CVE-2019-15407

Vulnerability

The ASUS ASUS_X015_1 device running Android 7.0 with build fingerprint asus/CN_X015/ASUS_X015_1:7.0/NRD90M/CN_X015-14.00.1709.35-20171215:user/release-keys includes a pre-installed application with package name com.asus.loguploaderproxy (versionCode=1570000015, versionName=7.0.0.3_161222). This app exposes an accessible component that allows other pre-installed apps to execute arbitrary commands. The vulnerable app exports its capabilities in a way that any pre-installed app that obtains signatureOrSystem permissions can invoke [1].

Exploitation

An attacker needs to have a pre-installed app on the device that is granted signatureOrSystem permissions. This can be any app that was signed with the platform signature or is a system app. No special user interaction is required beyond the presence of such a malicious or compromised pre-installed app. The attacker can then invoke the accessible component of com.asus.loguploaderproxy to execute arbitrary shell commands on the device [1].

Impact

Successful exploitation allows the attacker to execute arbitrary commands with the privileges of the vulnerable app, which is a system app. This can lead to full compromise of the device, including data theft, installation of additional malware, or persistent unauthorized access [1].

Mitigation

No official patch or updated version has been announced in the available references [1]. The device may be end-of-life (EOL) as it runs Android 7.0, and users are advised to limit installation of unknown apps and monitor for any vendor updates. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.