EvilParcel

EvilParcel is a group of similar vulnerabilities found in some Android system classes. Those classes contain an error that enables information to be modified during the data exchange between applications and the operating system. If an attacker crafts a specific array of transmitted data, the values read back from it will differ from the original ones.

Malicious programs that exploit these vulnerabilities can bypass operating system checks, obtain higher privileges, and perform previously unavailable actions. For example, they can revert the devices to factory settings and install or uninstall applications without users’ permission. Additionally, if Trojans exploit EvilParcel vulnerabilities together with other vulnerabilities, they can replace previously installed programs with their infected versions.

The following vulnerabilities of this type are known:

  • CVE-2017-0806 (error in the GateKeeperResponse class), published in October 2017;
  • CVE-2017-13286 (error in the OutputConfiguration class), published in April 2018;
  • CVE-2017-13287 (error in the VerifyCredentialResponse class), published in April 2018;
  • CVE-2017-13288 (error in the PeriodicAdvertisingReport class), published in April 2018;
  • CVE-2017-13289 (error in the ParcelableRttResults class), published in April 2018;
  • CVE-2017-13311 (error in the SparseMappingTable class), published in May 2018; and
  • CVE-2017-13315 (error in the DcParamObject class), published in May 2018.

These vulnerabilities are a threat to devices running Android 5.0–8.1 that have not received the updates from May 2018 or later.

If Dr.Web for Android detects one or more EvilParcel vulnerabilities, we recommend that you contact the hardware manufacturer to obtain the operating system updates you need.

Technical details

Android applications interact with the system by sending and receiving Intent objects. An Intent can contain an arbitrary number of key-value pairs inside a Bundle object. When an Intent is transferred, the Bundle object is converted (serialized) into a byte array; when keys and values are read from a serialized Bundle, it is automatically deserialized. The key in a Bundle is a string, and the value can be almost anything, including a Parcelable object. Thus, you can place an arbitrary object that implements the Parcelable interface in a Bundle. To serialize and deserialize the object, the writeToParcel() and createFromParcel() methods have to be implemented.

EvilParcel vulnerabilities are caused by errors in the createFromParcel() and writeToParcel() methods in some system classes that implement Parcelable. In these classes, the number of bytes read in the createFromParcel() method will differ from the number of bytes written in the writeToParcel() method. If you place an object of this class inside a Bundle, the boundaries of the object inside the Bundle will change after re-serialization.
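The read/write asymmetry described above can be caught with a round-trip check. The following Python model is an added example, not code from Dr.Web or from Android: `Parcel`, `GoodResponse`, `BadResponse` and the sample inputs are hypothetical stand-ins, and the bug in `BadResponse` is constructed for illustration.

```python
import struct

class Parcel:
    """Toy stand-in for android.os.Parcel: a byte buffer plus a read cursor."""
    def __init__(self, data=b""):
        self.data, self.pos = bytearray(data), 0
    def write_int(self, value):
        self.data += struct.pack("<i", value)
    def read_int(self):
        (value,) = struct.unpack_from("<i", self.data, self.pos)
        self.pos += 4
        return value

class GoodResponse:
    """Hypothetical class whose reader and writer handle the same fields."""
    def __init__(self, code, timeout):
        self.code, self.timeout = code, timeout
    def write_to_parcel(self, parcel):
        parcel.write_int(self.code)
        parcel.write_int(self.timeout)
    @classmethod
    def create_from_parcel(cls, parcel):
        return cls(parcel.read_int(), parcel.read_int())

class BadResponse(GoodResponse):
    """Constructed bug: timeout is always read but written only when code == 0."""
    def write_to_parcel(self, parcel):
        parcel.write_int(self.code)
        if self.code == 0:
            parcel.write_int(self.timeout)

def roundtrip_mismatch(cls, raw):
    """Return (bytes_read, bytes_rewritten) when they differ, else None."""
    src = Parcel(raw)
    obj = cls.create_from_parcel(src)
    out = Parcel()
    obj.write_to_parcel(out)
    return None if src.pos == len(out.data) else (src.pos, len(out.data))

def audit(cls, samples):
    """Map each offending input (hex) to its (read, rewritten) byte counts."""
    findings = {}
    for raw in samples:
        mismatch = roundtrip_mismatch(cls, raw)
        if mismatch:
            findings[raw.hex()] = mismatch
    return findings

# Constructed sample inputs: every (code, timeout) pair from a small grid.
SAMPLES = [struct.pack("<ii", c, t) for c in (0, 1, -1) for t in (0, 30)]
```

`audit(BadResponse, SAMPLES)` reports the inputs on which the object occupies 8 bytes when read but only 4 when written back, which is the boundary shift the paragraph describes; `audit(GoodResponse, SAMPLES)` reports nothing.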

This is what the malware takes advantage of. To launch activities with higher privileges, it creates a specific Bundle containing a vulnerable class. Changing the boundaries of the vulnerable class allows an Intent object to be placed in the Bundle in such a way that it only appears in the Bundle after the second deserialization. This allows the Intent to be hidden from the OS security mechanisms. After being called, the Intent will launch an activity with elevated privileges, and the Trojans will be able to perform malicious actions without the user's permission.

© Doctor Web
2003 — 2019