CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2015-1474 – Google Android Integer Oveflow / Heap Corruption
https://notcve.org/view.php?id=CVE-2015-1474
Multiple integer overflows in the GraphicBuffer::unflatten function in platform/frameworks/native/libs/ui/GraphicBuffer.cpp in Android through 5.0 allow attackers to gain privileges or cause a denial of service (memory corruption) via vectors that trigger a large number of (1) file descriptors or (2) integer values. Múltiples desbordamientos de enteros en la función GraphicBuffer::unflatten en platform/frameworks/native/libs/ui/GraphicBuffer.cpp en Android hasta 5.0 permiten a atacantes ganar privilegios o causar una denegación de servicio (corrupción de memoria) a través de vectores que provocan un número grande de (1) descriptores de ficheros o (2) valores de enteros. Multiple integer overflows in the GraphicBuffer::unflatten function in platform/frameworks/native/libs/ui/GraphicBuffer.cpp in Android through 5.0 allow attackers to gain privileges or cause a denial of service (memory corruption) via vectors that trigger a large number of file descriptors or integer values. All versions below Lollipop 5.1 are affected. • http://packetstormsecurity.com/files/130778/Google-Android-Integer-Oveflow-Heap-Corruption.html http://seclists.org/fulldisclosure/2015/Mar/63 http://www.securityfocus.com/bid/72788 http://www.securitytracker.com/id/1031875 https://android.googlesource.com/platform/frameworks/native/+/38803268570f90e97452cd9a30ac831661829091 https://www.blackhat.com/docs/us-15/materials/us-15-Gong-Fuzzing-Android-System-Services-By-Binder-Call-To-Escalate-Privilege.pdf • CWE-189: Numeric Errors •
CVSS: 7.5EPSS: 5%CPEs: 8EXPL: 4CVE-2014-0997 – Android WiFi-Direct - Denial of Service
https://notcve.org/view.php?id=CVE-2014-0997
WiFiMonitor in Android 4.4.4 as used in the Nexus 5 and 4, Android 4.2.2 as used in the LG D806, Android 4.2.2 as used in the Samsung SM-T310, Android 4.1.2 as used in the Motorola RAZR HD, and potentially other unspecified Android releases before 5.0.1 and 5.0.2 does not properly handle exceptions, which allows remote attackers to cause a denial of service (reboot) via a crafted 802.11 probe response frame. WiFiMonitor en Android 4.4.4 tal y como se emplea en Nexus 5 y 4, Android 4.2.2 tal y como se emplea en LG D806, Android 4.2.2 tal y como se emplea en Samsung SM-T310, Android 4.1.2 tal y como se emplea en Motorola RAZR HD y potencialmente en otras distribuciones Android anteriores a la 5.0.1 y 5.0.2 no gestiona correctamente las excepciones. Esto permite que los atacantes remotos provoquen una denegación de servicio (reinicio) mediante un marco de respuesta de sonda 802.11. • https://www.exploit-db.com/exploits/35913 http://packetstormsecurity.com/files/130107/Android-WiFi-Direct-Denial-Of-Service.html http://seclists.org/fulldisclosure/2015/Jan/104 http://www.securityfocus.com/archive/1/534544/100/0/threaded http://www.securityfocus.com/bid/72311 https://www.coresecurity.com/advisories/android-wifi-direct-denial-service • CWE-19: Data Processing Errors •
CVSS: 7.2EPSS: 0%CPEs: 45EXPL: 3CVE-2014-7911 – Android CVE-2014-7911 / CVE-2014-4322 Local Exploit
https://notcve.org/view.php?id=CVE-2014-7911
luni/src/main/java/java/io/ObjectInputStream.java in the java.io.ObjectInputStream implementation in Android before 5.0.0 does not verify that deserialization will result in an object that met the requirements for serialization, which allows attackers to execute arbitrary code via a crafted finalize method for a serialized object in an ArrayMap Parcel within an intent sent to system_service, as demonstrated by the finalize method of android.os.BinderProxy, aka Bug 15874291. luni/src/main/java/java/io/ObjectInputStream.java en la implementación java.io.ObjectInputStream en Android anterior a 5.0.0 no verifica que la deserialización resultará en un objeto que reunió los requisitos para la serialización, lo que permite a atacantes ejecutar código arbitrario a través de un método de finalizar para un objeto serializado en un paquete ArrayMap dentor de un intento enviado a system_service, tal y como fue demostrado por el método de finalizar de android.os.BinderProxy, también conocido como Bug 15874291. • https://github.com/ele7enxxh/CVE-2014-7911 https://github.com/koozxcv/CVE-2014-7911-CVE-2014-4322_get_root_privilege https://github.com/koozxcv/CVE-2014-7911 http://seclists.org/fulldisclosure/2014/Nov/51 https://android.googlesource.com/platform/libcore/+/738c833d38d41f8f76eb7e77ab39add82b1ae1e2 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 0%CPEs: 45EXPL: 4CVE-2014-8507 – Android WAPPushManager - SQL Injection
https://notcve.org/view.php?id=CVE-2014-8507
Multiple SQL injection vulnerabilities in the queryLastApp method in packages/WAPPushManager/src/com/android/smspush/WapPushManager.java in the WAPPushManager module in Android before 5.0.0 allow remote attackers to execute arbitrary SQL commands, and consequently launch an activity or service, via the (1) wapAppId or (2) contentType field of a PDU for a malformed WAPPush message, aka Bug 17969135. Múltiples vulnerabilidades de inyección SQL en el método queryLastApp en packages/WAPPushManager/src/com/android/smspush/WapPushManager.java en el módulo WAPPushManager en Android anterior a 5.0.0 permiten a atacantes remotos ejecutar comandos SQL arbitrarios, y como consecuencia lanzar una actividad o servicio, a través del campo (1) wapAppId o (2) contentType de un PDU para un mensaje WAPPush malformado, también conocido como Bug 17969135. • https://www.exploit-db.com/exploits/35382 http://packetstormsecurity.com/files/129283/Android-WAPPushManager-SQL-Injection.html http://seclists.org/fulldisclosure/2014/Nov/86 http://www.securityfocus.com/bid/71310 http://xteam.baidu.com/?p=167 https://android.googlesource.com/platform/frameworks/base/+/48ed835468c6235905459e6ef7df032baf3e4df6 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 3.3EPSS: 0%CPEs: 45EXPL: 4CVE-2014-8610 – Android SMS Resend
https://notcve.org/view.php?id=CVE-2014-8610
AndroidManifest.xml in Android before 5.0.0 does not require the SEND_SMS permission for the SmsReceiver receiver, which allows attackers to send stored SMS messages, and consequently transmit arbitrary new draft SMS messages or trigger additional per-message charges from a network operator for old messages, via a crafted application that broadcasts an intent with the com.android.mms.transaction.MESSAGE_SENT action, aka Bug 17671795. AndroidManifest.xml en Android anterior a 5.0.0 no requiere el permiso SEND_SMS para el recibidor SmsReceiver, lo que permite a atacantes remotos enviar mensajes SMS almacenados, y como consecuencia trasmitir nuevos mensajes SMS del borrador o provocar adicionales cobros por mensajes de un operador de la red para mensajes viejos, a través de una aplicación manipulada que emite un intento con la acción com.android.mms.transaction.MESSAGE_SENT, también conocido como Bug 17671795. Android versions prior to 5.0 allow an unprivileged application the ability to resend all the SMS's stored in the users phone. • http://packetstormsecurity.com/files/129282/Android-SMS-Resend.html http://seclists.org/fulldisclosure/2014/Dec/8 http://seclists.org/fulldisclosure/2014/Nov/85 http://xteam.baidu.com/?p=164 https://android.googlesource.com/platform/packages/apps/Mms/+/008d6202fca4002a7dfe333f22377faa73585c67 https://github.com/joswr1ght/drozer-modules/blob/master/whfs/smsdraftsend.py • CWE-264: Permissions, Privileges, and Access Controls •