|CVSS SCORE||7.9, (AV:A/AC:M/Au:N/C:C/I:C/A:C)|
The specific flaw exists within the com.absolute.android.persistence.MethodSpec Class. The createFromParcel() method performs dynamic class loading but does not restrict the source of the classes to be loaded. An attacker can craft a Parcelable object specifying arbitrary class files that will be loaded when the MethodSpec object is deserialized, resulting in remote code execution as the system user.
11/11/2015 - ZDI disclosed this report from Mobile Pwn2Own to the vendor
-- Vendor Response:
Fixes for both issues ZDI-CAN-2613 and ZDI-CAN-2614 require FOTA updates from carriers, such that there is no link to a patch for these fixes. While we believe only a small number of devices haven't received the software (FOTA) update from their respective carriers, there are number of devices still at risk from those vulnerabilities.