same bug reported by Josh on August 15th, 2015. Josh’s proposed patch for this vulnerability is here. The bug report was accidentally marked as obsolete. We believe that if two independent researchers found the very same bug, and developed the very same techniques, the likelihood of these techniques being used for targeted attacks is high. Because of this, we sped up the release of our exploit to the general public so that security teams, administrators, and penetration testers alike may test whether or not their systems remain vulnerable. We welcome the security community to build further on this work and help to maintain this module.

During our research, we identified ways in which Google can make this attack less successful. We’ve already communicated these suggestions to Google and are happy to work with other vendors and carriers through ZHA to discuss these suggestions as well.

To obtain the CVE-2015-3864 exploit, simply update your Metasploit. If you don’t already have Metasploit, you can obtain it by following the instructions in the Metasploit developer docs.

Disclosure timeline:

  • May 4th 2015: Joshua reported CVE-2015-3824 to Google’s Android Security team
  • August 13th 2015: Google releases a fix for CVE-2015-3824
  • August 13th 2015: Exodus discloses CVE-2015-3864 (duplicate of a Project Zero report)
  • August 15th 2015: Joshua reported what eventually became CVE-2016-3861
  • September 9th 2015: Google releases a fix for CVE-2015-3864
  • March 24th 2016: Metaphor exploit released (showing ASLR bypass)
  • May 2nd 2016: Josh’s report of CVE-2016-3861 was accidentally marked as obsolete
  • June 6th, 2016: Josh shared our CVE-2015-3864 Metasploit module with the Google/Android Security Team
  • August 12th 2016: Shared exploit with vendors and carriers through ZHA partners
  • July 29th 2016: Shared details on the exploit with the GSMA Device Security Group
  • August 9th 2016: Shared details on the exploit at WOOT in the Day 2 Keynote
  • September 6th 2016: Google releases September bulletin
  • September 7th 2016: Google Project Zero released Mark Brand’s exploit for CVE-2016-3861 using nearly identical techniques
  • September 9th 2016: Android Security Team offered a $3,000 reward for CVE-2016-3861
  • September 13th 2016: Android Security Team donates $6,000 to EB Research on Josh’s behalf (matching the $3,000 reward)
  • September 23rd 2016: Public release

Zimperium customers:

Zimperium’s z9 engine detects this attack, Mark Brand’s CVE-2016-3861 exploit, and much more without requiring any update. For more information about our award-winning technology, check out our products.
