CVE-2024-49737 refers to a security vulnerability discovered in WindowOrganizerController.java, a critical component of the Android operating system. It is a local privilege escalation vulnerability, a class of security issue that allows an attacker to elevate their permissions on a victim's device.
This post explains the details behind CVE-2024-49737, including its impact, the root cause, and how it can be exploited. It also walks through the code snippet that causes the vulnerability and includes relevant links for additional information.
The Vulnerability
In WindowOrganizerController.java, a part of the Android operating system, there exists a function called applyTaskFragmentOperation(). This function contains a logic error that permits an attacker to launch arbitrary activities as the system UID. An attacker could therefore use this vulnerability to escalate privileges on the victim's device without any additional privileges or user interaction, gaining full control over the affected device.
The Root Cause
The vulnerability in the applyTaskFragmentOperation() function is due to incorrect handling of the ActivityManager.START_TASK_IN_EXISTING_ACTIVITY flag. This flag is used when starting a new task or activity and should be restricted to system/server processes only. However, the vulnerable code does not correctly validate the caller's UID, which allows non-system processes to use this flag and, as a result, execute arbitrary code with system-level permissions.
The following code snippet from WindowOrganizerController.java demonstrates the vulnerability:
```java
void applyTaskFragmentOperation(
        Task task, FragmentOperation operation, Rect bounds) {
    switch (operation.mType) {
        // remaining cases are not included in the post
    }
}
```
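To make the root cause concrete, here is an added, self-contained Java illustration (not code from AOSP or from the post) of the missing check: the vulnerable shape honours the privileged start flag for any caller, while the hardened shape strips or rejects it unless the calling UID is the system UID. In a real framework service the caller identity comes from Binder.getCallingUid(); here it is passed in explicitly, and the flag's bit value, the FragmentOperation fields and the app UID are constructed placeholders.

```java
/** Constructed illustration of the missing caller-UID check; names mirror the post, not AOSP. */
public final class TaskFragmentOperationGuard {
    /** UID of the system server on Android (android.os.Process.SYSTEM_UID). */
    static final int SYSTEM_UID = 1000;
    /** Placeholder bit for the privileged flag named in the post; the real value is not on the page. */
    static final int START_TASK_IN_EXISTING_ACTIVITY = 1 << 4;

    /** Minimal stand-in for the operation object handled by applyTaskFragmentOperation(). */
    static final class FragmentOperation {
        final int mType;
        final int mStartFlags;
        FragmentOperation(int type, int startFlags) { mType = type; mStartFlags = startFlags; }
    }

    /** Vulnerable shape: the privileged flag is honoured no matter who is calling. */
    static int vulnerableEffectiveFlags(FragmentOperation op, int callingUid) {
        return op.mStartFlags;
    }

    /** Hardened shape: privileged flags are silently stripped for non-system callers. */
    static int hardenedEffectiveFlags(FragmentOperation op, int callingUid) {
        if (callingUid == SYSTEM_UID) {
            return op.mStartFlags;
        }
        return op.mStartFlags & ~START_TASK_IN_EXISTING_ACTIVITY;
    }

    /** Stricter variant: reject the request so the attempt is visible in logs. */
    static void enforceSystemCaller(FragmentOperation op, int callingUid) {
        if ((op.mStartFlags & START_TASK_IN_EXISTING_ACTIVITY) != 0 && callingUid != SYSTEM_UID) {
            throw new SecurityException("uid " + callingUid
                    + " may not use START_TASK_IN_EXISTING_ACTIVITY");
        }
    }

    public static void main(String[] args) {
        int appUid = 10123; // constructed: a typical third-party app UID
        FragmentOperation fromApp = new FragmentOperation(1, START_TASK_IN_EXISTING_ACTIVITY);
        boolean flag = (vulnerableEffectiveFlags(fromApp, appUid) & START_TASK_IN_EXISTING_ACTIVITY) != 0;
        System.out.println("vulnerable path keeps flag for app caller: " + flag);
        flag = (hardenedEffectiveFlags(fromApp, appUid) & START_TASK_IN_EXISTING_ACTIVITY) != 0;
        System.out.println("hardened path keeps flag for app caller: " + flag);
        flag = (hardenedEffectiveFlags(fromApp, SYSTEM_UID) & START_TASK_IN_EXISTING_ACTIVITY) != 0;
        System.out.println("hardened path keeps flag for system caller: " + flag);
    }
}
```

The rejecting variant is the one to prefer in a service that is reachable over Binder, because a SecurityException leaves a trace that detection can key on, whereas silent stripping does not.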
Timeline
Published on: 01/21/2025 23:15:14 UTC
Last modified on: 03/18/2025 15:15:55 UTC