24/01/2016

Android privilege escalation to mediaserver from zero permissions (CVE-2014-7920 + CVE-2014-7921)

In this blog post we'll go over two vulnerabilities I discovered which, when combined, enable arbitrary code execution within the "mediaserver" process from any context, requiring no permissions whatsoever.


How bad is it?


The first vulnerability (CVE-2014-7921) was present in all Android versions from 4.0.3 onwards. The second vulnerability (CVE-2014-7920) was present in all Android versions from 2.2 (!). Also, these vulnerabilities are not vendor specific and were present in all Android devices. Since the first vulnerability is only needed to bypass ASLR, and ASLR is only present (in a meaningful form) from Android 4.1 onwards, this means that these vulnerabilities allow code execution within "mediaserver" on any Android device starting from version 2.2.

Although I reported both vulnerabilities in mid-October 2014, they were unfortunately only fixed much later (see the "Timeline" section below for the full description) - in Android version 5.1! This means that there are many devices out there which are still vulnerable to these issues, so please take care.
 
You can find the actual patches here. The patches were pushed to AOSP five months after the vulnerabilities were reported.

That said, the Android security team was very pleasant to work with, and with other vulnerabilities I reported later on, they were much more responsive and managed to solve the issues within a shorter time-frame.