Stagefright, Quadrooter and Android Security in general

I was wondering if someone got Stagefright or Quadrooter working and how easily this could/can be accomplished (on vulnerable phones). Because even though there exists a Python sample on exploit-db, it is hinted at in comments that this exploit doesn't work simply out of the box and would have to be tailored to each device. As a result, Stagefright would become far less threatening, or did I get something wrong? If this were easily accomplished about 0.96 billion devices would be vulnerable.

Also, information on Quadrooter is rather scarce. Aside from Check Point's paper I haven't found anything really useful.

I'd also be interested if anyone has some other information on probably dated security vulnerabilities concerning Android, since I'd like to test them myself.

As a final note: I don't intend to do anything malicious, I'm interested because I'm writing a thesis about exactly that (and any additional information/insight is always welcome :slight_smile: )


Nothing I know beyond this.
Regard this as a "watching this thread"
1 Like

exploit-db.com is a great place for this kind of stuff.
https://www.exploit-db.com/docs/39527.pdf - Stagefright paper

AndroidAuthority is also great for this stuff too.

Google's Project Zero is a good place to look also for Android exploits.


The amount of Android exploits has gone down severely because Google introduced 2 things into the OS
* ASLR
* SELinux

The first will randomize the layout of memory, making it much harder to get exploits because you have to get programs to leak their memory addresses to find out where to attack.

The second is a security program developed by the NSA that tries to enforce good security policies by doing stuff like preventing apps from setting parts of memory to world writable and executable. This helps mitigate attacks like privilege escalation because you now have to write where you can't execute and execute where you can't write.

TL;DR
Android has been beefed up a ton and it is MUCH harder to get a working exploit

2 Likes

Ya :frowning: I noticed that too. I just want my tablet rooted.

1 Like

That is only up to Android M.
Android N has a lot more sandboxing and much tighter SELinux policies.

There have been many exploits found in Android but none get far due to the amount of sandboxing and SELinux just screwing you up every time.

I have Marshmallow down but N has me stumped atm. Maybe the Magisk concept will develop further?

I imagine roaming around in the " how to root world " might be of value to you.

1 Like

Thanks for all the posts :slight_smile:

@Dje4321: Thanks for the link to the paper, I only watched the Black Hat presentation but this paper seems to be far more in depth. Looking forward to reading it :wink: There isn't anything like this for Quadrooter, is there? Hasn't @wendell mentioned once he got Quadrooter working?

Concerning ASLR: Another important factor is that the OS sort of has to be 64-bit. ASLR works on 32-bit just as well, but since the address space is rather limited - when compared to a 64-bit system - many addresses can be guessed.

@Freaksmacker: You're right, I might just do that too.

Any other links to older exploits? Keep them coming :smiley:

I can not remember if he said Quadrooter or Rowhammer. So much change across the board. In a way it is good but.... It is also making us slaves to Corporations and I mostly hate it. Just to hold your privacy and basic performance hostage for a premium.

Rowhammer is nice and not too hard to implement; some researchers were able to do Rowhammer in JavaScript. Check out the Rowhammer.js paper if you're interested.

Interesting and thorough indeed :slight_smile:

1 Like

So I tried the Stagefright exploit myself, well I wanted to try it, but sadly it didn't work out. In order to keep things simple I ran Kali Linux inside a VM and wanted to create an appropriate target device.
When I start up Metasploit and enter `use exploit/android/browser/stagefright_mp4_tx3g_64bit`, the command `show targets` shows, as the name suggests, the exploitable targets, which are:

Nexus 7 (Wi-Fi) (razor) with Android 5.0 (LRX21P)
Nexus 7 (Wi-Fi) (razor) with Android 5.0.1 (LRX22C)
Nexus 7 (Wi-Fi) (razor) with Android 5.0.2 (LRX22G)
Nexus 7 (Wi-Fi) (razor) with Android 5.1 (LMY47O)
Nexus 7 (Wi-Fi) (razor) with Android 5.1.1 (LMY47V)
Nexus 7 (Wi-Fi) (razor) with Android 5.1.1 (LMY48G)
Nexus 7 (Wi-Fi) (razor) with Android 5.1.1 (LMY48I)
Nexus 7 (Mobile) (razorg) with Android 5.0.2 (LRX22G)
Nexus 7 (Mobile) (razorg) with Android 5.1 (LMY47O)
Nexus 7 (Mobile) (razorg) with Android 5.1.1 (LMY47V)
Nexus 5 (hammerhead) with Android 5.0 (LRX21O)
Nexus 5 (hammerhead) with Android 5.0.1 (LRX22C)
Nexus 5 (hammerhead) with Android 5.1 (LMY47D)
Nexus 5 (hammerhead) with Android 5.1 (LMY47I)
Nexus 5 (hammerhead) with Android 5.1.1 (LMY48B)
Nexus 5 (hammerhead) with Android 5.1.1 (LMY48I)
Nexus 6 (shamu) with Android 5.0 (LRX21O)
Nexus 6 (shamu) with Android 5.0.1 (LRX22C)
Nexus 6 (shamu) with Android 5.1 (LMY47D)
Nexus 6 (shamu) with Android 5.1 (LMY47E)
Nexus 6 (shamu) with Android 5.1 (LMY47I)
Nexus 6 (shamu) with Android 5.1.1 (LYZ28E)
Nexus 6 (shamu) with Android 5.1 (LMY47M)
Nexus 6 (shamu) with Android 5.1.1 (LMY47Z)
Nexus 6 (shamu) with Android 5.1.1 (LVY48C)
Nexus 6 (shamu) with Android 5.1.1 (LMY48I)
Nexus 6 (shamu) with Android 5.1.1 (LYZ28J)
Nexus 6 (shamu) with Android 5.1.1 (LVY48E)

VMs emulated by Android Studio return the following message:
Unknown user-agent: "Mozilla/5.0 (Linux; Android 5.0.2; sdk_google_phone_armv7 Build/LSY66K) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Mobile Safari/537.36"
The build numbers site doesn't even list LSY66K; furthermore it shows as device sdk_google_phone_armv7 instead of Nexus 5. anon was so kind to recommend Genymotion in another thread, and while a Nexus 5 running Android 5 shows the build number LRX21M, Android 5.1 returns a target build number: LMY47D
Sadly, I still get the following response:
Unknown user-agent: "Mozilla/5.0 (Linux; Android 5.1; Google Nexus 5 - 5.1.0 - API 22 - 1080x1920 Build/LMY47D) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/39.0.0.0 Mobile Safari/537.36

Any ideas on how to fix this or what exactly I'm doing wrong? On one side, it is good that Stagefright isn't that easily accomplished, on the other I'd really like to be able to use it, at least inside a VM.

In case someone else is interested, I was able to figure it out. Apparently Metasploit's regular expression is wrong, which is why I changed it from:

```ruby
# Original: Regexp.escape makes the whole interpolated string a literal match
regexp = Regexp.escape("Linux; Android #{t['Release']}; #{t['Model']} Build/#{t['Build']}")
```

to

```ruby
# Replacement: allows Genymotion's "Google <model> - <version> - API <level> - <resolution>" model field
regexp = /Linux; Android #{t['Release']}; Google #{t['Model']} - [0-9](\.[0-9])+ - API [0-9][0-9] - [0-9]+x[0-9]+ Build\W#{t['Build']}/
```

Which seems to do the trick :slight_smile:

Now, it would be interesting if the regex is right on real devices...
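As an added check (not code from the thread or from Metasploit), the Ruby below runs the module's original escaped pattern and the poster's replacement against the Genymotion user-agent quoted above and against the plainer "Nexus 5 Build/LMY47D" form a physical device reports; the device string and the target fields are assumptions, and the replacement escapes the release and model fields, which the thread's version interpolates raw.

```ruby
# Added example: why Regexp.escape misses the Genymotion user-agent, and
# whether the replacement still recognises a plain device user-agent.
# Target fields assumed from the module's target list (Nexus 5, 5.1, LMY47D).
TARGET = { 'Release' => '5.1', 'Model' => 'Nexus 5', 'Build' => 'LMY47D' }

# Constructed inputs: the Genymotion string quoted in the thread, and an
# assumed physical-device string in the usual "<model> Build/<build>" form.
UA_GENYMOTION = 'Mozilla/5.0 (Linux; Android 5.1; Google Nexus 5 - 5.1.0 - API 22 - 1080x1920 Build/LMY47D) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/39.0.0.0 Mobile Safari/537.36'
UA_DEVICE = 'Mozilla/5.0 (Linux; Android 5.1; Nexus 5 Build/LMY47D) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/39.0.0.0 Mobile Safari/537.36'

# Original form: Regexp.escape turns the interpolated string into a literal,
# so the model field must be exactly "Nexus 5" directly after the release.
def original_pattern(t)
  Regexp.new(Regexp.escape("Linux; Android #{t['Release']}; #{t['Model']} Build/#{t['Build']}"))
end

# Poster's replacement, with release and model escaped so the dot in "5.1"
# is literal; tolerates Genymotion's "Google <model> - <ver> - API <n> - <res>".
def genymotion_pattern(t)
  /Linux; Android #{Regexp.escape(t['Release'])}; Google #{Regexp.escape(t['Model'])} - [0-9](\.[0-9])+ - API [0-9][0-9] - [0-9]+x[0-9]+ Build\/#{Regexp.escape(t['Build'])}/
end

# Report which of the two patterns recognises a given user-agent.
def matches(ua, t)
  { original: !!(original_pattern(t) =~ ua),
    genymotion: !!(genymotion_pattern(t) =~ ua) }
end

if __FILE__ == $PROGRAM_NAME
  puts "Genymotion UA: #{matches(UA_GENYMOTION, TARGET)}"
  puts "Device UA:     #{matches(UA_DEVICE, TARGET)}"
end
```

The two results answer the question above: the replacement only recognises the Genymotion layout, and the plain device layout is matched only by the original pattern.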