MyScript Android SDK Deserialization Code Execution

Aleph Research Advisory

Identifier

CVE-2015-2020

Severity

High

Product

MyScript

Vulnerable Version

Before version 1.3

Mitigation

Use version 1.3 or later.

Technical Details

The MyScript SDK for Android contains a Serializable class, with a ‘finalize’ method that later calls a native function with an attacker-controllabe pointer, eventually allowing for code execution by malicious apps.

Timeline

01-Mar-17
: Added as ALEPH-2015006.
10-Aug-15
: Public disclosure.

Credit

Or Peles (@peles_o)
Roee Hay (@roeehay) of Aleph Research, HCL Technologies

External References

"One Class to Rule Them All" (USENIX WOOT '15)
RSA USA '16
RSA APAC '16
OWASP AppSec IL '15