Android <5.0 Privilege Escalation using ObjectInputStream (CVE-2014-7911)
Publication date: 08 October 2015
Severity: High
Advisory date: 08 October 2015
Description
This is one of the vulnerabilities used by the GiefRoot exploit kit, which Retro Tetris, a malicious Android app, downloads onto the device. This malicious gaming app is published on Google Play and is capable of rooting devices.
An attacker may cause an instance of any class with a non-private parameterless constructor to be created when ObjectInputStream is used on untrusted input. In addition, an attacker may execute arbitrary code via a crafted finalize method for a serialized object in an ArrayMap Parcel within an intent sent to system_service.
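A defensive pattern for code that must deserialize untrusted input is to check each class before it is instantiated. The following is an added example, not code from this advisory and not Android's own fix; the class name `AllowlistObjectInputStream`, its helper methods and the allowlist contents are assumptions made for illustration.

```java
import java.io.*;
import java.util.*;

// Added example: look-ahead deserialization filter (hypothetical class, not Android's patch).
public class AllowlistObjectInputStream extends ObjectInputStream {
    private final Set<String> allowed;

    public AllowlistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
        super(in);
        this.allowed = allowed;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        // Reject by name before the class is loaded or instantiated.
        if (!allowed.contains(name)) {
            throw new InvalidClassException(name, "class not on deserialization allowlist");
        }
        Class<?> cl = super.resolveClass(desc);
        // A descriptor in the stream is not proof that the local class is Serializable.
        if (!Serializable.class.isAssignableFrom(cl)) {
            throw new InvalidClassException(name, "class does not implement Serializable");
        }
        return cl;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object read(byte[] data, Set<String> allowed) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in =
                 new AllowlistObjectInputStream(new ByteArrayInputStream(data), allowed)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Set<String> allowed = Collections.singleton("java.util.ArrayList");
        // Constructed sample inputs: one allowed type, one type outside the allowlist.
        System.out.println(read(serialize(new ArrayList<>(Arrays.asList("a", "b"))), allowed));
        try {
            read(serialize(new Date()), allowed);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because the check runs in `resolveClass`, a class outside the allowlist is rejected before any constructor runs, so no object with an attacker-chosen `finalize` method is ever created.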