PJSIP PJSUA2 Android SDK Deserialization Code Execution

Aleph Research Advisory

Identifier

CVE-2015-2003

Severity

High

Product

PJSIP PJSUA2

Vulnerable Version

Before SVN Changeset 5132

Mitigation

Use SVN Changeset 51322 or later.

Technical Details

The PJSIP PJSUA2 SDK for Android contains a Serializable class, with a ‘finalize’ method that later calls a native function with an attacker-controllabe pointer, eventually allowing for code execution by malicious apps.

Timeline

01-Mar-17
: Added as ALEPH-2015004.
10-Aug-15
: Public disclosure.

Credit

Or Peles (@peles_o)
Roee Hay (@roeehay) of Aleph Research, HCL Technologies

External References

"One Class to Rule Them All" (USENIX WOOT '15)
RSA USA '16
RSA APAC '16
OWASP AppSec IL '15