README.md

Simple Exploit for Verification of CVE-2015-6606

This is a simple exploit to verify a code injection vulnerability in the SEEK smartcard service, versions 3.1.0 and below (CVE-2015-6606, Google internal bug ANDROID-22301786). The vulnerability allows specially crafted Android application packages to inject arbitrary code into the execution context of the smartcard system service. The injected code inherits all permissions granted to this system service, including signature-or-system permissions that are not normally granted to third-party apps.

Further details can be found in our report "Executing Arbitrary Code in the Context of the Smartcard System Service" (see the LITERATURE section below).

DISCLAIMER

You are using this application at your own risk. We are not responsible for any damage caused by this application, incorrect usage or inaccuracies in this manual.

LITERATURE

  • CVE-2015-6606
  • Google: Nexus Security Bulletin - October 2015
  • M. Roland: "Executing Arbitrary Code in the Context of the Smartcard System Service," arXiv:1601.05833 [cs.CR], Computing Research Repository (CoRR), arXiv.org/corr, University of Applied Sciences Upper Austria, JR-Center u'smile, January 2016.
  • M. Roland and M. Hölzl: "Open Mobile API: Accessing the UICC on Android Devices," arXiv:1601.03027 [cs.CR], Computing Research Repository (CoRR), arXiv.org/corr, University of Applied Sciences Upper Austria, JR-Center u'smile, January 2016.

License: GNU General Public License v3.0
