There is a vulnerability in Android versions below 5.0 that could allow an attacker to bypass ASLR and run arbitrary code on a target device under certain circumstances. The bug was fixed in Lollipop, the newest version of the mobile OS, released earlier this week.
The vulnerability lies in java.io.ObjectInputStream, which fails to check whether an object that is being deserialized is actually a serialized object. Security researcher Jann Horn discovered the vulnerability and reported it to Google earlier this year.
“This means that when ObjectInputStream is used on untrusted inputs, an attacker can cause an instance of any class with a non-private parameterless constructor to be created. All fields of that instance can be set to arbitrary values. The malicious object will then typically either be ignored or cast to a type to which it doesn’t fit, implying that no methods will be called on it and no data from it will be used. However, when it is collected by the GC, the GC will call the object’s finalize method,” the security advisory from Horn says.
“The class android.os.BinderProxy contains a finalize method that calls into native code. This native code will then use the values of two fields of type int/long (depends on the Android version), cast them to pointers and follow them. On Android 4.4.3, this is where one of those pointers ends up. r0 contains the attacker-supplied pointer, and if the attacker can insert data into the process at a known address, he ends up gaining arbitrary code execution in system_server.”
Horn said via email that the exploitability of the vulnerability is difficult to judge.
“An attacker would need to get a malicious app onto the device in order for this to work. The app would need no permissions,” he said. “However, I don’t have a full exploit for this issue, just the crash PoC, and I’m not entirely sure about how predictable the address layout of the system_server really is or how easy it is to write a large amount of data into system_server’s heap (in order to make less accurate guesses for the memory position work). It might be necessary to crash system_server once in order to make its memory layout more predictable for a short amount of time, in which case the user would be able to notice the attack, but I don’t think that’s likely.”
Android vulnerabilities can be especially problematic for users because of the way that the update cycle works. Carriers are responsible for providing updates to users but many of them are very slow to do so and users often will got through several years without a single security update to their device.