The reverse, deserialization, is the process of converting this data back into objects the app can use.

So an attacker can feed his own data into the system by exploiting this loophole.

For those of you more technically inclined, java.io.ObjectInputStream is the class containing the method which can be exploited.
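As an added illustration of the defensive side (not code from the article or from Android itself), the following Java program subclasses ObjectInputStream and overrides resolveClass() so that only classes on an explicit allowlist are ever instantiated from an incoming stream; the Note and Unexpected types are constructed purely for the demo.

```java
import java.io.*;
import java.util.Set;

// Added example (not the article's code): a look-ahead ObjectInputStream that
// rejects any class not on a fixed allowlist. resolveClass() runs while the
// class descriptor is read, before any object is allocated, so a surprise
// class in untrusted input never gets to run its own deserialization logic.
public class SafeObjectInputStream extends ObjectInputStream {
    private final Set<String> allowed;
    public SafeObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
        super(in);
        this.allowed = allowed;
    }
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        if (!allowed.contains(desc.getName())) {
            throw new InvalidClassException(desc.getName(), "class not on allowlist");
        }
        return super.resolveClass(desc);
    }

    // Demo types (constructed for this example): one expected, one not.
    static final class Note implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Note(String text) { this.text = text; }
    }
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        Set<String> allow = Set.of(Note.class.getName());
        // The expected class round-trips normally.
        try (ObjectInputStream in = new SafeObjectInputStream(
                new ByteArrayInputStream(serialize(new Note("hello"))), allow)) {
            System.out.println("accepted: " + ((Note) in.readObject()).text);
        }
        // The unlisted class is refused in resolveClass(), before construction.
        try (ObjectInputStream in = new SafeObjectInputStream(
                new ByteArrayInputStream(serialize(new Unexpected())), allow)) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname);
        }
    }
}
```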

An oversight by Android's creators leaves nearly every Android device made to date vulnerable

Sure enough, his assumptions were proved right when he went back and researched the OS.

And thankfully, he decided to inform the Android team about it instead of exploiting it.

The developers most probably missed the flaw because it is not something that is normally tested for.


The good news is that the flaw cannot be used directly, thanks to Android's built-in privilege restrictions.

So an attacker is forced to use another vulnerability before he can use this one.

But as we mentioned, this patch is only for Android 5.0 Lollipop.

On Android 4.4.3, this is where one of those pointers ends up.

Here's my crash PoC code.

Your equipment should do something like a reboot after a few seconds.

source: www.techworm.net