CVE-2019-15410

Vulnerability

A pre-installed app with package name com.asus.loguploaderproxy (versionCode=1570000020, versionName=7.0.0.4_170901) on Asus ZenFone 5Q devices (build fingerprint asus/WW_Phone/ASUS_X017D_2:7.1.1/NGI77B/14.0400.1809.059-20181016:user/release-keys) exposes an accessible component that allows other pre-installed apps to perform command execution. This component is reachable by any pre-installed app on the device that can obtain signatureOrSystem permissions, which are required by other pre-installed apps that export their capabilities [1].

Exploitation

An attacker needs to have a pre-installed app on the device that can acquire signatureOrSystem permissions. Such an app can then invoke the exposed component of com.asus.loguploaderproxy to execute arbitrary commands. No user interaction is required beyond the device running the affected software [1].

Impact

Successful exploitation allows the attacker to execute arbitrary commands with system privileges, leading to full compromise of the device's confidentiality, integrity, and availability [1].

Mitigation

No patch has been publicly released by Asus as of the publication date. The only mitigation is to remove or disable the pre-installed app if possible, though this may require root access. Users should keep the device updated for any future firmware fixes [1].