Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score 4.3
CVE Id CVE-2009-1754
Last Modified 29 Feb 2012 12:00:00
Published 26 May 2009 11:30:05
Confidentiality Impact PARTIAL
Integrity Impact NONE
Availability Impact NONE
Access Vector NETWORK
Access Complexity MEDIUM
Authentication NONE

CVE-2009-1754

Summary

The PackageManagerService class in services/java/com/android/server/PackageManagerService.java in Android 1.5 through 1.5 CRB42 does not properly check developer certificates during processing of sharedUserId requests at an application's installation time, which allows remote user-assisted attackers to access application data by creating a package that specifies a shared user ID with an arbitrary application.

Vulnerable Systems

Operating System

  • Google Android 1.5

Application

  • Android 1.5

  • Android 1.5 CRB42


References

MISC - http://www.ocert.org/advisories/ocert-2009-006.html

CONFIRM - http://android.git.kernel.org/?p=platform/frameworks/base.git;a=commit;h=5d6d773fab559fdc12e553d60d789f3991ac552c

BID - 35090

BUGTRAQ - 20090522 [oCERT-2009-006] Android improper package verification when using shared uids

MLIST - [oss-security] 20090522 [oCERT-2009-006] Android improper package verification when using shared uids


Last Updated: 27 May 2016 10:58:19