CVE-2019-15396

Vulnerability

The Asus ZenFone 3 (model ASUS_Z012D) running Android 7.0 (build NRD90M) includes a pre-installed app with package name com.asus.loguploaderproxy (versionCode=1570000015, versionName=7.0.0.3_161222). This app exposes an accessible component that allows any other pre-installed app on the device to perform command execution. The vulnerable app is part of the system firmware and does not require user interaction to be exploited by other pre-installed apps [1].

Exploitation

An attacker must have the ability to execute code within a pre-installed app that holds signatureOrSystem permissions. Such an app can invoke the exposed component of com.asus.loguploaderproxy to issue arbitrary shell commands. No additional authentication or user interaction is needed, as the component is directly accessible to other pre-installed applications with the required permission level [1].

Impact

Successful exploitation allows a malicious pre-installed app to execute arbitrary commands with the privileges of the com.asus.loguploaderproxy app, likely resulting in full device compromise. The attacker can gain elevated privileges beyond what the calling app normally has, potentially leading to data exfiltration, installation of additional payloads, or persistent control over the device [1].

Mitigation

As of the publication date (2019-11-14), no official fix or patched firmware version was available from Asus. Users are advised to minimize the installation of untrusted apps and consider using a device from a vendor with a stronger security update commitment. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog [1].