Vigil@nce - Android: privilege escalation via Serialization
October 2015 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker, or a malicious application, can thus use the
Serialization on Android OS, in order to escalate his privileges.
Impacted products: Android Applications not comprehensive,
ArcGIS for Desktop, Android OS, Unix (platform) not
comprehensive.
Severity: 2/4.
Creation date: 12/08/2015.
DESCRIPTION OF THE VULNERABILITY
A Java class can:
– be serializable, and
– contain a finalize method, and
– contain an attacker-controlled field
However, in this case, an attacker can change the attribute, and
thus inject code which is run during the finalize() method by the
Android garbage collector.
There are several Java classes with the three required
characteristics:
– the OpenSSLX509Certificate class of Android OS (CVE-2015-3825)
– classes from the SDK Jumio (CVE-2015-2000), used by
applications built with this SDK
– classes from the SDK MetaIO (CVE-2015-2001), used by
applications built with this SDK
– classes from the SDK PJSIP PJSUA2 (CVE-2015-2003), used by
applications built with this SDK
– classes from the SDK GraceNote GNSDK (CVE-2015-2004), used by
applications built with this SDK
– classes from the SDK MyScript (CVE-2015-2020), used by
applications built with this SDK
– classes from the SDK esri ArcGis (CVE-2015-2002), used by
applications built with this SDK
A local attacker, or a malicious application, can thus use the
Serialization on Android OS, in order to escalate his privileges.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Android-privilege-escalation-via-Serialization-17645