A vulnerability tracked as CVE-2024-49744 has been identified in the checkKeyIntentParceledCorrectly method of AccountManagerService.java. Because of unsafe deserialization, it makes it possible to bypass the parcel mismatch mitigation. No additional execution privileges are needed to carry out this local escalation of privilege, but user interaction is required for successful exploitation.

In this article, we discuss the details of the vulnerability and how it can be exploited, and provide code snippets to better understand the issue. We also link to the original references that identified and reported the security flaw.

The Vulnerability

The vulnerability lies in the checkKeyIntentParceledCorrectly method of AccountManagerService.java. The method does not apply proper deserialization security measures, which lets an attacker bypass the parcel mismatch mitigation.

On closer examination, the affected code snippet (a simplified sketch of the method, as presented on this page rather than the full source) is as follows:

public class AccountManagerService {
   ...
   // Sketch of the affected method: the page lists the signature-digest
   // parameters as optional, which Java does not support, so both are
   // written as ordinary parameters here.
   private boolean checkKeyIntentParceledCorrectly(Intent intent,
                                                   byte[] callerPkgSigDigest,
                                                   byte[] keySetPkgSigDigest) {
      ...
      // The result depends solely on the key-set signature check; the
      // intent's parceled form is not validated before being trusted.
      if (checkCallerKeySetSignature(intent, callerPkgSigDigest, keySetPkgSigDigest)) {
         return true;
      } else {
         return false;
      }
   }
   ...
}

Exploit Details

An attacker can exploit this vulnerability by tricking the user into performing specific actions, which allows the attacker to escalate privileges locally. Because of the insecure deserialization, an attacker can gain unauthorized access to sensitive data, manipulate application logic or, in some cases, even execute arbitrary code.

To exploit the vulnerability, the attacker would need to craft a serialized object containing malicious data. This object is then passed to the checkKeyIntentParceledCorrectly method, where the unsafe deserialization takes place and the parcel mismatch mitigation is bypassed.

Below is a proof-of-concept code snippet illustrating a potential exploit scenario. It is a schematic sketch: the payload contents are not specified on this page, and the method being called is private in the sketch above.

import android.content.Intent;
import android.os.Bundle;

public class Exploit {
   public static void main(String[] args) {
      // Prepare a malicious serialized object
      byte[] maliciousData = createMaliciousData();
      // Create a payload to be sent to the checkKeyIntentParceledCorrectly method
      Intent exploitIntent = new Intent("com.example.MALICIOUS_INTENT");
      Bundle maliciousBundle = new Bundle();
      maliciousBundle.putByteArray("key", maliciousData);
      exploitIntent.putExtra("maliciousPayload", maliciousBundle);

      // Execute the exploit (both signature digests passed as null in this sketch)
      AccountManagerService ams = new AccountManagerService();
      boolean result = ams.checkKeyIntentParceledCorrectly(exploitIntent, null, null);

      if (result) {
         System.out.println("Exploit successful.");
      } else {
         System.out.println("Exploit failed.");
      }
   }

   public static byte[] createMaliciousData() {
      // Placeholder: the page does not specify the payload contents
      return new byte[0];
   }
}

Mitigation

As a temporary workaround to mitigate the risk associated with this vulnerability, developers can apply secure deserialization practices in the affected code. They can start by making sure that only expected object types are deserialized and that proper input validation checks are performed. Likewise, developers can use secure libraries, such as Apache Commons Lang, for deserialization of objects.
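The two defensive practices named above (decode only expected object types with validated lengths, and verify that a parcel is internally consistent before trusting it) are illustrated below in an added, self-contained example. It is not code from this page, from AOSP, or from the AccountManagerService: it uses a constructed, toy length-prefixed bundle format, not Android's Parcel or Bundle wire format, and the names (encode, decode, check_parcel, the T_* tags) are assumptions for this illustration. The consistency check decodes strictly, re-encodes canonically and only accepts input whose bytes match the re-encoding, so anything that parses differently from what a trusted encoder would emit is rejected.

```python
import struct

# Toy length-prefixed "bundle" format (constructed for this example; it is
# not Android's Parcel or Bundle wire format). A record is:
#   u32 count, then count times: u16 key_len, key (UTF-8), u8 type_tag, value
T_INT, T_STR, T_BYTES = 1, 2, 3
ALLOWED_TAGS = {T_INT, T_STR, T_BYTES}   # only expected object types are decoded
MAX_VALUE_LEN = 64 * 1024                # input-validation bound on a single value


class ParcelError(ValueError):
    """Raised by the strict decoder when the input violates the format."""


def encode(entries):
    """Canonical encoder: keys are written in sorted order, so a given mapping
    has exactly one valid byte representation."""
    out = bytearray(struct.pack(">I", len(entries)))
    for key in sorted(entries):
        value = entries[key]
        key_bytes = key.encode("utf-8")
        out += struct.pack(">H", len(key_bytes)) + key_bytes
        if isinstance(value, bool) or not isinstance(value, (int, str, bytes)):
            raise TypeError(f"unsupported value type for key {key!r}")
        if isinstance(value, int):
            out += struct.pack(">Bq", T_INT, value)
        elif isinstance(value, str):
            value_bytes = value.encode("utf-8")
            out += struct.pack(">BI", T_STR, len(value_bytes)) + value_bytes
        else:
            out += struct.pack(">BI", T_BYTES, len(value)) + value
    return bytes(out)


def decode(data):
    """Strict decoder: bounded lengths, allow-listed type tags, no duplicate
    keys and no trailing bytes. Anything else raises ParcelError."""
    pos = 0

    def take(n):
        nonlocal pos
        if pos + n > len(data):
            raise ParcelError("truncated input")
        chunk = data[pos:pos + n]
        pos += n
        return chunk

    def utf8(raw):
        try:
            return raw.decode("utf-8")
        except UnicodeDecodeError:
            raise ParcelError("invalid UTF-8") from None

    (count,) = struct.unpack(">I", take(4))
    entries = {}
    for _ in range(count):
        (key_len,) = struct.unpack(">H", take(2))
        key = utf8(take(key_len))
        (tag,) = struct.unpack(">B", take(1))
        if tag not in ALLOWED_TAGS:
            raise ParcelError(f"unexpected type tag {tag}")
        if tag == T_INT:
            (value,) = struct.unpack(">q", take(8))
        else:
            (value_len,) = struct.unpack(">I", take(4))
            if value_len > MAX_VALUE_LEN:
                raise ParcelError("value length exceeds limit")
            raw = take(value_len)
            value = utf8(raw) if tag == T_STR else raw
        if key in entries:
            raise ParcelError(f"duplicate key {key!r}")
        entries[key] = value
    if pos != len(data):
        raise ParcelError("trailing bytes after payload")
    return entries


def check_parcel(data):
    """Parcel-consistency check: decode strictly, re-encode canonically and
    require the bytes to match. Returns (accepted, reason)."""
    try:
        entries = decode(data)
    except ParcelError as exc:
        return False, str(exc)
    if encode(entries) != data:
        return False, "re-encoding differs from input (non-canonical parcel)"
    return True, "ok"


# Constructed sample inputs for the checks below.
GOOD_BLOB = encode({"account": "alice", "flags": 7, "token": b"\x01\x02"})
# Two entries written in non-sorted key order: decodes to a valid mapping,
# yet is not what a trusted encoder would ever emit.
REORDERED_BLOB = struct.pack(">I", 2) + encode({"b": 2})[4:] + encode({"a": 1})[4:]
BAD_TAG_BLOB = struct.pack(">I", 1) + struct.pack(">H", 1) + b"k" + struct.pack(">B", 9)
TRAILING_BLOB = encode({"a": 1}) + b"\x00"

if __name__ == "__main__":
    for name, blob in [("good", GOOD_BLOB), ("reordered", REORDERED_BLOB),
                       ("bad_tag", BAD_TAG_BLOB), ("trailing", TRAILING_BLOB)]:
        print(name, check_parcel(blob))
```

The reordered blob is the interesting case: the strict decoder accepts it, but the round-trip comparison still rejects it, which is the property a parcel-consistency check relies on. In a real system the equivalent is to serialize the received object with the trusted serializer and compare the result against what was received before acting on it.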

Original References

1. NVD - National Vulnerability Database

Conclusion

In summary, CVE-2024-49744 describes an escalation of privilege vulnerability in AccountManagerService.java that allows the parcel mismatch mitigation to be bypassed through unsafe deserialization. Exploitation requires user interaction and provides an opening for local privilege escalation. As users and developers, it is essential to stay informed about newly disclosed vulnerabilities and to apply the proposed mitigations to better protect against potential exploitation.

Timeline

Published on: 01/21/2025 23:15:14 UTC
Last modified on: 03/18/2025 19:15:45 UTC