
58 matches found

Cvelist
added 2019/04/25 7:35 p.m., 16 views

CVE-2018-14997

The Leagoo P1 Android device with a build fingerprint of sp7731c1h1032v4bird:6.0/MRA58K/android.20170629.214736:user/release-keys contains the android framework i.e., systemserver with a package name of android that has been modified by Leagoo or another entity in the supply chain. The systemserv...

5.3 AI score, 0.00389 EPSS
Exploits 0, References 3
CVE
added 2019/04/25 7:35 p.m., 38 views

CVE-2018-14997

CVE-2018-14997 concerns a modified Leagoo P1 Android build where the system_server in the core Android package exposes an exported broadcast receiver that lets apps on the device take a screenshot and save it to external storage. The vulnerability arises from this capability being accessible to a...

5.5 CVSS, 5.2 AI score, 0.00389 EPSS
Exploits 0, References 3, Affected Software 1
CVE
added 2019/04/25 7:29 p.m., 36 views

CVE-2018-14983

The CVE concerns Sony Xperia L1 devices running Android 7.0 (build Sony/G3313/G3313:7.0/43.0.A.6.49/2867558199) where the system_server in the core android package includes an exported broadcast receiver that lets apps on the device trigger a screenshot to be saved to external storage. This behav...

5.5 CVSS, 5.2 AI score, 0.00357 EPSS
Exploits 0, References 2, Affected Software 1
Cvelist
added 2019/04/25 7:27 p.m., 13 views

CVE-2018-14980

The ASUS ZenFone 3 Max Android device with a build fingerprint of asus/USPhone/ASUSX0081:7.0/NRD90M/USPhone-14.14.1711.92-20171208:user/release-keys contains the android framework i.e., systemserver with a package name of android versionCode=24, versionName=7.0 that has been modified by ASUS or...

6.7 AI score, 0.00358 EPSS
Exploits 0, References 2
CVE
added 2019/04/25 7:27 p.m., 51 views

CVE-2018-14980

The CVE-2018-14980 entries describe an Android framework issue on ASUS ZenFone 3 Max (ASUS_X008) running Android 7.0 NRD90M with a modified system_server that exports a broadcast receiver in the core android package. This receiver allows any locally co-located app to programmatically trigger a sc...

7.1 CVSS, 6.6 AI score, 0.00358 EPSS
Exploits 0, References 2, Affected Software 1
UbuntuCve
added 2019/02/28 5:29 p.m., 23 views

CVE-2019-1988

In sample6 of SkSwizzler.cpp, there is a possible out of bounds write due to improper input validation. This could lead to remote code execution in systemserver with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-8.0...

9.3 CVSS, 7.9 AI score, 0.0191 EPSS
Exploits 0, References 2
UbuntuCve
added 2019/02/28 5:29 p.m., 23 views

CVE-2019-1986

In SkSwizzler::onSetSampleX of SkSwizzler.cpp, there is a possible out of bounds write due to a missing bounds check. This could lead to remote escalation of privilege in systemserver with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android...

9.3 CVSS, 7.4 AI score, 0.01502 EPSS
Exploits 0, References 2
OSV
added 2019/02/28 5:29 p.m., 1 views

CVE-2019-1986

In SkSwizzler::onSetSampleX of SkSwizzler.cpp, there is a possible out of bounds write due to a missing bounds check. This could lead to remote escalation of privilege in systemserver with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android...

8.8 CVSS, 7.7 AI score, 0.01502 EPSS
Exploits 0, References 2
Prion
added 2019/02/28 5:29 p.m., 22 views

Input validation

In sample6 of SkSwizzler.cpp, there is a possible out of bounds write due to improper input validation. This could lead to remote code execution in systemserver with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-8.0...

9.3 CVSS, 8.7 AI score, 0.0191 EPSS
Exploits 0, References 2, Affected Software 1
NVD
added 2019/02/28 5:29 p.m., 17 views

CVE-2019-1988

In sample6 of SkSwizzler.cpp, there is a possible out of bounds write due to improper input validation. This could lead to remote code execution in systemserver with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-8.0...

9.3 CVSS, 8.8 AI score, 0.0191 EPSS
Exploits 0, References 2
CVE
added 2019/02/28 5:0 p.m., 88 views

CVE-2019-1988

CVE-2019-1988 affects Android Framework related to a vulnerability in PNG handling. In SkSwizzler.cpp, a possible out-of-bounds write due to improper input validation could lead to remote code execution in the system_server, requiring user interaction to exploit. Affected Android versions include...

9.3 CVSS, 8.8 AI score, 0.0191 EPSS
Exploits 0, References 2, Affected Software 1
0day.today
added 2019/02/20 12:0 a.m., 105 views

Android Kernel < 4.8 - ptrace seccomp Filter Bypass Exploit

/ The seccomp.2 manpage http://man7.org/linux/man-pages/man2/seccomp.2.html documents: Before kernel 4.8, the seccomp check will not be run again after the tracer is notified. This means that, on older kernels, seccomp-based sandboxes must not allow use of ptrace2—even of other sandboxed...

1 AI score
Exploits 0
Exploit DB
added 2019/02/20 12:0 a.m., 70 views

Android Kernel < 4.8 - ptrace seccomp Filter Bypass

/ The seccomp.2 manpage http://man7.org/linux/man-pages/man2/seccomp.2.html documents: Before kernel 4.8, the seccomp check will not be run again after the tracer is notified. This means that, on older kernels, seccomp-based sandboxes must not allow use of ptrace2—even of other sandboxed...

7.4 AI score
Exploits 0
android
added 2019/02/01 12:0 a.m., 41 views

CVE-2019-1988

In sample6 of SkSwizzler.cpp, there is a possible out of bounds write due to improper input validation. This could lead to remote code execution in systemserver with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-8.0...

9.3 CVSS, 7.1 AI score, 0.0191 EPSS
Exploits 0, References 4, Affected Software 1
exploitpack
added 2018/09/11 12:0 a.m., 39 views

Android - zygote-init; Chain from USB Privilege Escalation

Android - zygote-init; Chain from USB Privilege Escalation After reporting https://bugs.chromium.org/p/project-zero/issues/detail?id=1583 Android ID 80436257, CVE-2018-9445, I discovered that this issue could also be used to inject code into the context of the zygote. Additionally, I discovered a...

7.2 CVSS, 1 AI score, 0.0082 EPSS
Exploits 5
0day.today
added 2018/01/11 12:0 a.m., 50 views

Android - Hardware Service Manager Arbitrary Service Replacement due to getpidcon Exploit

Exploit for Android platform in category dos / poc This bug is similar to Jann Horn's issue https://bugs.chromium.org/p/project-zero/issues/detail?id=851 -- credit should go to him. The hardware service manager allows the registration of HAL services. These services are used by the vendor domain...

7.2 CVSS, 0.1 AI score, 0.00768 EPSS
Exploits 2
Exploit DB
added 2018/01/11 12:0 a.m., 31 views

Android - Hardware Service Manager Arbitrary Service Replacement due to getpidcon

This bug is similar to Jann Horn's issue https://bugs.chromium.org/p/project-zero/issues/detail?id=851 -- credit should go to him. The hardware service manager allows the registration of HAL services. These services are used by the vendor domain and other core processes, including systemserver,...

7 AI score
Exploits 0
seebug.org
added 2017/04/05 12:0 a.m., 33 views

Android: Ashmem race conditions in android.util.MemoryIntArray (CVE-2017-0412)

The MemoryIntArray class allows processes to share an in-memory array of integers by transferring an ashmem file descriptor. As the class implements the Parcelable interface, it can be passed within a Parcel or a Bundle and transferred via binder to remote processes. Instead of directly tracking...

9.3 CVSS, 7.7 AI score, 0.02535 EPSS
Exploits 5
seebug.org
added 2017/02/26 12:0 a.m., 16 views

Android: pointer leak via insufficient binder message verification

When frameworks/native/libs/binder/Parcel.cpp reads e.g. a string from a parcel, it does not verify that the string doesn't overlap with any byte range that was tagged as a binder object by the sender. When an attacker sends a parcel to a victim process that contains an unexpected binder handle...

6.9 AI score
Exploits 0
0day.today
added 2017/02/14 12:0 a.m., 61 views

Google Android - android.util.MemoryIntArray Ashmem Race Conditions Vulnerability

Exploit for Android platform in category dos / poc Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1002 The MemoryIntArray class allows processes to share an in-memory array of integers by transferring an ashmem file descriptor. As the class implements the Parcelable interface, ...

9.3 CVSS, 7.6 AI score, 0.02535 EPSS
Exploits 5