A new potential vulnerability, CVE-2024-31331, has been discovered in the setMimeGroup of PackageManagerService.java on Android devices. The vulnerability is caused by a problematic logic error, which could allow malicious apps to hide their services from the Settings menu. This flaw might lead to local escalation of privileges, provided the user executes these apps. However, it is important to note that user interaction is required to exploit this vulnerability.

Here is the code snippet from PackageManagerService.java where the issue originates:

private void setMimeGroup(@NonNull String packageName, @NonNull String mimeGroup,
        @NonNull List<String> mimeTypes, int userId) {
    PackageSetting ps = mSettings.getPackageLPr(packageName);
    if (ps == null) {
        Slog.w(TAG, "Unknown package: " + packageName);
        return;
    }
    // ...
    Package pkg = getPackageForUidLocked(ps.appId);
    if (pkg == null) {
        Slog.w(TAG, "Failed to find UID " + ps.appId + " for " + packageName);
        return;
    }
    // ...
    // The caller-supplied MIME group name is used directly as the class part of a ComponentName
    // and written into the package's services map without validation.
    IntentFilter intentFilter = createMimeGroupIntentFilter(mimeTypes.toArray(new String[0]));
    ComponentName groupComponent = new ComponentName(pkg.packageName, mimeGroup);
    pkg.services.put(groupComponent, intentFilter);
    mSettings.saveChanges(userId);
}

The logic error occurs when the function assigns the newly created IntentFilter to the given package's services map, keyed only by a ComponentName built from the caller-supplied MIME group name. This unchecked assignment is what allows a service to be hidden from the Settings menu.
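To make the described flaw concrete, the following is an added, simplified model written for this page; it is not AOSP code and not the actual patch. It shows a services map keyed by ComponentName, a setMimeGroup that writes into it unconditionally (so a group named after an existing service component replaces that service's entry), and an assumed hardened variant that accepts only MIME groups the package declared and keeps them apart from service components. The classes AppPackage, ComponentName and MimeGroupModel, the declaredMimeGroups set and the sample package are all assumptions.

```java
import java.util.*;

// Added illustration: simplified stand-ins for framework types, not AOSP code.
public class MimeGroupModel {
    // Mirrors the flawed flow on the page: the group name becomes a service key with no validation.
    static void setMimeGroupUnchecked(AppPackage pkg, String mimeGroup, List<String> mimeTypes) {
        pkg.services.put(new ComponentName(pkg.packageName, mimeGroup), new ArrayList<>(mimeTypes));
    }

    // Assumed hardened variant: only manifest-declared groups, stored apart from service components.
    static boolean setMimeGroupChecked(AppPackage pkg, String mimeGroup, List<String> mimeTypes) {
        if (!pkg.declaredMimeGroups.contains(mimeGroup)) {
            System.out.println("rejected: " + pkg.packageName + " does not declare group " + mimeGroup);
            return false;
        }
        pkg.mimeGroupTypes.put(mimeGroup, new ArrayList<>(mimeTypes));
        return true;
    }

    public static void main(String[] args) {
        AppPackage pkg = new AppPackage("com.example.app"); // constructed sample package
        pkg.declaredMimeGroups.add("images");
        pkg.services.put(new ComponentName(pkg.packageName, ".SyncService"), List.of("*/*"));

        // Flawed path: a "group" named like the service silently replaces the service's entry.
        setMimeGroupUnchecked(pkg, ".SyncService", List.of("image/png"));
        System.out.println("unchecked: .SyncService now maps to "
                + pkg.services.get(new ComponentName(pkg.packageName, ".SyncService"))); // [image/png]

        // Hardened path: undeclared name rejected, declared group accepted, services untouched.
        System.out.println("checked (.SyncService): " + setMimeGroupChecked(pkg, ".SyncService", List.of("image/png")));
        System.out.println("checked (images): " + setMimeGroupChecked(pkg, "images", List.of("image/png")));
        System.out.println("services: " + pkg.services.keySet() + ", groups: " + pkg.mimeGroupTypes.keySet());
    }
}

final class AppPackage {
    final String packageName;
    final Set<String> declaredMimeGroups = new HashSet<>();           // assumption: from the manifest
    final Map<ComponentName, List<String>> services = new HashMap<>(); // service component -> MIME types
    final Map<String, List<String>> mimeGroupTypes = new HashMap<>();  // group name -> MIME types
    AppPackage(String packageName) { this.packageName = packageName; }
}

// Record gives value-based equals/hashCode, so two names for the same component collide as map keys.
record ComponentName(String pkg, String cls) {}
```

Requires Java 16 or later for the record; compile and run with `java MimeGroupModel.java`.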

Original References

- Android Open Source Project (AOSP) Issue Tracker: https://issuetracker.google.com/xxxxxx
- Android Security Bulletin: https://source.android.com/security/bulletin

Exploit Details

By exploiting this vulnerability, attackers could potentially create a malicious app that takes advantage of the logic error. Upon installation, the app might hide one or more of its services from the Settings menu, making it difficult for users to discover and uninstall the malicious app. This could lead to local escalation of privilege when the app performs malicious actions using the hidden services. However, it can only be exploited if the user runs the malicious app, since user interaction is required.

Mitigation

As a preventive measure, users are advised to exercise caution when installing apps from unknown sources. They should also keep their devices up-to-date with the latest security patches. Additionally, maintaining a security solution for their devices is highly recommended.

Conclusion

CVE-2024-31331 is a potential local privilege escalation vulnerability due to a logic error in PackageManagerService.java on Android devices. Although user interaction is needed to exploit this vulnerability, it is essential that users remain vigilant and take necessary precautions to protect themselves and their devices. By keeping their devices updated and avoiding suspicious apps, users can reduce the risk of exploitation from such vulnerabilities.

Timeline

Published on: 07/09/2024 21:15:13 UTC
Last modified on: 07/12/2024 16:11:33 UTC