One Class to Rule Them All: Deserialization Vulnerabilities in Android presented at OWASPAppSecIsrael 2015

by Roee Hay,

Summary : The first is in the Android Platform and Google Play Services. The Platform instance affects Android 4.3-5.1, M (Preview 1) or 55% of Android devices at the time of writing. This vulnerability allows for arbitrary code execution in the context of many apps and services and results in elevation of privileges. In this talk we also demonstrate a Proof-of-Concept exploit against the Google Nexus 5 device, that achieves code execution inside the highly privileged system_server process, and then either replaces an existing arbitrary application on the device with our own malware app or changes the device’s SELinux policy. For some other devices, we are also able to gain kernel code execution by loading an arbitrary kernel module. We had responsibly disclosed the vulnerability to Android Security Team which tagged it as CVE-2015-3825 (internally as ANDROID-21437603/21583894) and patched Android 4.4 / 5.x / M and Google Play Services.
For the sake of completeness we also made a large scale experiment over 32,701 of Android applications, finding similar deserialization vulnerabilities, identified by CVE-2015-2000/1/2/3/4/20, in 6 SDKs affecting multiple apps. We responsibly (privately) contacted the SDKs’ vendors or code maintainers so they would provide patches. Further analysis showed that many of the SDKs were vulnerable due to weak code generated by SWIG, an interoperability tool that connects C/C++ with variety of languages, when fed with some bad configuration given by the developer. We therefore worked closely with the SWIG team to make sure it would generate more robust code — patches are available.