
Android OpenSSLX509Certificate Deserialization Code Execution

Aleph Research Advisory

Identifier

Severity

High

Product

Android

Vulnerable Version

Android 4.3 - 5.1

Mitigation

Apply patches

Technical Details

OpenSSLX509Certificate is a Serializable class that holds a native pointer, and its ‘finalize’ method later passes that pointer to a native function. Because the pointer value is read from the serialized object, a malicious app can supply an arbitrary value, and the native call then operates on attacker-controlled memory, eventually allowing code execution. Since this class is part of the Android framework, any privileged process that deserializes attacker-supplied objects, such as system_server, can be made to execute code with its privileges.
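The bug class described above, as an added illustration that is not the advisory's or AOSP's code: a Serializable holder of a native pointer whose finalize() hands that pointer to native code, beside a hardened shape in which the pointer is transient and finalize() refuses a zero value. The class and method names (NativeStub, freeContext, VulnerableHolder, HardenedHolder) are hypothetical, the JNI layer is replaced by a stub that only records the value it receives, and the transient-plus-zero-check hardening is shown as one standard mitigation for this pattern, not as the exact patch that shipped.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class FinalizePointerDemo {

    // Hypothetical stand-in for the JNI layer (the real NativeCrypto call is not modeled).
    // It records the pointer it was handed instead of freeing native memory.
    static final class NativeStub {
        static long lastFreed = -1;
        static void freeContext(long ctx) { lastFreed = ctx; }
    }

    // Vulnerable shape: the native pointer is an ordinary serialized field, so whoever
    // builds the byte stream chooses its value, and finalize() passes it to native code.
    static class VulnerableHolder implements Serializable {
        private static final long serialVersionUID = 1L;
        private final long mContext;
        VulnerableHolder(long ctx) { mContext = ctx; }
        @Override protected void finalize() throws Throwable {
            try { NativeStub.freeContext(mContext); } finally { super.finalize(); }
        }
    }

    // Hardened shape: the pointer is transient, so it is never read from the stream
    // (a deserialized instance holds 0), and finalize() refuses a zero pointer.
    static class HardenedHolder implements Serializable {
        private static final long serialVersionUID = 1L;
        private transient final long mContext;
        HardenedHolder(long ctx) { mContext = ctx; }
        @Override protected void finalize() throws Throwable {
            try { if (mContext != 0) NativeStub.freeContext(mContext); } finally { super.finalize(); }
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    // "Victim" side: deserialize, drop the reference, and force finalization.
    // Finalization is best effort on any JVM, so a few rounds are attempted.
    static long finalizeAfterDeserialize(byte[] payload) throws Exception {
        NativeStub.lastFreed = -1;
        deserialize(payload); // result intentionally discarded: the object is now garbage
        for (int i = 0; i < 3 && NativeStub.lastFreed == -1; i++) {
            System.gc();
            System.runFinalization();
            Thread.sleep(50);
        }
        return NativeStub.lastFreed;
    }

    public static void main(String[] args) throws Exception {
        long attackerChosen = 0x41414141L; // constructed value, not a real pointer

        // "Attacker" side: a private copy of the class with the same name and
        // serialVersionUID lets it set any field value; here the object is built directly.
        byte[] payload = serialize(new VulnerableHolder(attackerChosen));
        System.out.printf("vulnerable: native free received 0x%x%n",
                finalizeAfterDeserialize(payload));

        byte[] hardened = serialize(new HardenedHolder(attackerChosen));
        System.out.printf("hardened: native free received %d (-1 = never called)%n",
                finalizeAfterDeserialize(hardened));
    }
}
```

Compile and run with `javac FinalizePointerDemo.java && java FinalizePointerDemo`. In the vulnerable case the stub receives the attacker-chosen value; in a real process that value is dereferenced or freed by native code, which is where the memory corruption primitive comes from. In the hardened case the transient field never leaves the object's own process, so the deserialized instance holds 0 and the native call is skipped.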

Timeline

Credit

External References