CVE-2019-15409

Vulnerability

The Asus ZenFone 5Q (model ASUS_X017D_2) running Android 7.1.1 with build fingerprint asus/WW_Phone/ASUS_X017D_2:7.1.1/NGI77B/14.0400.1809.059-20181016:user/release-keys has a pre-installed app with package name com.asus.loguploaderproxy (versionCode=1570000020, versionName=7.0.0.4_170901). This app exposes an accessible component that allows other pre-installed apps on the device to execute arbitrary commands. The vulnerable app requires and holds signatureOrSystem permissions, which other pre-installed apps can also obtain.

Exploitation

An attacker needs to have a pre-installed app on the device that can acquire signatureOrSystem permissions. Such an app can then use the exposed component of com.asus.loguploaderproxy to execute arbitrary shell commands. This is possible because the component is accessible to any app with the required permission level, and many pre-installed apps can attain that permission level on the device.

Impact

Successful exploitation allows any pre-installed app that can obtain signatureOrSystem permissions to execute arbitrary commands on the device. This leads to full device compromise, including potential data theft, installation of additional malware, or complete control over the device's functions. The impact is severe as it bypasses normal user restrictions and can be triggered without user interaction.

Mitigation

As of the publication date (2019-11-14), there is no mention of a patch or fix for this vulnerability in the available references [1]. Users are advised to be cautious about installing apps and to check for firmware updates from Asus. The device may be end-of-life, and no official mitigation is provided.