How exactly does the Stagefright Vulnerability work on Android?

The details will be released on the 5th of august. However, on the Cyanogenmod github repository there are several interesting details that appear to be related: it appears that certain fields in 3GPP video metadata are vulnerable to buffer overflow attacks. In short, a 3GPP video can be given a string of metadata that, at first, exceeds a certain length, and in the end includes machine code that lands in memory that is off-limits to the application.

Update: Cyanogenmod has released a patch for this vulnerability.


In addition to the commits shown on github, Trend Labs have also posted a more detailed explanation of the integer overflow vulnerability (CVE-2015-3824) on their security blog. They demonstrate how it can be exploited from within an app, from a URL, and using MMS messages.

EDIT: I was able to create an MP4 file that crashes my mediaserver process using this vulnerability. You're supposed to see it inside logcat.

Update: As of 2016, there are now very detailed explanations and exploitations of this vulnerability. Look at the great Metaphor exploit paper for example.