Ryan Welton

Researcher at NowSecure
#26941 of 53,640
9.3 total CVSS
Vulnerabilities · 2
Low: 1
Medium: 1
PT-2015-6648
2.9
2015-06-19
Swiftkey · Swiftkey Sdk · CVE-2015-4640
The SwiftKey language-pack update implementation on Samsung Galaxy S4, S4 Mini, S5, and S6 devices relies on an HTTP connection to the skslm.swiftkey.net server, which allows man-in-the-middle attackers to write to language-pack files by modifying an HTTP response. NOTE: CVE-2015-4640 exploitation can be combined with CVE-2015-4641 exploitation for man-in-the-middle code execution.
PT-2015-6649
6.4
2015-06-19
Samsung · Samsung Galaxy S · CVE-2015-4641
**Name of the Vulnerable Software and Affected Versions**
Samsung Galaxy S series (affected versions not specified)

**Description**
The issue allows remote web servers to write to arbitrary files and execute arbitrary code in a privileged context by leveraging control of the skslm.swiftkey.net domain name and providing a .. (dot dot) in an entry in a ZIP archive. This can be demonstrated by a traversal to the /data/dalvik-cache directory.

**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.