
Threat Advisory – CVE-2014-7911: A New Root Exploit for Android

In late November, we sent a customer advisory and published a blog post regarding a new privilege escalation exploit that affects all versions of Android prior to 5.0 (Lollipop). We’d like to update you on two new Android exploits, based on this vulnerability, that were published at the beginning of January.

This new privilege escalation vulnerability has recently been exploited in the wild by two rooting tools. At this time, the vulnerability is being exploited on two devices, the Sony Xperia Z3 and Z3C, but it could be exploited on any device running a version of Android older than Lollipop.

How does the attack work?

There are several ways an attack based on this exploit could be implemented:

What are the consequences of an attack?

An attacker can use the vulnerability to do the following:

Which devices are affected?

This vulnerability is currently being exploited on two devices:

However, this vulnerability can be exploited on any device running an Android version older than Lollipop (Android 5.0).

How can enterprises minimize exposure?

Are Lacoon customers protected?

Yes. If an attack does occur, Lacoon will detect the exploitation of this vulnerability regardless of the device type.

Technical Overview

In Android versions older than 5.0 (Lollipop), java.io.ObjectInputStream does not validate whether the class of the object being deserialized actually implements Serializable. This means that when ObjectInputStream is used on untrusted input, an attacker can trigger the creation of an instance of any class that has a non-private parameterless constructor, and all fields of that instance can be set to arbitrary values.

The malicious object will then typically either be ignored or cast to a type it does not match, so no methods are called on it and none of its data is used. However, when the Garbage Collector collects the object, it calls the object’s finalize method.

The Android system_service runs under UID 1000 and, amongst other things (as mentioned above), can change into the context of any app and/or install new applications with arbitrary permissions. Apps talk to it using Intents with attached Bundles. Bundles are transferred as arraymap Parcels, and arraymap Parcels can contain serialized data. This means that any app can attack the system_service this way.

By attacking the system_service in this way, an attacker can get permissions to install or remove applications and access any user/application data that the attacker wants to access.

More information
