A recently disclosed vulnerability has been assigned the identifier CVE-2024-49742. It describes a possible way to hide an app that has notification access in the Settings application, due to a missing permission check in the onCreate method of the NotificationAccessConfirmationActivity Java class. Exploiting this vulnerability could lead to local escalation of privilege with no additional execution privileges needed. However, user interaction is required for exploitation. In this post, we provide a code snippet to showcase the vulnerability, link to the original references, and discuss the exploit details.

Code snippet

First, let's take a look at the onCreate method in the NotificationAccessConfirmationActivity.java class where the vulnerability was discovered:

protected void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);

    final String appName = getIntent().getStringExtra("appName");
    final String appPackageName = getIntent().getStringExtra("appPackageName");

    // ... [Rest of the code]
}

As you can see, the method retrieves the "appName" and "appPackageName" from the Intent object without validating whether the calling application has the proper permissions. This missing permission check constitutes the basis for the vulnerability.

Original references

The vulnerability was discovered by X Security Team and was reported to the Android Open Source Project (AOSP). The issue has been assigned a CVE ID of CVE-2024-49742. The original references for this vulnerability can be found here:
- Android Security Bulletin: https://source.android.com/security/bulletin
- CVE Details: https://www.cvedetails.com/cve/CVE-2024-49742/

Exploit details

To exploit this vulnerability, an attacker could create a malicious application that sends an Intent to the NotificationAccessConfirmationActivity. This Intent would contain the necessary parameters ("appName" and "appPackageName") to target an application of the attacker's choice, effectively hiding that application from the user by removing its notification access in the Settings.

The necessary user interaction for exploitation could be presented by the malicious app as a seemingly innocuous activity, such as a game or utility that requests the user to perform certain tasks or grant specific permissions for seemingly legitimate purposes. Once the user interacts with the malicious application, the attacker could leverage the vulnerability to escalate privileges and potentially compromise the user's data or perform other malicious activities.

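To mitigate this vulnerability, developers should implement proper permission checks within their applications before accessing sensitive settings or preferences. One possible solution could involve the use of the checkCallingOrSelfPermission() method to verify that the calling application possesses the required permissions. Note that this method checks the component's own permissions whenever it is not processing an incoming IPC, so the point at which it is called determines whose permissions are actually tested: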

if (checkCallingOrSelfPermission(Manifest.permission.BIND_NOTIFICATION_LISTENER_SERVICE) != PackageManager.PERMISSION_GRANTED) {
    // Display an error message or take other appropriate actions
    return;
}
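
One way an app-level confirmation activity can avoid trusting the "appName" and "appPackageName" extras discussed above. This is an added example, not AOSP's patch and not code from the original post; the class name SafeConfirmationActivity and the policy that an app may only request confirmation for itself are assumptions.

```java
import android.app.Activity;
import android.app.AlertDialog;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import android.os.Bundle;
import android.util.Log;

// Added illustration, not AOSP code. Class name and policy are assumptions.
public class SafeConfirmationActivity extends Activity {
    private static final String TAG = "SafeConfirmation";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // Non-null only if the caller used startActivityForResult(); an
        // anonymous launch cannot be attributed, so it is rejected.
        final String caller = getCallingPackage();
        final String target = getIntent().getStringExtra("appPackageName");
        // Assumed policy: an app may only request confirmation for itself.
        if (caller == null || !caller.equals(target)) {
            Log.w(TAG, "Rejected request from " + caller + " for " + target);
            finish();
            return;
        }

        // Ignore the "appName" extra: resolve the label from the installed
        // package instead of free-form intent text. Fail closed if unknown.
        final PackageManager pm = getPackageManager();
        final CharSequence label;
        try {
            ApplicationInfo info = pm.getApplicationInfo(target, 0);
            label = pm.getApplicationLabel(info);
        } catch (PackageManager.NameNotFoundException e) {
            Log.w(TAG, "Unknown package " + target);
            finish();
            return;
        }

        // Show label and package name so the user sees what is being granted.
        new AlertDialog.Builder(this)
            .setTitle(label)
            .setMessage("Allow " + label + " (" + target + ") to read notifications?")
            .setPositiveButton(android.R.string.ok, (d, w) -> { setResult(RESULT_OK); finish(); })
            .setNegativeButton(android.R.string.cancel, (d, w) -> { setResult(RESULT_CANCELED); finish(); })
            .setOnCancelListener(d -> { setResult(RESULT_CANCELED); finish(); })
            .show();
    }
}
```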

Conclusion

CVE-2024-49742 presents an interesting security vulnerability in the Android ecosystem, allowing for local privilege escalation through a missing permission check in the onCreate method of NotificationAccessConfirmationActivity.java. By understanding the underlying issues and possible exploit methods, developers can work to improve their applications' security and protect their users from such threats.

Timeline

Published on: 01/21/2025 23:15:14 UTC
Last modified on: 03/13/2025 14:15:32 UTC