7.2
CVSSv2

CVE-2014-7911

Published: 15/12/2014 Updated: 16/12/2014
CVSS v2 Base Score: 7.2 | Impact Score: 10 | Exploitability Score: 3.9
VMScore: 646
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

luni/src/main/java/java/io/ObjectInputStream.java in the java.io.ObjectInputStream implementation in Android prior to 5.0.0 does not verify that deserialization will result in an object that met the requirements for serialization, which allows malicious users to execute arbitrary code via a crafted finalize method for a serialized object in an ArrayMap Parcel within an intent sent to system_service, as demonstrated by the finalize method of android.os.BinderProxy, aka Bug 15874291.

Most Upvoted Vulmon Research Post

There is no Researcher post for this vulnerability
Would you like to share something about it? Sign up now to share your knowledge with the community.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

google android 2.2

google android 2.2.1

google android 2.2.2

google android 2.2.3

google android 3.2.2

google android 3.2.4

google android 3.2.6

google android 4.0

google android 4.4.1

google android 4.4.2

google android 4.4.3

google android

google android 2.0.1

google android 2.3

google android 2.3.1

google android 3.0

google android 3.2

google android 4.0.2

google android 4.0.4

google android 4.2.2

google android 4.3.1

google android 1.0

google android 1.1

google android 1.5

google android 1.6

google android 2.3.3

google android 2.3.4

google android 2.3.5

google android 2.3.6

google android 2.3.7

google android 4.1

google android 4.1.2

google android 4.2

google android 4.2.1

google android 2.0

google android 2.1

google android 2.3.2

google android 3.1

google android 3.2.1

google android 4.0.1

google android 4.0.3

google android 4.3

google android 4.4

Mailing Lists

Multiple integer overflows in the GraphicBuffer::unflatten function in platform/frameworks/native/libs/ui/GraphicBuffercpp in Android through 50 allow attackers to gain privileges or cause a denial of service (memory corruption) via vectors that trigger a large number of file descriptors or integer values All versions below Lollipop 51 are affe ...

Github Repositories

CVE-2014-7911 vulnerability and CVE-2014-4322 vulnerability to get root privilege!

CVE-2014-7911_poc Local root exploit for Nexus5 Android 444(KTU8P) author: andy website: blogcsdnnet/koozxcv how to build Import the project into eclipse,and build bug info seclistsorg/fulldisclosure/2014/Nov/51 analysis researchcenterpaloaltonetworkscom/2015/01/cve-2014-7911-deep-dive-analysis-android-system-service-vulnerability-exploitation

exploit for cve-2014-7911; android; java deserialization ;system privilege;ace;

cve-2014-7911-exp exploit for cve-2014-7911; android; java deserialization ;system privilege;ace; This exp refers to retme7's exp,but the rop chain is different And the most important part is Chunk Spray Hope it will help #environment device:nexus5 os version:Android444

POC of CVE-2014-7911

CVE-2014-7911 POC for CVE-2014-7911 for Nexus5 Android 444_r1 based on retme7 and auo, use different rop chain #Info Usage launch this poc, click the “CVE-2014-7911” button, you will see a pwntxt created by system user in /data:

exp for cve-2014-7911 which can get system privillage

cve-2014-7911 Exp for cve-2014-7911 which can get system privillage, based on most of the codes of others but different gadget install the apk and click the button system server will restart will write system id(100) into /data/1txt

Local root exploit for Nexus5 Android 4.4.4(KTU84P)

CVE-2014-7911_poc Local root exploit for Nexus5 Android 444(KTU8P) author: retme (retme7@gmailcom) @returnsme on twitter & @retme on weibo website: retmenet how to build Import the project into eclipse,and build /cve20147911/assets/msmattack is the binary file of CVE-2014-4322 exploitYou can find it here: githubcom/retme7/CVE-2014-4322_poc bug info htt

CVE-2014-7911 POC for CVE-2014-7911 for Nexus5 Android 444_r1 based on retme7, use different rop chain #Info ele7enxxhcom/CVE-2014-7911-Detailed-Analysis-Of-Android-Local-Privilege-Escalation-To-System-Vulnerabilityhtml Usage connect your phone via adb adb push jni/expolit /data/local/tmp adb logcat | grep auo_ lunch this poc, click the “CVE-2014-7911” b

A collection of awesome things for me.

Awesome Luob A collection of awesome things Automatically generated by Create My Awesome ANTLR ASL ASP ActionScript AngelScript Assembly Batchfile Brainfuck C C# C++ CMake CSS Clojure CoffeeScript Common Lisp Crystal Cuda D Dart Emacs Lisp F# GLSL Go HLSL HTML Handlebars Haskell Haxe HolyC Java JavaScript Jsonnet Jupyter Notebook Kotlin LLVM Less Lua MATLAB Makefile Markdow

2018-2020青年安全圈-活跃技术博主/博客

Security-Data-Analysis-and-Visualization 2018-2020青年安全圈-活跃技术博主/博客 声明 所有数据均来自且仅来自公开信息,未加入个人先验知识,如有疑义,请及时联系root@4o4notfoundorg。 公开这批数据是为了大家一起更快更好地学习,请不要滥用这批数据,由此引发的问题,本人将概不负责。 对这

SecurityScanner 概述 本软件为一款手机安全漏洞与安全风险检测软件,目前可检测CVE-2014-7911、CVE-2014-8609、CVE-2015-1474等安全漏洞,以及Android四大组件导出带来的安全风险。 特别提示:本软件目前为beta版本,后续将不断完善。

Gain privileges:system -> root,as a part of https://github.com/retme7/CVE-2014-7911_poc

CVE-2014-4322_poc poc code works on Nexus Android 44/50 Gain privileges:system -> root,as a part of githubcom/retme7/CVE-2014-7911_poc author: retme (retme7@gmailcom) @returnsme on twitter & @retme on weibo website: retmenet The exploit must be excuted as system privilege and several specific SELinux context If exploit successed,you will gain

AboutMe Bio Ju Zhu has 7+ years of experience in Advanced Threat Research Now he work for Meituan Currently, he focuses on research about 0Day, nDay and vulnerability He has been working on using automated systems to hunt advanced threats He has found the first malware that exploited nDay(CVE-2014-7911) to attack smart TV at Christmas in 2015 In 2016, he also found a lot o

#awesome-c A curated list of awesome C frameworks, libraries and software SamyPesse/How-to-Make-a-Computer-Operating-System - How to Make a Computer Operating System in C++ liuliu/ccv - C-based/Cached/Core Computer Vision Library, A Modern Computer Vision Library Microsoft/WinObjC - Objective-C for Windows grpc/grpc - The C based gRPC (C++, Nodejs, Python, Ruby, Objective-C,

A curated list of awesome C frameworks, libraries and software.

#awesome-c A curated list of awesome C frameworks, libraries and software SamyPesse/How-to-Make-a-Computer-Operating-System - How to Make a Computer Operating System in C++ liuliu/ccv - C-based/Cached/Core Computer Vision Library, A Modern Computer Vision Library Microsoft/WinObjC - Objective-C for Windows grpc/grpc - The C based gRPC (C++, Nodejs, Python, Ruby, Objective-C,

Android Security Resources.

所有收集类项目 Android Android安全资源收集,初版。600+工具,1500+文章 English Version 目录 资源收集 (11) Github Repo 知名分析工具 ClassyShark -> (3)工具 (7)文章 jeb -> (14)工具 (50)文章 enjarify -> (2)工具 (1)文章 androguard -> (5)工具 (14)文章 jadx -> (3)工具 (3)文章 jd-gui -&a

Compiled dataset of Java deserialization CVEs

Java-Deserialization-CVEs This is a dataset of CVEs related to Java Deserialization Since existing CVE databases do not allow for granular searches by vulnerability type and language, this list was compiled by manually searching the NIST NVD CVE database with different queries If you notice any discrepancies, contributions are very welcome! CVE ID Year CVSS 3/31 risk CV