Stagefright vulnerability found in most (all) Android phones

SOLVED
Visitor
Message 81 of 118

Re: 5.1.1 UPDATE FAILING ALL STAGEFRIGHT CHECKS

Xperia Z2  D6503   Android 5.1.1  Build 23.4.A.1.200

Commissioner
Message 82 of 118

Re: 5.1.1 UPDATE FAILING ALL STAGEFRIGHT CHECKS

Stagefright fix in latest 23.4.A.1.232 now rolling. Updated mine today.
Moderator
Message 83 of 118

Re: 5.1.1 UPDATE FAILING ALL STAGEFRIGHT CHECKS

@Ocotillo

 

Yep, as Bearings said, it's already rolling to both Z2 and Z3 series so stay tuned. No need for caps or curses :)




One time poster
Message 84 of 118

Re: 5.1.1 UPDATE FAILING ALL STAGEFRIGHT CHECKS

My update to 5.1.1 has failed. T
Genius
Message 85 of 118

Re: Xperia Z2 23.4.A.1.200 update: Stagefright vulnerability


@Rickard wrote:

Hi everyone - thanks for your comments. We would just like to reassure you following reports that some protection and detector software identifies certain Xperia devices as remaining vulnerable to the “Stagefright” flaw, despite receiving the corrective security patches.

Protection and detector software use dummy media files to assess if security patches are installed. We added media file validation checks within the firmware, that are wrongly identified as crashes and vulnerabilities by some protection software – we fully reassure all our customers that the security patches eliminate any risk posed by the “Stagefright” flaw from Xperia devices. The firmware is rolling out through our retail partners within normal and regular software maintenance, with exact timings varying by region and/or operator.


I want to reply and give more strength to Rickard's comment, just to let you understand why that app is not exactly the best way to discover if your phone is affected by the various "Stagefright" flaws. I wrote a very long post in the Motorola Forum (as I also own a Moto X and various other Android devices) and all my discoveries agree with what Rickard said:

 

This is a long comment... ready?

Got curious here, so I decompiled that apk and I found that it's doubtfully useful. First of all, it doesn't show or tell exactly what the vulnerabilities in our device are (it can also be a minimal and unimportant one), but what makes me feel unsafe when using this app is the following part of the code:

Basically this piece of code is setting the status of the device to Safe, SEMI-SAFE and Unsafe. The Semi-Safe is the funniest one: the app will show you a greeting message saying your device is safe IF you are using one of their apps: zIPS - An AntiMalware. This is already wrong... basically it's advertisement, haha. Anyway, let's move on.

Another thing I noticed is this: the app, by default, is ready to tell that the device is affected. Look at the list of vulnerabilities: it's just text, a pre-programmed list that will be filled later by a list of files. More about this later:

So the app includes the malformed mp4s (PoC - Proof of Concept) inside a folder. It extracts them and executes a custom "media player" (compiled with a 2012 Beta version of GCC) that loads libstagefright.so and queries the malformed mp4s. What the app doesn't tell us is which vulnerability is the one that affects our devices. So let me tell you about the vulnerabilities that are scanned:

  1) cve-2015-1538 
  5) cve-2015-1539 
  6) cve-2015-3824 (The only one that may affect devices from Android 4.0.1 to 5.1.1)
  7) cve-2015-3826 
  8) cve-2015-3827 
  9) cve-2015-3828
10) cve-2015-3829

 

I would like to do it with the Moto X but it's not recharging the battery, so... I ran the test on two devices, HP Slate 6 (4.4.2) and Sony Z3C (5.1.1), and captured the log with alogcat while the test was running. Results (drum-roll):

HP Slate 6 (4.4.2): 

D/dalvikvm(  921): GC_CONCURRENT freed 444K, 21% free 3903K/4928K, paused 1ms+3ms, total 19ms
D/MRVLExtractorEntry( 5170): Failed to open librealmediaextractor.so
I/OMXClient( 5173): Using client-side OMX mux.
D/MRVLExtractorEntry( 5173): Failed to open librealmediaextractor.so
I/SampleTable( 5173): There are reordered frames present.
W/STAGEFRIGHT( 3504): Device is vulnerable to cve-2015-1538-2.mp4
I/OMXClient( 5176): Using client-side OMX mux.
D/MRVLExtractorEntry( 5176): Failed to open librealmediaextractor.so
W/STAGEFRIGHT( 3504): Device is vulnerable to cve-2015-1538-3.mp4
I/OMXClient( 5178): Using client-side OMX mux.
D/MRVLExtractorEntry( 5178): Failed to open librealmediaextractor.so
W/MPEG4Extractor( 5178): max_size=8323078 is wrong, set as worst case 1080p yuv size 3110400
W/STAGEFRIGHT( 3504): Device is vulnerable to cve-2015-1538-4.mp4
I/OMXClient( 5180): Using client-side OMX mux.
D/MRVLExtractorEntry( 5180): Failed to open librealmediaextractor.so
I/OMXClient( 5182): Using client-side OMX mux.
D/MRVLExtractorEntry( 5182): Failed to open librealmediaextractor.so
I/OMXClient( 5184): Using client-side OMX mux.
D/MRVLExtractorEntry( 5184): Failed to open librealmediaextractor.so
W/MPEG4Extractor( 5184): numChannels in ESDS is 0, ignore the error!
I/OMXClient( 5186): Using client-side OMX mux.
D/MRVLExtractorEntry( 5186): Failed to open librealmediaextractor.so
W/STAGEFRIGHT( 3504): Device is vulnerable to cve-2015-3827.mp4
I/OMXClient( 5188): Using client-side OMX mux.
D/MRVLExtractorEntry( 5188): Failed to open librealmediaextractor.so
I/OMXClient( 5192): Using client-side OMX mux.
D/MRVLExtractorEntry( 5192): Failed to open librealmediaextractor.so
W/STAGEFRIGHT( 3504): Device is vulnerable to cve-2015-3829.mp4
D/dalvikvm( 3504): GC_CONCURRENT freed 277K, 53% free 3411K/7188K, paused 3ms+3ms, total 19ms
D/StatusBar.NetworkController(  679): updateTelephonySignalStrength: ABSENT
I/audio_hw_mrvl(  119): out_standby/717:out 0x42b11570
I/audio_hw_mrvl(  119): hardware output set_standby
I/MarvellAmixer(  119): get_amixer_value, device 2, left volume 0, right volume 0, codec info 0, mic mode 0
D/MarvellAmixer(  119): get_amixer_value: Set codec as slave
I/AudioHIFIPath(  119): default_disable: Disable hifi output device speaker
D/ALSA_PLUGIN--CTRL_CODEC(  119): integer: key is 3, value is 0x350000, old value is 0x0
D/ALSA_PLUGIN--CTRL_CODEC(  119): Disable path HiFiPlayToStereoSPKR, value is 0x00350000
I/acm_aph (  119): ACM_APHPathHandling: path=HiFiPlayToStereoSPKR operation=DISABLE ref_path=(null) amixer value=0x0
I/acm_ach_gpio(  119): GPIO_Handle: set GPIO port 19 [0]
D/acm_aph (  119): _set_path_configuration: sleep 10 ms
I/acm_ach_ustica(  119): Ustica_Disable: disable ustica component
I/acm_ach_elba(  119): Elba_Disable: disable elba component
I/acm_ach_gpio(  119): GPIO_Disable: disable gpio component
I/audio_hw_mrvl(  119): set voip standby if it's normal state, and not voip stream
I/audio_hw_mrvl(  119): set vt standby if it's normal state, and not vt stream

Sony Z3C (5.1.1):

I/OMXClient(17488): Using client-side OMX mux.
W/ServiceManager(  319): Permission failure: com.sonymobile.permission.ACCESS_DRM from uid=10331 pid=17488
W/ServiceManager(  319): Permission failure: com.sonymobile.permission.ACCESS_DRM from uid=10331 pid=17488
D/TaskPersister(  929): removeObsoleteFile: deleting file=4528_task.xml
D/TaskPersister(  929): removeObsoleteFile: deleting file=4528_task_thumbnail.png
I/OMXClient(17491): Using client-side OMX mux.
W/ServiceManager(  319): Permission failure: com.sonymobile.permission.ACCESS_DRM from uid=10331 pid=17491
W/ServiceManager(  319): Permission failure: com.sonymobile.permission.ACCESS_DRM from uid=10331 pid=17491
I/SampleTable(17491): There are reordered frames present.
I/OMXClient(17494): Using client-side OMX mux.
W/ServiceManager(  319): Permission failure: com.sonymobile.permission.ACCESS_DRM from uid=10331 pid=17494
W/ServiceManager(  319): Permission failure: com.sonymobile.permission.ACCESS_DRM from uid=10331 pid=17494
I/OMXClient(17502): Using client-side OMX mux.
W/ServiceManager(  319): Permission failure: com.sonymobile.permission.ACCESS_DRM from uid=10331 pid=17502
W/ServiceManager(  319): Permission failure: com.sonymobile.permission.ACCESS_DRM from uid=10331 pid=17502
D/ExtendedUtils(17502): checkDPFromVOLHeader: DP:0
I/OMXClient(17508): Using client-side OMX mux.
W/ServiceManager(  319): Permission failure: com.sonymobile.permission.ACCESS_DRM from uid=10331 pid=17508
E/QComExtractorFactory(17508): Sniff FAIL :: coundn't pull enough data for sniffing
W/ServiceManager(  319): Permission failure: com.sonymobile.permission.ACCESS_DRM from uid=10331 pid=17508
I/OMXClient(17511): Using client-side OMX mux.
W/ServiceManager(  319): Permission failure: com.sonymobile.permission.ACCESS_DRM from uid=10331 pid=17511
E/QComExtractorFactory(17511): Sniff FAIL :: coundn't pull enough data for sniffing
W/ServiceManager(  319): Permission failure: com.sonymobile.permission.ACCESS_DRM from uid=10331 pid=17511
I/OMXClient(17515): Using client-side OMX mux.
W/ServiceManager(  319): Permission failure: com.sonymobile.permission.ACCESS_DRM from uid=10331 pid=17515
W/ServiceManager(  319): Permission failure: com.sonymobile.permission.ACCESS_DRM from uid=10331 pid=17515
I/OMXClient(17518): Using client-side OMX mux.
W/ServiceManager(  319): Permission failure: com.sonymobile.permission.ACCESS_DRM from uid=10331 pid=17518
W/ServiceManager(  319): Permission failure: com.sonymobile.permission.ACCESS_DRM from uid=10331 pid=17518
F/        (17518): frameworks/av/media/libstagefright/foundation/ABitReader.cpp:34 CHECK_GT( mSize,0u) failed: 0 vs. 0
W/STAGEFRIGHT(17042): Device is vulnerable to cve-2015-3827.mp4
I/OMXClient(17521): Using client-side OMX mux.
W/ServiceManager(  319): Permission failure: com.sonymobile.permission.ACCESS_DRM from uid=10331 pid=17521
D/SuperStamina-WakelockHandler(  929): unblock uids
E/QComExtractorFactory(17521): Sniff FAIL :: coundn't pull enough data for sniffing
W/ServiceManager(  319): Permission failure: com.sonymobile.permission.ACCESS_DRM from uid=10331 pid=17521
E/PebbleApplication( 8769): [PblSyncAdapter] Unable to derive a proper sync target, not syncing!
I/OMXClient(17531): Using client-side OMX mux.
W/ServiceManager(  319): Permission failure: com.sonymobile.permission.ACCESS_DRM from uid=10331 pid=17531
E/QComExtractorFactory(17531): Sniff FAIL :: coundn't pull enough data for sniffing
W/ServiceManager(  319): Permission failure: com.sonymobile.permission.ACCESS_DRM from uid=10331 pid=17531
W/STAGEFRIGHT(17042): Device is vulnerable to cve-2015-3829.mp4

 

What does all this mean?

It means that 4.4.2 is vulnerable to:

cve-2015-1538 - cve-2015-3827 - cve-2015-3829

And 5.1.1 is vulnerable to these two:

cve-2015-3829 - cve-2015-3827

But wait, it may be wrong! And I'll explain why. Checking the code of the "custom" player used to perform the tests closely, there is something that actually is not OK: it's designed to return two different kinds of responses: "received signal %d" and "Could not resolve %s".

Now, do you know how many "signals" there are? Quite a few, but there is no log of the signal received, as it just checks for "received signal" in this piece of code:

if (((Utils.NativeResult) (obj)).out.contains("received signal") || ((Utils.NativeResult) (obj)).err.contains("received signal"))
{
    MainActivity.access$002(MainActivity.this, true);
    ZLog.w((new StringBuilder()).append("Device is vulnerable to ").append(s1).toString());
    ZLog.d(((Utils.NativeResult) (obj)).out);
    MainActivity.access$600(MainActivity.this).put(s1, Boolean.valueOf(true));
    break MISSING_BLOCK_LABEL_429;
}

.. but what if the signal received is set as "SIG_IGN" (Ignore)? What comes before the message "Device is vulnerable" in both KitKat and Lollipop shows us that somehow the requests get blocked or there are other errors, which makes it unsure whether this check actually works.

 

Sorry for the long comment, but it's my opinion that the issue exists and it has to be fixed. Anyway, I am really sure that this tool is NOT really helpful to tell if a device is vulnerable or not; it's probably a bait to get people to use their software.

 

Edit: It gives me more the impression that this tool is not working because the PoCs are not able to crash the mediaserver; if you check the PIDs, they remain untouched in both KitKat and Lollipop.

 

Ok, ok.. I know they probably didn't want to give the right PoCs, the ones that may crash the MediaServer, but this is an even better reason to think that this tool is not working correctly and cannot be used to correctly diagnose whether a device is affected or not.

 

My original comment is available here: https://forums.motorola.com/posts/1f0cc688bf?commentId=971531#971531



Wizardry is the key!
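
The decompiled check quoted in the post above treats any "received signal" text from the helper as a positive result and discards the signal number. As an added example (not code from the detector app, the post or Sony), this C program runs a helper in a child process and keeps the signal, separating a deliberate abort from a memory fault; the helper functions are constructed stand-ins, and mapping a failed validation check to SIGABRT is an assumption, since the page does not say which signal these Android builds deliver.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

typedef enum { SPAWN_FAILED, CLEAN_EXIT, ERROR_EXIT, DELIBERATE_ABORT,
               MEMORY_FAULT, OTHER_SIGNAL } verdict_t;

/* Same test as the decompiled code: any "received signal" text counts. */
int naive_is_vulnerable(const char *helper_output) {
    return strstr(helper_output, "received signal") != NULL;
}

/* Constructed stand-ins for what a helper might do with one test file. */
void helper_rejects_file(void) { _exit(1); }        /* parser returns an error */
void helper_check_fails(void)  { abort(); }         /* assumed: check ends in SIGABRT */
void helper_memory_fault(void) { raise(SIGSEGV); }  /* stand-in for a real fault */

/* Run one helper in a child process and classify how it ended. */
verdict_t run_and_classify(void (*helper)(void), int *signo) {
    int status;
    pid_t pid = fork();
    *signo = 0;
    if (pid < 0) return SPAWN_FAILED;
    if (pid == 0) {
        struct rlimit no_core = {0, 0};
        setrlimit(RLIMIT_CORE, &no_core);  /* no core files from the demo */
        signal(SIGSEGV, SIG_DFL);          /* make sure the signal is not ignored */
        helper();
        _exit(0);
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR) return SPAWN_FAILED;
    if (WIFEXITED(status)) return WEXITSTATUS(status) ? ERROR_EXIT : CLEAN_EXIT;
    if (!WIFSIGNALED(status)) return OTHER_SIGNAL;
    *signo = WTERMSIG(status);             /* the detail the naive check drops */
    if (*signo == SIGABRT) return DELIBERATE_ABORT;
    if (*signo == SIGSEGV || *signo == SIGBUS) return MEMORY_FAULT;
    return OTHER_SIGNAL;
}

int main(void) {
    int sig;
    verdict_t v = run_and_classify(helper_check_fails, &sig);
    printf("check failure: verdict=%d signal=%d\n", v, sig);
    v = run_and_classify(helper_memory_fault, &sig);
    printf("memory fault:  verdict=%d signal=%d\n", v, sig);
    return 0;
}
```
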
Enthusiast
Message 86 of 118

Re: Xperia Z2 23.4.A.1.200 update: Stagefright vulnerability

> Will this one get patched quickly?

 

LOL!  Er, no. No, it won't.

Learner
Message 87 of 118

Re: 5.1.1 UPDATE FAILING ALL STAGEFRIGHT CHECKS

Read the message two above - the Stagefright 1.0 detectors are wrongly detecting the security checks as flaws.

 

 

Stagefright 1.0 is fixed. Now only 2.0 is open..

Enthusiast
Message 88 of 118

Re: Stagefright vulnerability found in most (all) Android phones

er... 'till zimperium detector app is de facto the standard app to check this vulnerability why should i believe in anything else? my e4 didn't get any update since stagefright has been announced and i didn't get any straight answer on updates from sony.

 

and we always get that this is a user based forum, so why should i believe that zimperium is wrong and holy sony knows everything better?

 

Enthusiast
Message 89 of 118

Re: Stagefright vulnerability found in most (all) Android phones

Heh, i tried to follow that long, "technical" post (I'm a developer) but it missed out as much as it stated, and the author seemed confused. Absent a more coherent technical criticism I'm going to go with the author of the detector as being more accurate than sony/random people on the internet. Certainly my Nexus 10 has been patched by google in a way which makes all the warnings about vulnerability go away; I suggest Sony take the same approach.

One time poster
Message 90 of 118

Stagefright 2.0 CVE-2015-6602 and CVE-2015-3876

Is there a possibility sony will release a fix for new stagefright 2.0 security issue, CVE-2015-6602 and CVE-2015-3876?

I have a z1 compact with latest firmware (14.6.A.0.368) with fix for CVE-2015-3864

 

Thanks

Antonino