Entreprise française de cybersécurité depuis 2004
☎ 03 60 47 09 81 - info@securiteinfo.com

CVE-2015-3837

Description

The OpenSSLX509Certificate class in org/conscrypt/OpenSSLX509Certificate.java in Android before 5.1.1 LMY48I improperly includes certain context data during serialization and deserialization, which allows attackers to execute arbitrary code via an application that sends a crafted Intent, aka internal bug 21437603.

POC

Reference

- https://groups.google.com/forum/message/raw?msg=android-security-updates/Ugvu3fi6RQM/yzJvoTVrIQAJ

Github

- https://github.com/ARPSyndicate/cvemon

- https://github.com/PalindromeLabs/Java-Deserialization-CVEs

- https://github.com/chnzzh/OpenSSL-CVE-lib

- https://github.com/itibs/IsildursBane

- https://github.com/leoambrus/CheckersNomisec

- https://github.com/roeeh/conscryptchecker