A new critical flaw affects Android OS except Lollipop

The security researcher Jann Horn discovered a privilege escalation flaw that affects Android OS devices except the Lollipop version.

A critical vulnerability affects the Android OS versions prior to 5.0 that could be exploited by an attacker to bypass ASLR and run arbitrary code on a target device under specific conditions. The vulnerability was fixed in the latest version of the Google mobile OS, the Lollipop version released earlier this week.

The vulnerability resides in java.io.ObjectInputStream that fails to check that the class of an object being deserialized is still conformed the requirements for serializations.

The flaw was discovered by the security researcher Jann Horn that reported it to Google earlier this year.

“This means that when ObjectInputStream is used on untrusted inputs, an attacker can cause an instance of any class with a non-private parameterless constructor to be created. All fields of that instance can be set to arbitrary values. The malicious object will then typically either be ignored or cast to a type to which it doesn’t fit, implying that no methods will be called on it and no data from it will be used. However, when it is collected by the GC, the GC will call the object’s finalize method,” states the security advisory from Horn says.

“The class android.os.BinderProxy contains a finalize method that calls into native code. This native code will then use the values of two fields of type int/long (depends on the Android version), cast them to pointers and follow them. On Android 4.4.3, this is where one of those pointers ends up. r0 contains the attacker-supplied pointer, and if the attacker can insert data into the process at a known address, he ends up gaining arbitrary code execution in system_server.”

According to the security experts is very difficult to rate the exploitability of the flaw in the Android OS.

“An attacker would need to get a malicious app onto the device in order for this to work. The app would need no permissions,” he said. “However, I don’t have a full exploit for this issue, just the crash PoC, and I’m not entirely sure about how predictable the address layout of the system_server really is or how easy it is to write a large amount of data into system_server’s heap (in order to make less accurate guesses for the memory position work). It might be necessary to crash system_server once in order to make its memory layout more predictable for a short amount of time, in which case the user would be able to notice the attack, but I don’t think that’s likely.”

The number of cyber attacks against Android OS based mobile devices is rapidly increasing and the presence of such vulnerabilities represents an element of concern for security experts.  The patch management appears very complicated in some cases for mobile platforms because carriers are responsible for providing updates to end users, but the process is often slow leaving users exposed to cyber threats for long periods.

Pierluigi Paganini

(Security Affairs –  Android OS, mobile)