<--

MyScript Android SDK Deserialization Code Execution

Aleph Research Advisory

Identifier

CVE-2015-2020

Severity

High

Product

MyScript

Vulnerable Version

Before version 1.3

Mitigation

Use version 1.3 or later.

Technical Details

The MyScript SDK for Android contains a Serializable class, with a ‘finalize’ method that later calls a native function with an attacker-controllabe pointer, eventually allowing for code execution by malicious apps.

Timeline

Credit

External References

  1. "One Class to Rule Them All" (USENIX WOOT '15)
  2. RSA USA '16
  3. RSA APAC '16
  4. OWASP AppSec IL '15