Vulnerability in Android <5.0 (ObjectInputStream)

As reported by Jann Horn on the Full Disclosure mailing list, Android 5.0 includes a patch that fixes a vulnerability in java.io.ObjectInputStream. Before this patch, java.io.ObjectInputStream did not check whether a class was serializable before deserializing an instance of it.

It is enough for an attacker to create an instance of any class that has a parameterless constructor and fill its fields with arbitrary values. When the garbage collector runs, the instance's finalize method is called. If such an instance is passed to the system_service service via an Intent carrying a Bundle, a pointer is overwritten with an address controlled by the attacker; if the attacker manages to place the required payload at that address, the attacker's code executes with the privileges of system_service.

Although Android has ASLR, all processes are forked from zygote and therefore share approximately the same memory layout, so ASLR can be bypassed.

The author also wrote a PoC and posted it to the mailing list.
The vulnerability was reported on 06.23.2014 and was assigned CVE-2014-7911.

Source: https://habr.com/ru/post/243663/
