Researchers at Trend Micro have discovered a security flaw in Debuggerd, the debugging component of the Android system. When the flaw is combined with other bugs, attackers can achieve arbitrary code execution on the device to reveal the data and contents on it, according to a blog post on Trend Micro.
The bug and its dangers
Upon discovering the bug, security researchers at Trend Micro noted that:
- An attacker can create a specially crafted ELF (Executable and Linkable Format) file in order to crash the debugger and stop it from functioning.
- Once this is achieved, memory contents on the device along with dumps and log files can then be accessed and viewed by the attacker.
- While the glitch itself can’t be used for remote code execution, the information exposed can be leveraged to bypass ASLR (address space layout randomization) protection.
- After such a bypass, rogue code can then be run on the device.
“This vulnerability can be exploited by a malicious or repackaged app downloaded onto the device, although the impact would be relatively limited (as no code execution is possible by itself). No malicious code can be executed if this vulnerability is exploited,” wrote Wish Wu, a Mobile Threat Response Engineer at Trend Micro in the blog post.
The Debuggerd component uses “sym->st_name” as an offset for a string copy command, with no error checking. A malformed, tampered ELF file can control this value so that the offset points to inaccessible memory, which leads to Debuggerd crashing, according to Wu.
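The missing check can be sketched in C. This is an added example, not Debuggerd's code, the AOSP patch or Trend Micro's: it validates `st_name` against the string table before copying. The `sym32` struct, the function names and the sample string table are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct sym32 {                 /* stand-in for an ELF32 symbol entry */
    uint32_t st_name;          /* offset of the name in the string table */
    uint32_t st_value, st_size;
    uint8_t  st_info, st_other;
    uint16_t st_shndx;
};

/* Unchecked pattern the article describes (shown for contrast only):
 *     strcpy(out, strtab + sym->st_name);
 * st_name is read from the file, so the source address is file-controlled. */

/* Copy a symbol name only if it lies entirely inside the string table.
 * Returns 0 on success, -1 if the offset or string leaves the table,
 * -2 if the name does not fit in the caller's buffer. */
int copy_symbol_name(const char *strtab, size_t strtab_size,
                     const struct sym32 *sym, char *out, size_t out_size)
{
    if (!strtab || !sym || !out || out_size == 0)
        return -1;
    if (sym->st_name >= strtab_size)          /* offset outside the table */
        return -1;
    const char *name = strtab + sym->st_name;
    const char *nul = memchr(name, '\0', strtab_size - sym->st_name);
    if (nul == NULL)                          /* no terminator before the end */
        return -1;
    size_t len = (size_t)(nul - name);
    if (len >= out_size)
        return -2;
    memcpy(out, name, len + 1);               /* copies the NUL as well */
    return 0;
}

/* Constructed sample table: "\0main\0open", deliberately missing a final NUL. */
static const char sample_strtab[] = {'\0','m','a','i','n','\0','o','p','e','n'};
static char sample_out[8];

/* Look up one st_name offset in the sample table and return the status. */
int sample_lookup(uint32_t st_name)
{
    struct sym32 s = { st_name, 0, 0, 0, 0, 0 };
    return copy_symbol_name(sample_strtab, sizeof sample_strtab,
                            &s, sample_out, sizeof sample_out);
}
```

Rejecting the symbol and continuing, rather than dereferencing the offset, keeps a malformed file from taking the debugger down.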
Alarming vulnerability numbers
The bug leaves a staggering 94.1 % of Android devices vulnerable. Official statistics show:
- 2 % of Android users are using KitKat, or Android 4.4.
- 4 % of Android users are using JellyBean, the Android version that preceded KitKat.
- 6 % of Android users are on Lollipop, the latest version of the Android operating system.
The vulnerability exists in all Android versions starting from 4.x (Ice Cream Sandwich) to 5.x (Lollipop).
Patch exists but users will have to wait
Google has been made aware of the vulnerability by the research team at Trend Micro. While there is no patch presently for current versions of Android, a fix is included in the next version of the Android system, Android M, which is expected to launch later this year in October or November.
A patch for the vulnerability is included in the AOSP (Android Open Source Project) code and has been since May 15th. This can feasibly be used by device manufacturers and carriers to push an update for users but trends show that such a process takes a significant period of time.