Security researchers have uncovered a zero-day deserialization vulnerability that allows for arbitrary code execution in 55% of Android devices.
For their presentation at USENIX WOOT ’15, researchers Or Peles and Roee Hay at IBM Security explain that their vulnerability (CVE-2015-3825) can be exploited in the context of many apps and can be used to effect an elevation in privileges.
In a research paper, Peles and Hay demonstrate a proof-of-concept (PoC) for their vulnerability against a Google Nexus 5 device that relies on code execution within the highly privileged
“Our exploit targets system_server. It achieves code execution by overwriting a callback function pointer and then triggering a call to that pointer,” explains Peles in a post for IBM Security Intelligence. “This allows us to control the program counter (PC). We point the PC to a gadget that does the Stack-Pivoting technique. Our return-oriented programming (ROP) chain then allocates a memory page as executable, which is allowed as per system_server‘s SElinux policy, and copies our payload to that page.”
Using their payload, the researchers were then able to replace the code (APK) of arbitrary apps, exfiltrate data from arbitrary apps, change SElinux policy rules, and lLoad arbitrary kernel modules in devices with kernel compiled with CONFIG_MODULES.
The vulnerability lies within the Android platform itself, OpenSSLX509Certificate, and it affects versions 4.3-5.0–Jelly Bean, Kit Kat, and Lollipop–as well as the M Preview 1.
A video demo of the researchers’ PoC can be viewed below. Here they replace the real Facebook app with a real one called Fakebook:
In addition to the Android serialization vulnerability, the researchers also found a series of vulnerabilities in third-party Android Software Development Kits (SDKs) that attackers could exploit in order to remotely execute code from apps that use those SDKs.
A patch has been developed for the Android serialization vulnerability, and no exploits have yet been detected in the wild. However, most Android users will not receive it for some time until Google implements its new monthly Android update cycle, which the tech giant created in response to the recent disclosure of the Android “Stagefright” vulnerability.