Moderate
CVE-2019-2215
CVE-2019-2215
Description
A use-after-free in binder.c allows an elevation of privilege from an application to the Linux Kernel. No user interaction is required to exploit this vulnerability, however exploitation does require either the installation of a malicious local application or a separate vulnerability in a network facing application.Product: AndroidAndroid ID: A-141720095
Add Assessment
Technical Analysis
As a privilege escalation does still need an initial vector onto the phone, so requires either another exploit or additional tradecraft. This is unlikely to work in conjunction with a Chrome exploit today because many phones run a 64-bit kernel + 32-bit Chrome, perhaps for this very reason!.
After testing the Metasploit module it took a considerable amount of specific targeting effort to get just the right model, and because the phone has a feature/bug that made it difficult to downgrade firmware (and the phone likes to upgrade on its own very easily), targeting this after disclosure may be very difficult.
However, if you can find this bug or a similar one on a common phone that is past applying security updates, it could be useful for privesc from a malicious app. But I think the issue that plagues a lot of Android binary exploitation vulns is the lack of generality and there being lower-hanging fruit.
Technical Analysis
Reported as exploited in the wild as part of Google’s 2020 0day vulnerability spreadsheet they made available at https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=1869060786. Original tweet announcing this spreadsheet with the 2020 findings can be found at https://twitter.com/maddiestone/status/1329837665378725888
CVSS V3 Severity and Metrics
General Information
Products
- a220 firmware
- a320 firmware
- a800 firmware
- aff baseboard management controller firmware
- alp al00b firmware
- alp tl00b firmware
- android
- anne al00 firmware
- ares al00b firmware
- ares al10d firmware
- ares tl00chw firmware
- barca al00 firmware
- berkeley l09 firmware
- berkeley tl10 firmware
- bla al00b firmware
- bla l29c firmware
- bla tl00b firmware
- c190 firmware
- cloud backup
- columbia al00a firmware
- columbia l29d firmware
- cornell tl10b firmware
- data availability services
- debian linux 8.0
- duke l09i firmware
- dura al00a firmware
- fas2720 firmware
- fas2750 firmware
- figo al00a firmware
- florida al20b firmware
- florida l03 firmware
- florida l21 firmware
- florida l22 firmware
- florida tl10b firmware
- h300s firmware
- h410c firmware
- h410s firmware
- h500s firmware
- h610s firmware
- h700s firmware
- hci management node
- honor 9i firmware
- honor view 20 firmware
- jakarta al00a firmware
- johnson tl00d firmware
- leland al10b firmware
- leland l21a firmware
- leland l32a firmware
- leland tl10b firmware
- leland tl10c firmware
- lelandp al00c firmware
- lelandp l22c firmware
- mate rs firmware 9.1.0.321(c786e320r1p1t8)
- neo al00d firmware
- nova 2s firmware
- nova 3 firmware
- nova 3e firmware
- p20 firmware
- p20 lite firmware
- princeton al10b firmware
- rhone al00 firmware
- service processor
- solidfire
- solidfire baseboard management controller firmware
- stanford l09 firmware
- stanford l09s firmware
- steelstore cloud integrated storage
- sydney al00 firmware
- sydney tl00 firmware
- sydneym al00 firmware
- tony al00b firmware
- tony tl00b firmware
- ubuntu linux 16.04
- y9 2019 firmware
- yale al00a firmware
- yale l21a firmware
- yale tl00b firmware
Metasploit Modules
Exploited in the Wild
References
Advisory
