Tuesday, October 13 • 16:00 - 16:30
One Class to Rule Them All: Deserialization Vulnerabilities in Android


The first is in the Android Platform and Google Play Services. The Platform instance affects Android 4.3-5.1 and M (Preview 1), or 55% of Android devices at the time of writing. This vulnerability allows for arbitrary code execution in the context of many apps and services and results in elevation of privileges. In this talk we also demonstrate a Proof-of-Concept exploit against the Google Nexus 5 device that achieves code execution inside the highly privileged system_server process, and then either replaces an existing arbitrary application on the device with our own malware app or changes the device’s SELinux policy. For some other devices, we are also able to gain kernel code execution by loading an arbitrary kernel module. We responsibly disclosed the vulnerability to the Android Security Team, which tagged it as CVE-2015-3825 (internally as ANDROID-21437603/21583894) and patched Android 4.4 / 5.x / M and Google Play Services.

For the sake of completeness we also ran a large-scale experiment over 32,701 Android applications, finding similar deserialization vulnerabilities, identified by CVE-2015-2000/1/2/3/4/20, in 6 SDKs affecting multiple apps. We responsibly (privately) contacted the SDKs’ vendors or code maintainers so they would provide patches. Further analysis showed that many of the SDKs were vulnerable due to weak code generated by SWIG, an interoperability tool that connects C/C++ with a variety of languages, when fed with some bad configuration given by the developer. We therefore worked closely with the SWIG team to make sure it would generate more robust code; patches are available.


Roee Hay

IBM Security
Roee leads the X-Force Application Security Research Team at IBM Security. His team focuses on discovering new vulnerabilities and attacks. In recent years, his team has discovered several high severity vulnerabilities in the Android Platform and SDKs.

Tuesday October 13, 2015 16:00 - 16:30 IDT
Main Auditorium
  Track 1
