<--

esri ArcGis Android SDK Deserialization Code Execution

Aleph Research Advisory

Identifier

CVE-2015-2002

Severity

High

Product

esri ArcGis

Vulnerable Version

Before version 10.2.6-2

Mitigation

Use version 10.2.6-2 or later.

Technical Details

The esri ArcGis SDK for Android contains a Serializable class, with a ‘finalize’ method that later calls a native function with an attacker-controllabe pointer, eventually allowing for code execution by malicious apps.

Timeline

Credit

External References

  1. "One Class to Rule Them All" (USENIX WOOT '15)
  2. RSA USA '16
  3. RSA APAC '16
  4. OWASP AppSec IL '15