In today's post, we are going to discuss a vulnerability identified as CVE-2018-9447. This vulnerability affects the onCreate method of EmergencyCallbackModeExitDialog.java and could lead to a local denial of service attack. It is important to note that user interaction is not needed for exploitation, and no additional execution privileges are required. In this post, we will dive deep into the details of this vulnerability and show you a code snippet example for better understanding. We will also include the original references and sources to provide you with a comprehensive understanding.
Vulnerability Details
CVE-2018-9447 is a vulnerability affecting the onCreate method of EmergencyCallbackModeExitDialog.java. The issue is caused by a missing null check, which, if exploited, could crash the phone's emergency callback mode and lead to a local denial of service. Attackers could exploit this vulnerability without any user interaction or additional execution privileges.
Code Snippet
The vulnerability occurs in the onCreate method of EmergencyCallbackModeExitDialog.java. Here is a code snippet that shows the vulnerable part:
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setFinishOnTouchOutside(false);
        setCancelable(false);
        ...
        Intent intent = getIntent();
        String countdown = intent.getStringExtra(ECM_EXIT_DIALOG_COUNTDOWN_KEY);
        ...
    }
As you can see from the code snippet above, the getIntent() method returns an Intent object, which is then used to extract a string extra called countdown. However, the null check for the Intent object is missing, making it possible for an attacker to trigger a crash by sending a specially crafted Intent with null data.
Exploit
To exploit this vulnerability, an attacker could send a malicious Intent to the affected application. The Intent would contain a null value for the countdown string, which would then lead to a crash when the application tries to access it. The crash would cause a local denial of service, disrupting the normal function of the emergency callback mode.
Here's an example of how an attacker can send an Intent with a null value for the countdown string:
    Intent maliciousIntent = new Intent();
    maliciousIntent.setComponent(new ComponentName("com.android.phone", "com.android.phone.EmergencyCallbackModeExitDialog"));
    maliciousIntent.putExtra("countdown", (String)null);
    startActivity(maliciousIntent);
For more information about this vulnerability, you can refer to the following sources:
1. CVE-2018-9447 - National Vulnerability Database (NVD)
2. Android Security Bulletin - August 2018
3. AOSP code for EmergencyCallbackModeExitDialog.java
Conclusion
In conclusion, CVE-2018-9447 is a vulnerability that allows attackers to crash the emergency callback mode in an affected device, leading to a local denial of service. The vulnerability lies in a missing null check in the onCreate method of EmergencyCallbackModeExitDialog.java.
To mitigate this issue, it is essential for developers to check all objects for null values before using them, especially in critical functionality such as emergency callback mode. Furthermore, regular security updates and patches should be applied in a timely manner to prevent the exploitation of such vulnerabilities.
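The null-check mitigation described above, sketched as an added example; this is not the AOSP class or its actual patch. The class name HardenedExitDialog, the helper readCountdown and the key value "countdown" are assumptions made for illustration.

```java
import android.app.Activity;
import android.content.Intent;
import android.os.Bundle;
import android.util.Log;

// Hypothetical activity modelled on the snippet in this post; not the AOSP class or its patch.
public class HardenedExitDialog extends Activity {
    private static final String TAG = "HardenedExitDialog";
    // Assumed value: the post's second snippet uses the literal "countdown" as the extra name.
    static final String ECM_EXIT_DIALOG_COUNTDOWN_KEY = "countdown";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setFinishOnTouchOutside(false);

        String countdown = readCountdown(getIntent());
        if (countdown == null) {
            // Fail closed: close this activity instead of letting a
            // NullPointerException take down the hosting process.
            Log.w(TAG, "Launch rejected: missing or unreadable countdown extra");
            finish();
            return;
        }
        // Dialog setup that depends on the countdown value continues here.
        setTitle(countdown);
    }

    // Returns the countdown extra, or null if the Intent cannot be trusted.
    static String readCountdown(Intent intent) {
        if (intent == null) {
            return null; // the check the post describes as missing
        }
        try {
            String value = intent.getStringExtra(ECM_EXIT_DIALOG_COUNTDOWN_KEY);
            return (value == null || value.isEmpty()) ? null : value;
        } catch (RuntimeException e) {
            // Reading extras unparcels caller-supplied data, which can throw
            // (for example BadParcelableException) on a malformed Bundle.
            return null;
        }
    }
}
```

Keeping the validation in one helper means every entry point that consumes the Intent gets the same checks, and the warning log line gives defenders a signal when another app sends a malformed launch.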
Timeline
Published on: 01/17/2025 23:15:12 UTC
Last modified on: 03/19/2025 14:15:34 UTC