GraceNote GNSDK Android SDK Deserialization Code Execution

Aleph Research Advisory

Identifier

CVE-2015-2004

Severity

High

Product

GraceNote GNSDK

Vulnerable Version

Before version 1.1.7

Mitigation

Use SVN Changeset 1.1.7 or later.

Technical Details

The GraceNote GNSDK SDK for Android contains a Serializable class, with a ‘finalize’ method that later calls a native function with an attacker-controllabe pointer, eventually allowing for code execution by malicious apps.

Timeline

01-Mar-17
: Added as ALEPH-2015005.
10-Aug-15
: Public disclosure.

Credit

Or Peles (@peles_o)
Roee Hay (@roeehay) of Aleph Research, HCL Technologies

External References

"One Class to Rule Them All" (USENIX WOOT '15)
RSA USA '16
RSA APAC '16
OWASP AppSec IL '15