CVE-2024-23704: Bypassing DISALLOW_ADD_WIFI_CONFIG Restriction in WifiDialogActivity.java

In this long-read post, we will discuss the recently discovered CVE-2024-23704 vulnerability, which is a security flaw found in the onCreate() method of WifiDialogActivity.java. This vulnerability potentially allows a malicious application to bypass the DISALLOW_ADD_WIFI_CONFIG restriction and subsequently perform a local escalation of privilege. An interesting aspect of this flaw is that no additional execution privileges are required, and no user interaction is necessary for its exploitation.

Exploit Details

In the onCreate() method of WifiDialogActivity.java, there is a missing permission check, which introduces a possible way to bypass the DISALLOW_ADD_WIFI_CONFIG restriction. The absence of this permission check could allow an attacker to perform a local escalation of privilege without any additional execution privileges. Moreover, this vulnerability can be exploited without user interaction.

Here's a code snippet that demonstrates the issue

@Override
protected void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);

    if (getIntent().getBooleanExtra(EXTRA_REQUIRE_FANCY_WIFI, false)
            && UserUtil.isCurrentUserAdmin(this)) {
        startActivityForResult(FANCY_WIFI_REQUEST_CODE);
    } else {
        // Bypass possible due to missing permission check
        startActivityForResult(LEGACY_WIFI_REQUEST_CODE);
    }
}

As seen in the code snippet, the permission check is missing before initiating the Wifi configuration with the startActivityForResult() method for the LEGACY_WIFI_REQUEST_CODE intent. This omission allows malicious applications to bypass the DISALLOW_ADD_WIFI_CONFIG security feature.

1. National Vulnerability Database (NVD): https://nvd.nist.gov/vuln/detail/CVE-2024-23704
2. Android Security Bulletin: https://source.android.com/security/bulletin/2024-06-01

Mitigation

To address this vulnerability, developers should perform proper permission checks before starting any activity related to Wifi configuration. Here's an example of how to correctly implement the permission check in the onCreate() method:

@Override
protected void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);

    // Permission check added
    if (UserUtil.isCurrentUserAdmin(this)) {
        // Proceed with Wifi configuration
        if (getIntent().getBooleanExtra(EXTRA_REQUIRE_FANCY_WIFI, false)) {
            startActivityForResult(FANCY_WIFI_REQUEST_CODE);
        } else {
            startActivityForResult(LEGACY_WIFI_REQUEST_CODE);
        }
    }
    // Deny access otherwise
    else {
        finish(); // Close the activity
        Toast.makeText(this, "Permission denied", Toast.LENGTH_SHORT).show();
    }
}

By incorporating the permission check, this code snippet now ensures that only authorized users (i.e., those with administrative privileges) can access the Wifi configuration activity.

Conclusion

CVE-2024-23704 is a severe vulnerability that could lead to local escalation of privilege. It is essential for developers to be aware of this issue and follow best practices in designing and implementing permission checks for any critical system components. To stay secure, always make sure to update your Android operating system and install the latest security patches provided by the manufacturer.

Timeline

Published on: 05/07/2024 21:15:08 UTC
Last modified on: 07/03/2024 01:47:59 UTC