Google integrated a fix in the next Android release

Jun 26, 2015 10:11 GMT  ·  By

Security researchers found a flaw in Debuggerd, the debugging component built into the Android operating system, which could be combined with other bugs to achieve arbitrary code execution on the device.

The vulnerability is present in all Android versions from 4.0 (Ice Cream Sandwich) through 5.x (Lollipop), which together currently account for 94.1% of mobile devices.

According to official statistics, most Android users (39.2%) run version 4.4 of the operating system, commonly known as KitKat, followed by Jelly Bean with 37.4%. Lollipop, the latest version of the OS, accounts for only 12.4% of the Android market.

Glitch can be a stepping stone for serious compromise

Trend Micro discovered that an attacker could craft a special ELF (Executable and Linkable Format) file that crashes the debugger, then read the resulting dumps and log files for data stored in memory.

The researchers say that on its own the flaw does not enable code execution, but the memory contents it exposes can be leveraged to bypass ASLR (address space layout randomization) protection; once that is achieved, however, rogue code can be run on the device.

The flaw can be abused for denial-of-service purposes, though, by repeatedly crashing the built-in debugger.

“This vulnerability can be exploited by a malicious or repackaged app downloaded onto the device, although the impact would be relatively limited,” Wish Wu, mobile threat response engineer at Trend Micro, says in a blog post on Thursday, stressing that exploitation cannot enable malicious code execution.

Wu explains that Debuggerd uses “sym->st_name” as the offset for a string copy operation without any error checking. A malformed ELF file can set that value to point into inaccessible memory, which causes Debuggerd to crash.
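The missing check is a bounds test on that offset before anything is copied. The following is an added example, not Trend Micro's or AOSP's code: a symbol-name lookup that rejects an st_name lying outside the string table, an unterminated string, or one that would not fit the destination buffer. It assumes the 32-bit ELF symbol layout and uses a constructed string table.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {                /* mirror of Elf32_Sym from <elf.h> */
    uint32_t st_name;           /* byte offset into the .strtab section */
    uint32_t st_value, st_size;
    uint8_t  st_info, st_other;
    uint16_t st_shndx;
} elf32_sym_t;

/* Resolve a symbol's name with the checks the article says were missing.
 * Returns 1 on success; 0 for a malformed entry, with out set to "". */
int safe_symbol_name(const elf32_sym_t *sym, const char *strtab,
                     size_t strtab_len, char *out, size_t out_len)
{
    if (out_len == 0) return 0;
    out[0] = '\0';
    if (sym->st_name >= strtab_len) return 0;      /* offset past the table */
    const char *p = strtab + sym->st_name;
    const char *nul = memchr(p, '\0', strtab_len - sym->st_name);
    if (nul == NULL) return 0;                     /* no terminator inside table */
    size_t n = (size_t)(nul - p);
    if (n >= out_len) return 0;                    /* would overflow out */
    memcpy(out, p, n + 1);
    return 1;
}

/* Constructed sample string table (hypothetical, not from a real binary). */
static const char sample_strtab[] = "\0main\0__libc_init";

/* Look up st_name in the sample table; returns 1 only if the entry is
 * accepted and the resolved name equals `expected`. */
int sample_lookup(uint32_t st_name, const char *expected)
{
    elf32_sym_t sym = { .st_name = st_name };
    char name[32];
    if (!safe_symbol_name(&sym, sample_strtab, sizeof sample_strtab,
                          name, sizeof name))
        return 0;
    return strcmp(name, expected) == 0;
}

int main(void)
{
    printf("main  -> %d\n", sample_lookup(1, "main"));       /* 1: valid entry */
    printf("bogus -> %d\n", sample_lookup(0x7fffffff, ""));  /* 0: rejected, no crash */
    return 0;
}
```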

Patch is available, but users may not see it soon

Trend Micro disclosed the vulnerability to Google on April 27; Google assigned it a low severity rating.

At the moment, there is no patch for the affected Android versions available to consumers, but a fix is included in the next release of the OS (Android M), expected to launch in October/November.

The patch has also been present in the Android Open Source Project (AOSP) code since May 15, so carriers and device manufacturers can integrate it and push it to users; historically, however, such updates have reached users only after significant delays.

[Image: Android OS distribution as of June 1]

[Image: Triggering the vulnerability]