Skip to main content

Android 32-Bit ASLR Too Weak To Block Stagefright Exploits, Says Google Researcher

When the Stagefright vulnerability was made public by Zimperium (months after it had already disclosed it to Google), Google said that although it's a serious vulnerability, most Android 4.0+ devices should be quite safe against it thanks to the ASLR protection.

However, according to one of Google's own security researchers who works for the "Project Zero," attackers could relatively easily bypass ASLR and exploit the Stagefright vulnerabilities. Project Zero is a group of highly skilled security researchers that Google hired to find vulnerabilities that can be used in targeted attacks.

The vulnerabilities found in the Stagefright media library in Android affect almost one billion users -- essentially everyone with an Android 2.3 phone or newer. To make matters worse, the initial series of patches introduced their own vulnerabilities, later found by Exodus Intelligence, another security firm.

The ASLR protection was implemented in Android 4.0 partially, and then fully in Android 4.1, and is meant to protect against some types of memory corruption bugs such as buffer overflows. ASLR randomizes where the exploit lands in the app's memory, therefore making it difficult to take advantage of the existing bug. If the exploit can't find the bug, then it just results in an app crash, rather than a system takeover.

Google's engineers initially said that this should be enough protection against the Stagefright vulnerabilities. However, a Project Zero researcher found that the ASLR feature in Android uses little entropy and can create only 256 locations in memory, which isn't that many if you're trying to make it very difficult for an attacker to find the memory bug.

This was made worse by the fact that Android's Stagefright library reloads after crashing, giving the exploit the opportunity to simply reload itself multiple times until it finds the bug, bruteforcing the Android ASLR. The address space is re-randomized with each attempt, making it more difficult to find the bug, but it can still be relatively few tries. The Google researcher said that an attacker should have about a 4 percent chance of a successful exploit every minute.

One of the easiest ways to exploit the Stagefright library this way is to use a malware-infected web page that people visit and then attempt to inject the malware by reloading it until it's successful. It could also work through in-app adverts using the WebView embedded browser.

Security experts have said before that Android's 32-bit ASLR protection could be too weak, and now we see just how weak it really is. It's also not clear yet whether 64-bit phones are in a better position. ASLR on 64-bit systems is typically much stronger, but Google may have kept it just as weak on 64-bit devices, too, for performance reasons.

Follow us @tomshardware, on Facebook and on Google+.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.