A security loophole in versions of the Android mobile operating system below 5.0 puts every device running them at risk of privilege escalation attacks. The vulnerability has been patched in the latest version, Android 5.0 Lollipop.
Android 5.0 Lollipop is the latest Android operating system from tech giant Google. Google describes Lollipop 5.0 as “the largest Android release yet,” with more than 5,000 new APIs. But users are being warned not to upgrade their mobile operating system immediately, after some who did experienced device slowdowns, broken apps and repeated crashes.
The vulnerability (CVE-2014-7911), discovered by security researcher Jann Horn, could allow an attacker to bypass the Address Space Layout Randomization (ASLR) defense and execute arbitrary code of their choice on a target Android device under certain circumstances. ASLR is a defense that randomizes where code and data are placed in memory, making memory-corruption attacks such as buffer overflows harder to exploit reliably. The security vulnerability resides in java.io.ObjectInputStream, which fails to check whether an object that is being deserialized is actually a serializable object. Horn reported the loophole to Google earlier this year.
According to Horn, Android applications can communicate with system_server, which runs with elevated privileges (UID 1000, the system user), using Intents with attached Bundles; these are “transferred as arraymap Parcels and arraymap Parcels can contain serialized data.” This way any Android app can attack system_server. After listening to a talk at a university about a bug in a PHP web application involving deserialization of attacker-provided input data, Horn thought about serialization in other contexts, such as the Android mobile operating system. Knowing that Java checks that the classes being deserialized are actually serializable, and that ObjectInputStream sometimes receives untrusted input, he wondered whether the Android developers had taken the precaution of performing that check in this scenario. “Went home, checked, the [vulnerability] was there,” Horn writes in a Reddit thread about the security vulnerability.
“When ObjectInputStream is used on untrusted inputs, an attacker can cause an instance of any class with a non-private parameterless constructor to be created,” the security advisory from Horn says. “All fields of that instance can be set to arbitrary values.”
“The malicious object will then typically either be ignored or cast to a type to which it doesn’t fit, implying that no methods will be called on it and no data from it will be used. However, when it is collected by the GC, the GC will call the object’s finalize method.”
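The standard Java mitigation for the problem Horn describes, as an added example rather than code from his advisory or from Android: an ObjectInputStream subclass whose resolveClass() override admits only an explicit allowlist of classes, so an unexpected class in an untrusted stream is rejected before any instance exists and before any finalize() can ever run. The Greeting class, the allowlist and the sample streams are constructed for this demonstration.

```java
import java.io.*;
import java.util.Set;

public class SafeDeserialization {
    // The one type this hypothetical consumer expects to receive (constructed for the demo).
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    // resolveClass() runs before the object is instantiated, so rejecting here means no
    // constructor runs, no fields are populated and the object never reaches finalize().
    static final class AllowlistInputStream extends ObjectInputStream {
        private final Set<String> allowed;
        AllowlistInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class not on allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    // Helper to build a serialized stream for the demonstration.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Deserializes untrusted bytes; anything but a Greeting fails inside resolveClass().
    static Greeting readGreeting(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowlistInputStream(
                new ByteArrayInputStream(untrusted), Set.of(Greeting.class.getName()))) {
            return (Greeting) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(readGreeting(serialize(new Greeting("hello"))).text);
        // A serializable but unexpected class: rejected with InvalidClassException.
        readGreeting(serialize(new java.util.ArrayList<String>()));
    }
}
```

Set.of requires Java 9 or later; on older runtimes substitute Collections.singleton. On Android, the same resolveClass() override works, and the more general rule is simply never to hand ObjectInputStream data from another app without such a restriction.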
To explain the issue, he has published technical details and developed a proof-of-concept (PoC) that crashes system_server. So far, no full exploit of the bug has been created, and Horn is not entirely sure how predictable the address layout of system_server really is, or how easy it is to write a large amount of data into system_server’s heap. However, to exploit this vulnerability on a vulnerable device, an attacker first needs to get a malicious app onto the target device.
Horn disclosed the security bug to the Android development team on June 22, and after addressing it, on November 3 a patch was delivered in Android Lollipop as part of the AOSP (Android Open Source Project) code release; earlier versions of Android remain vulnerable.