OpenCVE

Directory traversal vulnerability in the SwiftKey language-pack update implementation on Samsung Galaxy S4, S4 Mini, S5, and S6 devices allows remote web servers to write to arbitrary files, and consequently execute arbitrary code in a privileged context, by leveraging control of the skslm.swiftkey.net domain name and providing a .. (dot dot) in an entry in a ZIP archive, as demonstrated by a traversal to the /data/dalvik-cache directory.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Samsung	Galaxy S4 Galaxy S4 Mini Galaxy S5 Galaxy S6
Swiftkey	Swiftkey Sdk

Configuration 1 [-]

AND

cpe:2.3:a:swiftkey:swiftkey_sdk:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:samsung:galaxy_s4::::::::
	cpe:2.3:h:samsung:galaxy_s4_mini::::::::
	cpe:2.3:h:samsung:galaxy_s5::::::::
	cpe:2.3:h:samsung:galaxy_s6::::::::

No data.

References

Link	Providers
http://arstechnica.com/security/2015/06/new-exploit-turns-samsung-galaxy-phones-into-remote-bugging-devices/
http://www.kb.cert.org/vuls/id/155412
http://www.securityfocus.com/bid/75353
https://github.com/nowsecure/samsung-ime-rce-poc/
https://www.nowsecure.com/blog/2015/06/16/remote-code-execution-as-system-user-on-samsung-phones/
https://www.nowsecure.com/keyboard-vulnerability/

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2015-06-19T14:00:00

Updated: 2024-08-06T06:18:12.251Z

Reserved: 2015-06-17T00:00:00

Link: CVE-2015-4641

Vulnrichment

No data.

NVD

Status : Modified

Published: 2015-06-19T14:59:02.630

Modified: 2024-11-21T02:31:27.683

Link: CVE-2015-4641

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-06-16T00:00:00", "descriptions": [{"lang": "en", "value": "Directory traversal vulnerability in the SwiftKey language-pack update implementation on Samsung Galaxy S4, S4 Mini, S5, and S6 devices allows remote web servers to write to arbitrary files, and consequently execute arbitrary code in a privileged context, by leveraging control of the skslm.swiftkey.net domain name and providing a .. (dot dot) in an entry in a ZIP archive, as demonstrated by a traversal to the /data/dalvik-cache directory."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2016-12-05T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.nowsecure.com/keyboard-vulnerability/"}, {"tags": ["x_refsource_MISC"], "url": "https://www.nowsecure.com/blog/2015/06/16/remote-code-execution-as-system-user-on-samsung-phones/"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/nowsecure/samsung-ime-rce-poc/"}, {"name": "75353", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/75353"}, {"tags": ["x_refsource_MISC"], "url": "http://arstechnica.com/security/2015/06/new-exploit-turns-samsung-galaxy-phones-into-remote-bugging-devices/"}, {"name": "VU#155412", "tags": ["third-party-advisory", "x_refsource_CERT-VN"], "url": "http://www.kb.cert.org/vuls/id/155412"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-4641", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Directory traversal vulnerability in the SwiftKey language-pack update implementation on Samsung Galaxy S4, S4 Mini, S5, and S6 devices allows remote web servers to write to arbitrary files, and consequently execute arbitrary code in a privileged context, by leveraging control of the skslm.swiftkey.net domain name and providing a .. (dot dot) in an entry in a ZIP archive, as demonstrated by a traversal to the /data/dalvik-cache directory."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.nowsecure.com/keyboard-vulnerability/", "refsource": "MISC", "url": "https://www.nowsecure.com/keyboard-vulnerability/"}, {"name": "https://www.nowsecure.com/blog/2015/06/16/remote-code-execution-as-system-user-on-samsung-phones/", "refsource": "MISC", "url": "https://www.nowsecure.com/blog/2015/06/16/remote-code-execution-as-system-user-on-samsung-phones/"}, {"name": "https://github.com/nowsecure/samsung-ime-rce-poc/", "refsource": "MISC", "url": "https://github.com/nowsecure/samsung-ime-rce-poc/"}, {"name": "75353", "refsource": "BID", "url": "http://www.securityfocus.com/bid/75353"}, {"name": "http://arstechnica.com/security/2015/06/new-exploit-turns-samsung-galaxy-phones-into-remote-bugging-devices/", "refsource": "MISC", "url": "http://arstechnica.com/security/2015/06/new-exploit-turns-samsung-galaxy-phones-into-remote-bugging-devices/"}, {"name": "VU#155412", "refsource": "CERT-VN", "url": "http://www.kb.cert.org/vuls/id/155412"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T06:18:12.251Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.nowsecure.com/keyboard-vulnerability/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.nowsecure.com/blog/2015/06/16/remote-code-execution-as-system-user-on-samsung-phones/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/nowsecure/samsung-ime-rce-poc/"}, {"name": "75353", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/75353"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://arstechnica.com/security/2015/06/new-exploit-turns-samsung-galaxy-phones-into-remote-bugging-devices/"}, {"name": "VU#155412", "tags": ["third-party-advisory", "x_refsource_CERT-VN", "x_transferred"], "url": "http://www.kb.cert.org/vuls/id/155412"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-4641", "datePublished": "2015-06-19T14:00:00", "dateReserved": "2015-06-17T00:00:00", "dateUpdated": "2024-08-06T06:18:12.251Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:swiftkey:swiftkey_sdk:*:*:*:*:*:*:*:*", "matchCriteriaId": "88F176E3-EC85-4B8C-B5DF-8EF79949F24E", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:samsung:galaxy_s4:*:*:*:*:*:*:*:*", "matchCriteriaId": "FB2AC272-BB5F-4817-959D-2A4ECF1626E2", "vulnerable": false}, {"criteria": "cpe:2.3:h:samsung:galaxy_s4_mini:*:*:*:*:*:*:*:*", "matchCriteriaId": "B11D6B24-F216-47CF-9614-F27940CBD091", "vulnerable": false}, {"criteria": "cpe:2.3:h:samsung:galaxy_s5:*:*:*:*:*:*:*:*", "matchCriteriaId": "41DE2B05-3057-4F9F-A33D-6A01B4E19E65", "vulnerable": false}, {"criteria": "cpe:2.3:h:samsung:galaxy_s6:*:*:*:*:*:*:*:*", "matchCriteriaId": "55A63E34-ACAD-4577-9965-02E294955906", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Directory traversal vulnerability in the SwiftKey language-pack update implementation on Samsung Galaxy S4, S4 Mini, S5, and S6 devices allows remote web servers to write to arbitrary files, and consequently execute arbitrary code in a privileged context, by leveraging control of the skslm.swiftkey.net domain name and providing a .. (dot dot) in an entry in a ZIP archive, as demonstrated by a traversal to the /data/dalvik-cache directory."}, {"lang": "es", "value": "Vulnerabilidad de salto de directorio en la implementaci\u00f3n de la actualizaci\u00f3n del paquete de lenguas SwiftKey en los dispositivos Samsung Galaxy S4, S4 Mini, S5, y S6 permite servidores web remotos escribir en ficheros arbitrarios, y como consecuencia ejecutar c\u00f3digo arbitrario en un contexto privilegiado, mediante el aprovechamiento del control del nombre de dominio skslm.swiftkey.net y la provisi\u00f3n de un .. (punto punto) en una entrada en un archivo ZIP, tal y como fue demostrado por un salto en el directorio /data/dalvik-cache."}], "id": "CVE-2015-4641", "lastModified": "2024-11-21T02:31:27.683", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.4, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-06-19T14:59:02.630", "references": [{"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://arstechnica.com/security/2015/06/new-exploit-turns-samsung-galaxy-phones-into-remote-bugging-devices/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "US Government Resource"], "url": "http://www.kb.cert.org/vuls/id/155412"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/75353"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "https://github.com/nowsecure/samsung-ime-rce-poc/"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "https://www.nowsecure.com/blog/2015/06/16/remote-code-execution-as-system-user-on-samsung-phones/"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "https://www.nowsecure.com/keyboard-vulnerability/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "http://arstechnica.com/security/2015/06/new-exploit-turns-samsung-galaxy-phones-into-remote-bugging-devices/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "http://www.kb.cert.org/vuls/id/155412"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/75353"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "https://github.com/nowsecure/samsung-ime-rce-poc/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "https://www.nowsecure.com/blog/2015/06/16/remote-code-execution-as-system-user-on-samsung-phones/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "https://www.nowsecure.com/keyboard-vulnerability/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}