A vulnerability in the permission-handling code of Android's package manager, tracked as CVE-2023-20906, affects devices running Android 11, Android 12, Android 12L and Android 13. The flaw lives in PermissionManagerService.java and allows a permission to be granted silently when an already-installed app is updated to a higher Target SDK. The outcome is a local escalation of privilege: the attacker needs no additional execution privileges, and no user interaction is required for exploitation.

Code Snippet

The flawed code is in the onPackageAddedInternal method of PermissionManagerService.java. The snippet below shows the change as this page presents it (the line marked - is the original call, the + lines are the replacement):

private void onPackageAddedInternal(...) {
    ...
-   mSettings.missingPermissionAppOp(models.backend.apppackage.getPackageName(), packageInfo);
+   mSettings.missingPermissionAppOp(
+       models.backend.apppackage.getPackageName(), packageInfo, false);
    ...
}
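Review bot: the fix adds a third argument, `false`, to `mSettings.missingPermissionAppOp(...)`, but the hunk shows neither the changed signature of that method nor what the new boolean controls, so a reader cannot see how passing `false` stops a permission from being granted silently on a Target SDK update; include the corresponding change to the method (or at least name the parameter) and enough of `onPackageAddedInternal` to show where in the update path the call sits. The snippet also has no file path or `@@` header, and its receiver `models.backend.apppackage` is introduced nowhere on the page; quote the hunk from the linked AOSP commit verbatim so the identifiers can be checked against PermissionManagerService.java.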

In other words, when an app update raises the Target SDK and the package's permission state is re-evaluated, this call path could leave a permission granted that the user was never asked about. That is the local escalation of privilege described in the bulletin.

Exploit Details

The impact is both a security and a privacy problem. An app that obtains a permission this way can read data and use device resources (contacts, location, camera and so on, depending on which permissions it declares) that the permission system should have withheld until the user agreed, and it can perform actions the permission model would otherwise block.

Exploitation requires the attacker to control an app that is already installed on the device and to ship it an update, which in practice means holding the app's signing key; this is why the issue is local rather than remote. The update raises the Target SDK and declares the permission the attacker wants, and because of the flaw that permission can end up granted even though the user never sees a prompt. For example, an update that moves an app from Target SDK 22 to Target SDK 27 could bypass the permission prompt on a device running Android 11 or higher. The jump across API 23 matters: API 23 (Android 6.0) introduced the runtime permission model, under which dangerous permissions must be granted by the user at runtime rather than at install time.
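As an added example (not code from AOSP or from the original post), the following checker compares two `adb shell dumpsys package <pkg>` snapshots taken before and after an app update and lists runtime permissions that came out granted although no user, policy or system decision is recorded for them. That is the observable symptom of the silent grant described in this section and in the code snippet section above; a tester bumping an app's Target SDK can run it against a real device. The dumpsys line shapes and the flag names it parses are assumptions based on PackageManager's FLAG_PERMISSION_* constants with the prefix removed, and the two snapshots embedded in the block are constructed.

```python
import re
from dataclasses import dataclass, field

# Added example, not AOSP or the article's code. Assumed: the dumpsys line
# shapes reproduced in the constructed snapshots below ("targetSdk=NN" and
# "<perm>: granted=true, flags=[ A|B ]") and flag names following
# PackageManager's FLAG_PERMISSION_* constants with the prefix removed.
RUNTIME_HEADER = "runtime permissions:"
TARGET_SDK_RE = re.compile(r"\btargetSdk=(\d+)\b")
PERM_LINE_RE = re.compile(
    r"^\s*([A-Za-z0-9_.]+): granted=(true|false)(?:, flags=\[\s*([^\]]*)\])?\s*$")
RUNTIME_MODEL_SDK = 23  # API 23 (Android 6.0) introduced runtime permissions
# A grant carrying one of these flags has a recorded owner (user, policy, system, role).
ACCOUNTED_FOR = {"USER_SET", "USER_FIXED", "POLICY_FIXED", "SYSTEM_FIXED",
                 "GRANTED_BY_DEFAULT", "GRANTED_BY_ROLE"}


@dataclass
class Snapshot:
    target_sdk: int
    runtime: dict = field(default_factory=dict)  # perm -> (granted, flags)


def parse_dumpsys(text: str) -> Snapshot:
    """Pull targetSdk and the 'runtime permissions:' table out of dumpsys text."""
    target_sdk, runtime, in_runtime = None, {}, False
    for line in text.splitlines():
        m = TARGET_SDK_RE.search(line)
        if m:
            target_sdk = int(m.group(1))
        if line.strip() == RUNTIME_HEADER:
            in_runtime = True
            continue
        if in_runtime:
            m = PERM_LINE_RE.match(line)
            if not m:  # first non-permission line closes the section
                in_runtime = False
                continue
            flags = {f for f in (m.group(3) or "").split("|") if f}
            runtime[m.group(1)] = (m.group(2) == "true", flags)
    if target_sdk is None:
        raise ValueError("no targetSdk= line found")
    return Snapshot(target_sdk, runtime)


def crossed_into_runtime_model(before: Snapshot, after: Snapshot) -> bool:
    return before.target_sdk < RUNTIME_MODEL_SDK <= after.target_sdk


def silent_grants(before: Snapshot, after: Snapshot) -> list:
    """Permissions granted after the update, not granted before it, and
    carrying no flag that records who made the decision: nobody was asked."""
    found = []
    for perm, (granted, flags) in after.runtime.items():
        was_granted = before.runtime.get(perm, (False, set()))[0]
        if granted and not was_granted and not (flags & ACCOUNTED_FOR):
            found.append(perm)
    return sorted(found)


# Constructed snapshots of `adb shell dumpsys package com.example.legacyapp`
# before and after an update that bumps targetSdk 22 -> 27 and adds
# READ_CONTACTS to the manifest. Trimmed to the lines the parser looks at.
BEFORE = """\
    versionCode=41 minSdk=21 targetSdk=22
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true hidden=false stopped=false
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED|USER_SENSITIVE_WHEN_DENIED]
        android.permission.CAMERA: granted=false, flags=[ USER_SENSITIVE_WHEN_GRANTED|USER_SENSITIVE_WHEN_DENIED]
"""
AFTER = """\
    versionCode=42 minSdk=21 targetSdk=27
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true hidden=false stopped=false
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED|USER_SENSITIVE_WHEN_DENIED]
        android.permission.CAMERA: granted=false, flags=[ USER_SENSITIVE_WHEN_GRANTED|USER_SENSITIVE_WHEN_DENIED]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SENSITIVE_WHEN_GRANTED|USER_SENSITIVE_WHEN_DENIED]
      enabledComponents:
"""


def report(before_text: str = BEFORE, after_text: str = AFTER) -> dict:
    before, after = parse_dumpsys(before_text), parse_dumpsys(after_text)
    return {
        "target_sdk": (before.target_sdk, after.target_sdk),
        "crossed_into_runtime_model": crossed_into_runtime_model(before, after),
        "silent_grants": silent_grants(before, after),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

On a real device, capture the two snapshots with `adb shell dumpsys package <pkg> > before.txt`, install the update, capture again, and pass the file contents to `report()`. A permission listed under `silent_grants` after a Target SDK bump is exactly the condition a patched device should never produce.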

Original References

The details of this vulnerability were first disclosed by the Android security team in the official Android Security Bulletin, where the issue is listed under Android bug ID A-221040577 (the CVE identifier is CVE-2023-20906). You can find more information about the issue here:

- Android Security Bulletin

The Android Open Source Project (AOSP) has provided a patch for this vulnerability, which is available in the Android source code repository. To review the patch, refer to the following link:

- AOSP Patch Commit

Conclusion

CVE-2023-20906 is a serious vulnerability for user privacy and for the integrity of Android's permission model. Users should install the security patch level that contains the fix as soon as their device vendor ships it and keep their device firmware up to date. App developers should move their apps to the latest target SDK and test the update path on an already-installed build under the new security context: after the Target SDK bump, confirm that every runtime permission the app needs is actually prompted for rather than showing up as already granted, since a grant with no user decision behind it is the symptom this bug produces. By remaining vigilant and following security best practices, Android users and developers both help keep devices and applications safe from attacks of this kind.

Timeline

Published on: 03/24/2023 20:15:00 UTC
Last modified on: 03/29/2023 07:32:00 UTC