CVE-2019-15406

Vulnerability

A pre-installed app on the Asus ASUS_X00LD_3 Android device (build fingerprint asus/WW_Phone/ASUS_X00LD_3:7.1.1/NMF26F/14.0400.1806.203-20180720:user/release-keys) with package name com.asus.loguploaderproxy (versionCode=1570000020, versionName=7.0.0.4_170901) contains an accessible app component that allows other pre-installed apps to perform command execution [1]. The component is accessible to any pre-installed app that can obtain signatureOrSystem permissions, as required by other pre-installed apps that export their capabilities [1].

Exploitation

An attacker does not need special privileges beyond having a pre-installed app on the device that can obtain signatureOrSystem permissions. The vulnerable component is exported and accessible to such apps, allowing them to invoke it without additional user interaction [1]. The attack sequence involves a malicious pre-installed app calling the exported component of com.asus.loguploaderproxy to execute arbitrary commands.

Impact

Successful exploitation allows an attacker to execute arbitrary commands on the device with the privileges of the com.asus.loguploaderproxy app, leading to complete compromise of device confidentiality, integrity, and availability [1]. The attacker can gain elevated privileges beyond those normally available to pre-installed apps.

Mitigation

Not yet disclosed in the available references [1]. The vulnerability was published in 2019, and users are advised to apply any available security updates from ASUS or consider replacing the device if it is no longer supported.