Untitled

a guest
Oct 13th, 2015
My little security writeups: What is Stagefright?

Discovered by Zimperium Labs, Stagefright was a vulnerability in Android's Stagefright library, a media playback library that bundles "software-based codecs for several popular media formats". The library was exploited via an integer overflow, which occurs when an arithmetic operation such as addition or multiplication exceeds the maximum value the integer type used to store it can hold, "overflowing" the allocated space. But before we get into any of that, we need to describe Stagefright itself.
  4.  
Stagefright, as mentioned before, is a media library present in the Android ecosystem from Android 2.2 Froyo onwards. It runs inside a service called "mediaserver" that holds quite a few system privileges due to the nature of its duties, including access to the camera, microphone, Bluetooth, and other devices. This level of privilege for a service started from init.rc, which is the 3rd process called during boot, is pretty powerful and apparently is only 1 step above actual root access to the device.
  6.  
Every time mediaserver receives a file in a supported format, it scans the file for metadata: information about the file and its other attributes. This does not just happen when you acquire the file, but every single time the file is displayed or parsed in Android. This information is NOT stored in a database. Take the relevant example of a picture in an app: if you just rotate the screen, the picture refreshes, which makes mediaserver re-parse everything about the picture. Other scenarios that trigger this refresh include starting a messaging app and viewing a gallery, amongst others. This is where the attack vector is used.
  8.  
Using an integer overflow, the malicious file corrupts a specific memory region and is then able to write new data into that memory space. From there, further writes to memory allow taking over control of the mediaserver process. This is where root is achieved and the device gets compromised.
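As an added illustration of the overflow pattern described above (this is not code from the original writeup or from Stagefright itself): a hypothetical table parser in which a 32-bit entry count from the file is multiplied by a fixed entry size, with the unchecked computation shown beside a checked one that rejects counts that would wrap. The chunk layout, ENTRY_SIZE and function names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical (constructed) chunk layout: a big-endian 32-bit entry count
 * followed by `count` fixed-size entries, the shape of many media-file
 * tables. ENTRY_SIZE is an assumption, not a real format constant. */
#define ENTRY_SIZE 16u

/* Unchecked: count * ENTRY_SIZE is computed in 32 bits and wraps for large
 * counts, so a small buffer would be allocated and then overrun by a copy
 * loop that trusts `count`. */
static uint32_t unchecked_table_bytes(uint32_t count) {
    return count * ENTRY_SIZE; /* wraps when count > UINT32_MAX / ENTRY_SIZE */
}

/* Checked: detect the wrap before multiplying; false means "reject file". */
static bool checked_table_bytes(uint32_t count, size_t *out) {
    if (count > UINT32_MAX / ENTRY_SIZE)
        return false;
    *out = (size_t)count * ENTRY_SIZE;
    return true;
}

/* Read a big-endian 32-bit field, as MP4-style containers store integers. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Validate a table header against the bytes actually present.
 * Returns the table's payload size in bytes, or 0 if the input is malformed
 * (count would overflow, or the table claims more bytes than remain);
 * an empty table also yields 0. */
static size_t validate_table(const uint8_t *buf, size_t len) {
    if (len < 4)
        return 0;
    uint32_t count = be32(buf);
    size_t bytes;
    if (!checked_table_bytes(count, &bytes))
        return 0; /* multiplication would wrap: refuse the file */
    if (bytes > len - 4)
        return 0; /* table extends past the end of the input */
    return bytes;
}
```

A count of 0x10000001 makes the unchecked version report only 16 bytes while the checked version refuses it outright.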
  10.  
Zimperium was able to communicate with AOSP and submit patches, and they were adopted within 48 hours, but the issue is not that. The issue is all the phones that are affected, and how most of these phones will never get an update that fixes this issue. This is the most frightening part of this whole fiasco. Google has started a 30-day security update schedule, but once again this only affects devices in the AOSP tree. OEMs have to take these patches and adapt them to their phones, and that's not something Google can control.
This integer overflow was a payload of a simple malicious .MP4 (or any of the popular media formats Stagefright handles) file that execut