Rule Category

OS-MOBILE -- Snort has detected traffic targeting vulnerabilities in a mobile operating system. This category covers attacks against the OS itself, not browser traffic or other software running on the OS.

Alert Message

OS-MOBILE Android Binder use after free exploit attempt

Rule Explanation

This rule searches for binary strings that indicate a file download attempt for CVE-2019-2215 exploit code.

What To Look For

This rule detects a file download attempt for CVE-2019-2215 exploit code.

Known Usage

No public information

False Positives

No known false positives

Contributors

Cisco Talos Intelligence Group

MITRE ATT&CK Framework

Tactic: Privilege Escalation

Technique: Exploitation for Privilege Escalation

For reference, see the MITRE ATT&CK framework here: https://attack.mitre.org

CVE

Rule Vulnerability

CVE Additional Information

CVE-2019-2215
A use-after-free in binder.c allows an elevation of privilege from an application to the Linux Kernel. No user interaction is required to exploit this vulnerability; however, exploitation does require either the installation of a malicious local application or a separate vulnerability in a network-facing application.
Product: Android
Android ID: A-141720095
Details
Severity: MEDIUM
Base Score: 4.6
Impact Score: 6.4
Exploit Score: 3.9
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Access Vector: LOCAL
Authentication: NONE
Ease of Access: LOW