CVE-2019-15411

Vulnerability

The Asus ZenFone 3 Laser (ASUS_Z01GD) device, with build fingerprint asus/WW_msm8937/msm8937:7.1.1/NMF26F/WW_32.40.106.114_20180928:user/release-keys, includes a pre-installed app with package name com.asus.loguploaderproxy (versionCode=1570000020, versionName=7.0.0.4_170901). This app exposes an accessible component that allows command execution, which can be triggered by any other pre-installed app on the device that has obtained signatureOrSystem permissions [1].

Exploitation

An attacker with control over a pre-installed app (one that already holds signatureOrSystem permissions) can leverage the accessible component of com.asus.loguploaderproxy to execute arbitrary commands. The component is exported, so no additional user interaction beyond the presence of a suitably privileged pre-installed app is required [1].

Impact

Successful exploitation allows a pre-installed app (with signatureOrSystem permissions) to execute commands with elevated privileges, potentially leading to full device compromise, including unauthorized access to sensitive data or modification of system settings [1].

Mitigation

No official fix has been disclosed as of the publication date (2019-11-14). Users are advised to monitor vendor updates for a security patch. Due to the nature of the vulnerability (pre-installed app component), removing or disabling the app may require root access [1].