Recently, a new security vulnerability has been discovered, tracked as CVE-2018-9382. This vulnerability affects the Wi-Fi implementation in multiple functions of Android's WifiServiceImpl.java. It allows an attacker to enable a Wi-Fi hotspot from a non-owner profile due to a missing permission check, leading to possible local escalation of privilege without additional execution privileges needed. Moreover, user interaction is not necessary for the exploitation of this vulnerability.

In this in-depth post, we will analyze the vulnerability, provide code snippets of the affected functions, and discuss possible exploits. We will also provide links to the original CVE report and references for further information.

Vulnerability Details

The vulnerability was found in the WifiServiceImpl.java file of the Android Open Source Project (AOSP), specifically in the functions that manage the enabling and disabling of the Wi-Fi hotspot feature.

When a non-owner profile attempts to enable the Wi-Fi hotspot, the system should check whether that profile is permitted to perform the action. Because that check is missing, the request is allowed to proceed.

Here is the code snippet from the vulnerable function:

public void startSoftAp(WifiConfiguration wifiConfig) {
    if (wifiConfig == null) {
        Slog.e(TAG, "No valid config provided");
        return;
    }
    // Both checks below are per-uid permission checks; neither considers
    // which user profile the calling uid belongs to.
    enforceChangePermission();
    mContext.enforceCallingOrSelfPermission(android.Manifest.permission.CONNECTIVITY_INTERNAL, TAG);
    mLog.info("startSoftAp uid=%").c(Binder.getCallingUid()).flush();
    synchronized (mLocalOnlyHotspotRequests) {
        sendMobileHotspotEnabledBroadcast(true);
    }
    // Hand the request to the controller; the hotspot is enabled from here.
    mWifiController.obtainMessage(CMD_SET_AP, wifiConfig).sendToTarget();
}

The checks in the code above only confirm that the caller may change Wi-Fi state and holds CONNECTIVITY_INTERNAL; nothing verifies that the calling profile is allowed to enable the Wi-Fi hotspot. This oversight is what makes the vulnerability exploitable.

Exploitation

To exploit this vulnerability, an attacker can create a malicious app that requests the Wi-Fi hotspot feature to be enabled on non-owner profiles. The app is not required to have any special permissions and does not need any user interaction.

When the malicious app is executed, it will call the startSoftAp function with a custom Wi-Fi configuration. Since no permission check is present, the function will proceed with enabling the Wi-Fi hotspot, providing the attacker with unauthorized network access.

Mitigation and Patch

The patch proposed by the AOSP includes adding a permission check for the CHANGE_NETWORK_STATE_MANAGED_PROVISIONING permission before the Wi-Fi hotspot is enabled. This check ensures that only profiles with the necessary permissions can enable the Wi-Fi hotspot.

public void startSoftAp(WifiConfiguration wifiConfig) {
    //...
    // Additional check described by the patch: the caller must hold this
    // permission before the hotspot request is forwarded.
    mContext.enforceCallingOrSelfPermission(android.Manifest.permission.CHANGE_NETWORK_STATE_MANAGED_PROVISIONING, TAG);
    //...
}
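To make the difference between the vulnerable and patched checks concrete, and to show how a defender can spot hotspot requests from non-owner profiles in the log line the snippet emits, here is an added model in Python. It is not AOSP code and does not reproduce the real WifiServiceImpl: it models the permission checks visible in the two snippets above, the Android uid-to-user mapping (UserHandle.PER_USER_RANGE = 100000, owner profile = user 0), and a constructed sample of "startSoftAp uid=" log lines. The permission name from the patch snippet is used as an opaque string; the uids and log lines are constructed.

```python
"""Model of the CVE-2018-9382 access decision plus a log check (constructed example).

Not AOSP code: it models the permission checks visible in the post's
startSoftAp() snippets and parses the "startSoftAp uid=" line they log.
"""
import re
from dataclasses import dataclass

PER_USER_RANGE = 100_000   # Android UserHandle.PER_USER_RANGE: uid = userId * 100000 + appId
USER_SYSTEM = 0            # the owner (primary) profile

CHANGE_WIFI_STATE = "android.permission.CHANGE_WIFI_STATE"          # enforceChangePermission()
CONNECTIVITY_INTERNAL = "android.permission.CONNECTIVITY_INTERNAL"
# Permission named in the post's patch snippet; treated here as an opaque string.
MANAGED_PROVISIONING = "android.permission.CHANGE_NETWORK_STATE_MANAGED_PROVISIONING"


class SecurityException(Exception):
    """Mirrors what enforceCallingOrSelfPermission() throws on a missing permission."""


@dataclass(frozen=True)
class Caller:
    uid: int
    permissions: frozenset


def user_id(uid: int) -> int:
    """UserHandle.getUserId(): which profile the calling uid belongs to."""
    return uid // PER_USER_RANGE


def enforce(caller: Caller, permission: str) -> None:
    if permission not in caller.permissions:
        raise SecurityException(f"uid {caller.uid} lacks {permission}")


def start_soft_ap_vulnerable(caller: Caller) -> str:
    """Checks from the vulnerable snippet: both are per-uid permission
    checks, neither looks at which profile the uid lives in."""
    enforce(caller, CHANGE_WIFI_STATE)
    enforce(caller, CONNECTIVITY_INTERNAL)
    return f"CMD_SET_AP uid={caller.uid} user={user_id(caller.uid)}"


def start_soft_ap_patched(caller: Caller) -> str:
    """Same checks plus the permission the post's patch adds."""
    enforce(caller, CHANGE_WIFI_STATE)
    enforce(caller, CONNECTIVITY_INTERNAL)
    enforce(caller, MANAGED_PROVISIONING)
    return f"CMD_SET_AP uid={caller.uid} user={user_id(caller.uid)}"


def denied(fn, caller: Caller) -> bool:
    """True if the given entry point rejects the caller with SecurityException."""
    try:
        fn(caller)
    except SecurityException:
        return True
    return False


# Log line produced by the snippet's mLog.info("startSoftAp uid=%") call.
LOG_RE = re.compile(r"startSoftAp uid=(\d+)")


def hotspot_requests_from_other_profiles(log_lines):
    """Detection: flag startSoftAp entries whose calling uid is not in the
    owner profile. Returns (uid, user_id) pairs, which is the signal that
    the unpatched check fails to act on."""
    flagged = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            uid = int(m.group(1))
            if user_id(uid) != USER_SYSTEM:
                flagged.append((uid, user_id(uid)))
    return flagged


# Constructed sample: uid 1000 is the owner-profile system uid,
# uid 1010123 is an app (appId 10123) in managed profile user 10.
SAMPLE_LOG = [
    "WifiService: startSoftAp uid=1000",
    "WifiService: startSoftAp uid=1010123",
    "WifiService: stopSoftAp uid=1000",
]

if __name__ == "__main__":
    owner = Caller(1000, frozenset({CHANGE_WIFI_STATE, CONNECTIVITY_INTERNAL, MANAGED_PROVISIONING}))
    work_profile = Caller(1010123, frozenset({CHANGE_WIFI_STATE, CONNECTIVITY_INTERNAL}))
    print("vulnerable, work profile:", start_soft_ap_vulnerable(work_profile))
    print("patched, work profile denied:", denied(start_soft_ap_patched, work_profile))
    print("patched, owner:", start_soft_ap_patched(owner))
    print("flagged from log:", hotspot_requests_from_other_profiles(SAMPLE_LOG))
```

The detection half is the part worth keeping on an unpatched fleet: the service already logs the calling uid, and dividing it by 100000 tells you the profile it came from, so a hotspot enable logged from any user other than 0 is the event to investigate.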

For more information about this vulnerability, please refer to the following sources:

- Original CVE Report
- Android Security Bulletin – October 2018

Conclusion

CVE-2018-9382 is a dangerous vulnerability that allows attackers to enable Wi-Fi hotspots from non-owner profiles, potentially leading to unauthorized network access or other security risks. Fortunately, once identified, patching this vulnerability is a matter of implementing a simple permission check. Developers and enterprise users should apply the patch as soon as possible to protect against potential exploitation.

Timeline

Published on: 01/17/2025 23:15:11 UTC
Last modified on: 03/13/2025 15:15:37 UTC