CVE-2024-31317 - Local Privilege Escalation in ZygoteProcess.java due to WRITE_SECURE_SETTINGS & Unsafe Deserialization

Summary: In this long-read post, we will detail the CVE-2024-31317 vulnerability discovered in multiple functions of ZygoteProcess.java, which could lead to local privilege escalation with user execution privileges needed. We will also provide code snippets, reference links, and explain how to exploit this vulnerability.

Introduction

CVE-2024-31317 is a security vulnerability found in multiple functions of the ZygoteProcess.java file. It shows that there is a possible way to achieve code execution as any app via WRITE_SECURE_SETTINGS permission due to unsafe deserialization. As a result, this could lead to a local escalation of privilege with User execution privileges needed. Moreover, user interaction is not needed for exploitation.

This vulnerability has been assigned a CVSS score of 7.8, which signifies that it is classified as a high severity vulnerability.

ZygoteProcess.java

The ZygoteProcess.java is a part of the Android Operating System which is responsible for creating new processes, so apps can run different tasks parallelly. It becomes vulnerable when multiple functions are combined with the WRITE_SECURE_SETTINGS permission and incorrect deserialization.

WRITE_SECURE_SETTINGS Permission

The WRITE_SECURE_SETTINGS permission allows applications to write system settings that are not meant for third-party apps to modify. This permission is meant for system apps only, but if a malicious app obtains it, it can perform actions as system-level apps.

Unsafe Deserialization

In the context of this vulnerability, unsafe deserialization refers to the process of converting a serialized data format back into an object, without properly scrutinizing the source. This can lead to the execution of malicious code if the input data contains a crafted payload.

Let's take a look at the problematic code snippet from ZygoteProcess.java

private void applyUidSecurityPolicy(…){
    //...
    if(app.processName != null){
        Parcel data = Parcel.obtain();
        data.writeString(app.processName);
        data.writeInterfaceToken("IActivityManager");
        data.writeStrongBinder(token);
        data.writeInt(app.uid);
        mRemote.transact(SET_PROCESS_LIMIT_TRANSACTION, data, reply, );
    }
}

In this code snippet, the problematic part is that app.processName is not properly sanitized before it is consumed by the mRemote.transact() method. This could potentially allow a malicious app to forge the IActivityManager transaction and execute code with elevated privileges.

Exploitation

To exploit this vulnerability, an attacker would create a malicious Android app that leverages the WRITE_SECURE_SETTINGS permission and crafts a specific payload for the unsafe deserialization in multiple functions of ZygoteProcess.java. By doing so, the malicious app would execute with elevated privileges, allowing the attacker to perform malicious actions on the victim's device without their knowledge or interaction.

Conclusion

CVE-2024-31317 is a dangerous vulnerability that can lead to a local escalation of privilege on a user's device. By understanding the exploit and its mitigations, developers can take the necessary steps to protect users, maintain a secure environment, and prevent future similar exploits. Stay secure!

Timeline

Published on: 07/09/2024 21:15:13 UTC
Last modified on: 07/11/2024 15:05:39 UTC