Freely subscribe to our NEWSLETTER

This bulletin was written by Vigil@nce : http://vigilance.fr/offer

SYNTHESIS OF THE VULNERABILITY

A local attacker, or a malicious application, can thus use the
Serialization on Android OS, in order to escalate his privileges.

Impacted products: Android Applications not comprehensive,
ArcGIS for Desktop, Android OS, Unix (platform) not
comprehensive.

Severity: 2/4.

Creation date: 12/08/2015.

DESCRIPTION OF THE VULNERABILITY

A Java class can:
– be serializable, and
– contain a finalize method, and
– contain an attacker-controlled field

However, in this case, an attacker can change the attribute, and
thus inject code which is run during the finalize() method by the
Android garbage collector.

There are several Java classes with the three required
characteristics:
– the OpenSSLX509Certificate class of Android OS (CVE-2015-3825)
– classes from the SDK Jumio (CVE-2015-2000), used by
applications built with this SDK
– classes from the SDK MetaIO (CVE-2015-2001), used by
applications built with this SDK
– classes from the SDK PJSIP PJSUA2 (CVE-2015-2003), used by
applications built with this SDK
– classes from the SDK GraceNote GNSDK (CVE-2015-2004), used by
applications built with this SDK
– classes from the SDK MyScript (CVE-2015-2020), used by
applications built with this SDK
– classes from the SDK esri ArcGis (CVE-2015-2002), used by
applications built with this SDK

A local attacker, or a malicious application, can thus use the
Serialization on Android OS, in order to escalate his privileges.

ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN

http://vigilance.fr/vulnerability/Android-privilege-escalation-via-Serialization-17645