Attacker Value
Moderate
(3 users assessed)
Exploitability
Low
(3 users assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Local
1

CVE-2019-2215

Disclosure Date: October 11, 2019
Exploited in the Wild
Reported by gwillcox-r7
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

A use-after-free in binder.c allows an elevation of privilege from an application to the Linux Kernel. No user interaction is required to exploit this vulnerability, however exploitation does require either the installation of a malicious local application or a separate vulnerability in a network facing application.Product: AndroidAndroid ID: A-141720095

Add Assessment

2
Ratings
  • Attacker Value
    Medium
  • Exploitability
    Very Low
Technical Analysis

There is a working proof of concept available for some devices.

1
Ratings
Technical Analysis

As a privilege escalation does still need an initial vector onto the phone, so requires either another exploit or additional tradecraft. This is unlikely to work in conjunction with a Chrome exploit today because many phones run a 64-bit kernel + 32-bit Chrome, perhaps for this very reason!.

After testing the Metasploit module it took a considerable amount of specific targeting effort to get just the right model, and because the phone has a feature/bug that made it difficult to downgrade firmware (and the phone likes to upgrade on its own very easily), targeting this after disclosure may be very difficult.

However, if you can find this bug or a similar one on a common phone that is past applying security updates, it could be useful for privesc from a malicious app. But I think the issue that plagues a lot of Android binary exploitation vulns is the lack of generality and there being lower-hanging fruit.

1
Technical Analysis

Reported as exploited in the wild as part of Google’s 2020 0day vulnerability spreadsheet they made available at https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=1869060786. Original tweet announcing this spreadsheet with the 2020 findings can be found at https://twitter.com/maddiestone/status/1329837665378725888

General Information

Products

  • Android
Technical Analysis