- CVE numbers: CVE-2014-7911 [fulldisclosure-ois]
- Coordinated disclosure?: true
- Categories: system
- Details: In Android <5.0, java.io.ObjectInputStream did not check whether the object being deserialized actually implements Serializable. That issue was fixed in Android 5.0. This means that when ObjectInputStream is used on untrusted input, an attacker can cause an instance of any class with a non-private parameterless constructor to be created, with all fields of that instance set to arbitrary values. The malicious object will then typically either be ignored or cast to a type it doesn't fit, meaning that no methods will be called on it and no data from it will be used. However, when it is collected by the GC, the GC will call the object's finalize method. [fulldisclosure-ois]
luni/src/main/java/java/io/ObjectInputStream.java in the java.io.ObjectInputStream implementation in Android before 5.0.0 does not verify that deserialization will result in an object that meets the requirements for serialization, which allows attackers to execute arbitrary code via a crafted finalize method for a serialized object in an ArrayMap Parcel within an intent sent to system_service, as demonstrated by the finalize method of android.os.BinderProxy, aka Bug 15874291. [CVE-2014-7911]
A proof-of-concept local root exploit is available [CVE-2014-7911_poc]
- Discovered by: Jann Horn [fulldisclosure-ois] on: 2014-06-22 [fulldisclosure-ois]
- Reported on: 2014-11-14 [fulldisclosure-ois]
- Fixed on: 2014-06-25 [ois-fix]
- Fix released on: 2014-11-03 [citation-needed]
- Affected versions: 1.0-4.4.4 [CVE-2014-7911] regex: ([1-3].[0-9].[0-9])|(4.[0-3].[0-9])|(4.4.[0-4])
- Affected devices: all [fulldisclosure-ois]
- Affected manufacturers: all [fulldisclosure-ois]
- Fixed versions: 5.0.0 [CVE-2014-7911]
- Submission: by: Jann Horn, on: 2014-12-14; by: Laurent Simon, on: 2015-03-12
- CVE numbers: CVE-2013-3685 [citation-needed]
- Coordinated disclosure?: true
- Categories: system
- Details: Race condition in Sprite Software's backup software, installed by OEM on LG Android devices. [fulldisclosure-2013-06-196]
- Discovered by: Justin Case jcase@cunninglogic.com [fulldisclosure-2013-06-196] on: 2013-06-24 [fulldisclosure-2013-06-196]
- Reported on: 2013-06-24 [fulldisclosure-2013-06-196]
- Fixed on: Unknown
- Fix released on: Unknown
- Affected versions: spritebud 1.3.24, 1.3.28; backup 2.5.4105, 2.5.4108 [citation-needed] regex:
- Affected devices: (LG-E971:LG Optimus G, LG-E973:LG Optimus G, LG-E975:LG Optimus G, LG-E975K:LG Optimus G, LG-E975T:LG Optimus G, LG-E976:LG Optimus G, LG-E977:LG Optimus G, LG-F100K:LG Optimus Vu, LG-F100L:LG Optimus Vu, LG-F100S:LG Optimus Vu, LG-F120K:LG Optimus Vu, LG-F120L:LG Optimus LTE Tag, LG-F120S:LG Optimus LTE Tag, LG-F160K:LG Optimus LTE 2, LG-F160L:LG Optimus LTE 2, LG-F160LV:LG Optimus LTE 2, LG-F160S:LG Optimus LTE 2, LG-F180K:LG Optimus G, LG-F180L:LG Optimus G, LG-F180S:LG Optimus G, LG-F200K:LG Optimus Vu 2, LG-F200L:LG Optimus Vu 2, LG-F200S:LG Optimus Vu 2, LG-F240K:LG Optimus G Pro, LG-F240L:LG Optimus G Pro, LG-F240S:LG Optimus G Pro, LG-F260K:LG Optimus LTE 3, LG-F260L:LG Optimus LTE 3, LG-F260S:LG Optimus LTE 3, LG-L21:LG Optimus G, LG-LG870:LG (Unknown), LG-LS860:LG Mach, LG-LS970:LG Optimus G, LG-P760:LG Optimus L9, LG-P769:LG Optimus L9, LG-P780:LG Optimus L7, LG-P875:LG Optimus F5, LG-P875h:LG Optimus F5, LG-P880:LG Optimus 4X HD, LG-P940:LG Prada, LG-SU540:LG Prada 3.0, LG-SU870:LG Optimus 3D Cube, LG-US780:LG Lollipop) [fulldisclosure-2013-06-196]
- Affected manufacturers: LG [citation-needed]
- Fixed versions:
- Submission: by: Daniel R. Thomas, on: 2013-08-28; by: Justin Case, on: 2014-02-08
- CVE numbers:
- Coordinated disclosure?: true
- Categories: signature
- Details: The software does not properly validate an application's certificate chain. An application can supply a specially crafted application identity certificate to impersonate a privileged application and gain access to vendor-specific device administration extensions. The vulnerability resides in the createChain() and findCert() functions of the Android JarUtils class. [securitytracker-1030654]
Google bug 13678484 [blackhat-briefing-fakeid]
- Discovered by: Jeff Forristal of Bluebox [bluebox-fakeid] on: Unknown
- Reported on: 2014-07-29 [ars-fake-id]
- Fixed on: 2014-04-17 [fakeid-patch]
- Fix released on: Unknown
- Affected versions: 2.1 -- 4.4 [ars-fake-id] regex: (2.[1-9].[0-9])|(3.[0-9].[0-9])|(4.[0-3].[0-9])|(4.4.[0-4])
- Affected devices:
- Affected manufacturers: all [bluebox-fakeid]
- Fixed versions: there is no single, specific “fixed” version of Android. In fact, multiple vendors are maintaining the same prior version number, and only patching the functionality. We have confirmed “fixed” versions existing within the ranges of 4.1, 4.2, 4.3, and 4.4 [bluebox-fakeid]
- Submission: by: Khilan Gudka, on: 2014-07-29; by: Daniel R. Thomas, on: 2014-09-09; by: Jeff Forristal, on: 2014-09-11
- CVE numbers: CVE-2011-2357 [watchfire-crossapp][archived]
- Coordinated disclosure?: true
- Categories: app
- Details: The Android browser could be tricked into running JavaScript in the domain of a different app [watchfire-crossapp][archived]
- Discovered by: Roee Hay and Yair Amit of the IBM Rational Application Security Research Group [citation-needed] on: Unknown
- Reported on: 2011-07-31 [watchfire-crossapp][archived]
- Fixed on: 2011-06-20 [browser-fix]
- Fix released on: Unknown
- Affected versions: 2.3.4, 3.1 [watchfire-crossapp][archived] regex:
- Affected devices: all [citation-needed]
- Affected manufacturers: all [citation-needed]
- Fixed versions: 2.3.5, 3.2 [citation-needed]
- Submission: by: Roee Hay, on: 2015-10-15
- CVE numbers: CVE-2015-3837 [CVE-2015-3837], CVE-2015-3825 [woot15-paper-peles], ANDROID-21437603 [woot15-paper-peles], ANDROID-21583849 [woot15-paper-peles]
- Coordinated disclosure?: true
- Categories: system
- Details: This vulnerability allows for arbitrary code execution in the context of many apps and services and results in elevation of privileges. There is a Proof-of-Concept exploit against the Google Nexus 5 device that achieves code execution inside the highly privileged system_server process, and then either replaces an existing arbitrary application on the device with our own malware app or changes the device’s SELinux policy. For some other devices, it is also possible to gain kernel code execution by loading an arbitrary kernel module. This vulnerability was responsibly disclosed to the Android Security Team, which tagged it as CVE-2015-3825 internally as ANDROID-21437603/ANDROID-21583849 and patched Android 4.4 / 5.x / M and Google Play Services. [woot15-paper-peles]
CVE-2015-3825 is the wrong CVE number (duplicate), CVE-2015-3837 should be used instead [CVE-2015-3825]
The OpenSSLX509Certificate class in org/conscrypt/OpenSSLX509Certificate.java in Android before 5.1.1 LMY48I improperly includes certain context data during serialization and deserialization, which allows attackers to execute arbitrary code via an application that sends a crafted Intent, aka internal bug 21437603. [CVE-2015-3837]
- Discovered by: Or Peles and Roee Hay {orpeles,roeeh}@il.ibm.com [woot15-paper-peles] on: 2015-05-22 [woot15-paper-peles]
- Reported on: 2015-06-01 [NexusSecurityBulletinAugust2015][archived]
- Fixed on: 2015-05-28 [OneClassPatch]
- Fix released on: 2015-08-05 [droid-life-5-1-1-lmy48i][archived]
- Affected versions: 4.3-5.1, M (Preview 1) [woot15-paper-peles] regex: (4.[0-3].[0-9])|(4.4.[0-4])|(5.0.[0-9])|(5.1.[0-1])
- Affected devices: all [citation-needed]
- Affected manufacturers: all [citation-needed]
- Fixed versions: 4.4, 5.x, M [woot15-paper-peles]
- Submission: by: Laurent Simon, on: 2015-08-10; by: Roee Hay, on: 2015-10-14
- CVE numbers:
- Coordinated disclosure?: false
- Categories:
- Details: Vulnerability affecting LG devices released between 2012 and 2014 [xda-developers-stumproot]
- Discovered by: thecubed [xda-developers-stumproot] on: Unknown
- Reported on: 2014-08-17 [xda-developers-stumproot]
- Fixed on: Unknown
- Fix released on: Unknown
- Affected versions: regex:
- Affected devices: Verizon LG G3, T-Mobile LG G3, AT&T LG G3, Sprint LG G3, D852G Videotron 10C, D852 Rogers 10B, D852 Bell 10B, Flex D959 TMobile, LG-D855, LG-D858, LG-D855, LG-D851, LG-F400L [xda-developers-stumproot]
- Affected manufacturers: LG [xda-developers-stumproot]
- Fixed versions:
- Submission: by: Daniel R. Thomas, on: 2016-03-18; by: Stephan Kollmann, on: 2015-10-14
- CVE numbers: CVE-2015-3636 [avs-test-pingpong][archived]
- Coordinated disclosure?: false
- Categories:
- Details: Wen Xu and wushi of KeenTeam discovered that users allowed to create ping sockets can use them to crash the system and, on 32-bit architectures, for privilege escalation. However, by default, no users on a Debian system have access to ping sockets. [dsa-3290]
- Discovered by: Wen Xu and wushi of KeenTeam [dsa-3290] on: Unknown
- Reported on: 2015-05-08 [xda-developers-pingpongroot]
- Fixed on: Unknown
- Fix released on: Unknown
- Affected versions: regex:
- Affected devices: Samsung Galaxy S6 Edge [xda-developers-pingpongroot], HTC One (M9) [xda-developers-pingpongroot], Samsung Galaxy S6 [xda-developers-pingpongroot]
- Affected manufacturers: Samsung [xda-developers-pingpongroot], HTC [xda-developers-pingpongroot]
- Fixed versions: 5.0.2,5.1.1 [xda-developers-pingpongroot]
- Submission: by: Daniel R. Thomas, on: 2016-03-18; by: Stephan Kollmann, on: 2015-10-14
- CVE numbers: CVE-2015-7888 [projectzero-489]
- Coordinated disclosure?: true
- Categories: system
- Details: A path traversal vulnerability was found in the WifiHs20UtilityService. This service is running on a Samsung S6 Edge device, and may be present on other Samsung device models. WifiHs20UtilityService reads any files placed in /sdcard/Download/cred.zip, and unzips this file into /data/bundle. Directory traversal in the path of the zipped contents allows an attacker to write a controlled file to an arbitrary path as the system user. [citation-needed]
- Discovered by: Mark Brand [projectzeroblog-huntinggalaxy] on: 2015-07-29 [citation-needed]
- Reported on: 2015-07-29 [citation-needed]
- Fixed on: 2015-10-22 [projectzero-489]
- Fix released on: Unknown
- Affected versions: regex:
- Affected devices: Samsung S6 Edge and may be present in other Samsung device models [projectzero-489]
- Affected manufacturers: Samsung [projectzero-489]
- Fixed versions:
- Submission: by: Daniel R. Thomas, on: 2016-03-18; by: Stephan Kollmann, on: 2015-10-14