Jumio Android SDK Deserialization Code Execution

Aleph Research Advisory

Identifier

CVE-2015-2000

Severity

High

Product

Jumio SDK

Vulnerable Version

Before 1.5.0

Mitigation

Use version 1.5.0 or later.

Technical Details

The Jumio SDK for Android contains a Serializable class, with a ‘finalize’ method that later calls a native function with an attacker-controllabe pointer, eventually allowing for code execution by malicious apps.

Timeline

01-Mar-17
: Added as ALEPH-2015001.
10-Aug-15
: Public disclosure.

Credit

Or Peles (@peles_o)
Roee Hay (@roeehay) of Aleph Research, HCL Technologies

External References

"One Class to Rule Them All" (USENIX WOOT '15)
RSA USA '16
RSA APAC '16
OWASP AppSec IL '15