A recent vulnerability discovered in the AssociationRequest.java file allows malicious actors to potentially establish a companion device association without requiring user confirmation, leading to a local privilege escalation. This vulnerability has been reported under CVE-2024-31320 and doesn't require any additional execution privileges or user interaction for successful exploitation.

Background

AssociationRequest.java is a part of the Android Operating System. A companion device is an auxiliary device that complements and enhances the interaction with another primary device. The AssociationRequest.setSkipPrompt method is designed to allow companion device apps to skip the user confirmation prompt when establishing a companion device association, but only after the user has granted permission once.

Vulnerability Details

The vulnerability stems from an incorrect implementation of the setSkipPrompt method in the AssociationRequest.java file. This implementation flaw makes it possible for malicious actors to trigger a companion device association without any user notification or confirmation, ultimately leading to a local escalation of privilege.

The following code snippet illustrates the vulnerable portion of AssociationRequest.java:

public final class AssociationRequest implements VersionedParcelable {
    ...
    // Flag that controls whether the user confirmation prompt is skipped
    private boolean mSkipPrompt;

    public boolean getSkipPrompt() {
        return mSkipPrompt;
    }

    // Set the skipPrompt flag for this association request.
    // The value supplied by the caller is stored as-is; this method performs no check.
    public void setSkipPrompt(boolean skipPrompt) {
        mSkipPrompt = skipPrompt;
    }
    ...
}

Exploit Details

An attacker could craft a malicious companion device application that exploits this vulnerability to establish a companion device association without user interaction. This could allow the attacker to access sensitive information or perform unauthorized operations.

To exploit this vulnerability, an attacker would create a specially crafted application that sets the 'skipPrompt' flag to 'true' in an AssociationRequest object and initiates a new association without requiring user permission. The attacker can then use this new association to carry out their malicious activities.

Here is an example code snippet exploiting this vulnerability:

public class MaliciousCompanionDeviceApp extends Activity {
    ...
    private void exploitAssociationRequest() {
        AssociationRequest associationRequest = new AssociationRequest.Builder()
            .setPhysicalDeviceType(AssociationRequest.PHYSICAL_DEVICE_TYPE_PHONE)
            .setWatchlistAddSkipPrompt(true) // Exploiting the vulnerability
            .setShouldLaunchRequest(true)
            .build();

        initiateAssociation(associationRequest);
    }
    ...
}

Affected Versions and Mitigation

The vulnerability affects all Android devices running on versions prior to the latest Security Patch Level update. It is highly recommended to apply the latest security updates provided by your device manufacturer or carrier as soon as possible to mitigate the risk associated with this vulnerability.
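
The rule stated in the Background section (the prompt may be skipped only after the user has granted permission once) can be enforced by the service instead of being trusted from the request. The Java below is an added example, not code from Android or from the actual patch; the class, record and method names and the sample values are hypothetical.

```java
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Hypothetical model of a service-side check; none of these names come from AOSP.
public class SkipPromptPolicy {
    // Every field of the request arrives from the calling app and is untrusted.
    record Request(int userId, String packageName, String deviceAddress, boolean skipPrompt) {}

    // Approvals are recorded by the service after the user confirms, never by the caller.
    private final Set<String> approved = new HashSet<>();

    private static String key(int userId, String pkg, String addr) {
        return userId + "|" + pkg + "|" + addr.toUpperCase(Locale.ROOT);
    }

    // Called only from the confirmation UI path, after the user accepts the prompt.
    void recordUserApproval(int userId, String pkg, String addr) {
        approved.add(key(userId, pkg, addr));
    }

    // Returns true when the confirmation prompt must be shown.
    boolean mustPrompt(Request r, int callingUserId, String callingPackage) {
        // Caller identity is taken from the IPC layer, not from the request body.
        if (r.userId() != callingUserId || !r.packageName().equals(callingPackage)) {
            throw new SecurityException("request identity does not match caller");
        }
        if (!r.skipPrompt()) {
            return true;
        }
        // The flag is honoured only if this user already approved this app and device.
        return !approved.contains(key(r.userId(), r.packageName(), r.deviceAddress()));
    }

    public static void main(String[] args) {
        SkipPromptPolicy policy = new SkipPromptPolicy();
        String pkg = "com.example.companion"; // constructed sample values
        Request first = new Request(0, pkg, "aa:bb:cc:dd:ee:ff", true);
        System.out.println("first request prompts: " + policy.mustPrompt(first, 0, pkg));
        policy.recordUserApproval(0, pkg, "AA:BB:CC:DD:EE:FF");
        System.out.println("after approval prompts: " + policy.mustPrompt(first, 0, pkg));
        Request other = new Request(0, pkg, "11:22:33:44:55:66", true);
        System.out.println("different device prompts: " + policy.mustPrompt(other, 0, pkg));
    }
}
```

The point of the model is that skipPrompt is treated as a hint: the decision rests on state the service recorded itself, so a request that sets the flag without a prior approval still produces the prompt.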

The following links provide the original references and source code for further details on this vulnerability:

- Android - AssociationRequest.java (source code)
- CVE-2024-31320 - Mitre
- CVE-2024-31320 - NIST National Vulnerability Database

Conclusion

In conclusion, CVE-2024-31320 presents a significant risk for Android users, as it allows attackers to establish a companion device association without any user interaction. This could lead to local privilege escalation, unauthorized access to sensitive information, and other malicious activities. Users are strongly advised to keep their devices up-to-date with the latest security updates to protect themselves from this and other security vulnerabilities.

Timeline

Published on: 07/09/2024 21:15:13 UTC
Last modified on: 07/12/2024 16:11:32 UTC