Proof-of-concept available, full exploit not developed

Nov 19, 2014 21:51 GMT  ·  By

A security risk in Android versions below 5.0 (Lollipop) could allow a potential attacker to bypass the ASLR defense and execute code of their choice.

The glitch lies in the deserialization of input data: Android's java.io.ObjectInputStream failed to check whether an object's class is in fact serializable before reconstructing the object from the byte stream.

In the context of data storage, an object is turned into a sequence of bytes (serialization) so that its current state can be saved to a persistent storage medium; the procedure can be reversed (deserialization) to obtain a copy of the object.

The idea of checking for the glitch came from a presentation of deserialization flaws

A technical description of the bug has been provided by Jann Horn, the security researcher who discovered the flaw. He says that apps can communicate with system_service, which runs with admin privileges (UID 1000), using Intents with attached Bundles; these “are transferred as arraymap Parcels and arraymap Parcels can contain serialized data. This means that any app can attack the system_service this way,” the advisory says.

Horn thought about serialization in other contexts, such as Android, after hearing a talk about a vulnerability in a PHP web app involving deserialization of attacker-provided input data.

Knowing that standard Java verifies that the classes being deserialized are in fact serializable, and that ObjectInputStream may receive untrusted input, he checked whether the Android developers had taken the same precaution in this scenario. “Went home, checked, the vuln was there,” he writes in a thread about the bug on Reddit.

No exploit has been created

The researcher also developed a proof-of-concept that crashes system_service in order to demonstrate the issue. A full exploit has not been created, and the test was carried out on a Google Nexus 5 running Android 4.4.4; as such, Horn is not sure how the weakness could be exploited on vulnerable devices.

Turning this method into a full root exploit cannot be done without leveraging another vulnerability, because the system UID is restricted from gaining root privileges.

Horn disclosed his finding to the Android development team on June 22 and during the following week he also produced the proof-of-concept and received an answer acknowledging the problem.

On November 3, a patch was delivered in Android Lollipop as part of the AOSP (Android Open Source Project) code release.

The researcher says the checks implemented by the developers appear to be effective and that similar glitches should not be possible.