Open Mobile API implementations affected by code injection vulnerability [CVE-2015-6606]

We recently found a severe weakness in implementations of the Open Mobile API deployed on several Android devices. The vulnerability allows arbitrary code coming from a specially crafted Android application package (APK) to be injected into and executed by the smartcard system service component (the middleware component of the Open Mobile API implementation). This can be exploited to gain elevated capabilities, such as privileges protected by signature- and system-level permissions assigned to this service. The affected source code seems to originate from the SEEK-for-Android open-source project and was adopted by various vendor-specific implementations of the Open Mobile API, including the one that is used on the Nexus 6 (as of Android version 5.1). Several Android devices as well as the open source implementation SEEK-for-Android (only versions before 4.0.0) are affected.

We initially reported this issue to affected parties starting end of June 2015 and it was initially announced in the October 2015 Nexus Security Bulletin. The Common Vulnerability and Exposures ID (CVE) identifier CVE-2015-6606 has been assigend to this issue.

Today, we published our report Executing Arbitrary Code in the Context of the Smartcard System Service (arXiv:1601.05833 [cs.CR]) describing this vulnerability in full detail. Further, we published example exploit code to reproduce the issue on GitHub. Patches that fix the issue by disabling add-on terminal loading are available from our website: for SEEK 3.1.0 and for SEEK 3.0.0. Where possible, we strongly advise to upgrade to SEEK version 4.0.0 which contains a completely redesigned add-on terminal loading concept and is consequently no longer affected by this vulnerability.

Further reading:

Useful links: