A security researcher has discovered a flaw in versions of the Android mobile operating system below 5.0 that puts billions of devices at risk.
In a post on The Hacker News, Jann Horn discusses how his security vulnerability (CVE-2014-7911) could allow attackers to bypass Address Space Layout Randomization (ASLR) and in certain instances execute code on devices running older Android versions.
The bug exploits java.io.ObjectInputStream, a feature which in Android versions below Lollipop does not check whether an object is serializable before reversing the process and deserializing its input data.
Serialization is a process crucial to data storage in which an object is converted into a stream of bytes. This allows for the state of the object to be stored in a database or file, with the user being able to reverse the process at their discretion.
“The Android system_service runs under UID 1000 and can change into the context of any app, install new applications with arbitrary permissions, and so on,” explains Horn.
Apps can talk to system_service using Intents with attached Bundles, which are transferred as arraymap Parcels that can contain serialized data. This means that any app can attack the system_service this way.
The security researcher first thought of serialization on Android devices after hearing a university talk on a PHP web app vulnerability that involved the deserialization of attacker-provided input data.
According to a thread he posted on Reddit, the security researcher assumed that Android’s developers might have forgotten to check ObjectInputStream for whether it receives untrusted inputs because the bug is not apparent during normal testing.
Horn confirmed the existence of the vulnerability shortly thereafter and submitted a proof-of-concept to the Android development team back in June.
He has not developed a full root exploit, however, for as the UID is restricted from gaining root privileges, another vulnerability may need to be utilized.
A patch for Android Lollipop was issued earlier in November as part of the AOSP (Android Open Source Project) code release.
All Android versions below 5.0 are still vulnerable.