CVE-2019-15419

Vulnerability

The ASUS ASUS_X015_1 Android device (build fingerprint asus/CN_X015/ASUS_X015_1:7.0/NRD90M/CN_X015-14.00.1709.35-20171215:user/release-keys) includes a pre-installed application with package name com.lovelyfont.defcontainer (versionCode=5, versionName=5.0.1) that exposes a confused deputy vulnerability [1]. This allows any other application co-located on the device to abuse the privileges of the com.lovelyfont.defcontainer app, leading to unauthorized command execution [1].

Exploitation

An attacker needs to have any app installed on the same device that can send an intent or otherwise communicate with the vulnerable com.lovelyfont.defcontainer app [1]. No additional permissions are required beyond being a co-located app. The attack involves crafting a malicious message that the com.lovelyfont.defcontainer app processes as a privileged action, effectively executing commands with its higher privileges [1].

Impact

Successful exploitation allows arbitrary command execution with the privileges of the com.lovelyfont.defcontainer app [1]. This can lead to full compromise of device data, installation of additional apps, or other actions that the pre-installed app is capable of performing, potentially without the user's knowledge [1].

Mitigation

As of the publication date (2019-11-14), no official fix has been disclosed for this vulnerability in the available references [1]. Users should uninstall the pre-installed app if possible, or consider using a device that receives regular security updates [1].