MetaIO Android SDK Deserialization Code Execution

Aleph Research Advisory

Identifier

CVE-2015-2001

Severity

High

Product

MetaIO SDK

Vulnerable Version

Before 6.0.2.1

Mitigation

Use version 6.0.2.1 or later.

Technical Details

The MetaIO SDK for Android contains a Serializable class, with a ‘finalize’ method that later calls a native function with an attacker-controllabe pointer, eventually allowing for code execution by malicious apps.

Timeline

01-Mar-17
: Added as ALEPH-2015002.
10-Aug-15
: Public disclosure.

Credit

Or Peles (@peles_o)
Roee Hay (@roeehay) of Aleph Research, HCL Technologies

External References

"One Class to Rule Them All" (USENIX WOOT '15)
RSA USA '16
RSA APAC '16
OWASP AppSec IL '15