CVE-2023-21096 - Use After Free Vulnerability in OnWakelockReleased of attribution_processor.cc for Android 12, 12L, and 13

-----

Introduction

A recent discovery of a low-level vulnerability, tagged as CVE-2023-21096, affects the OnWakelockReleased function in attribution_processor.cc file of Android operating systems. The vulnerability has potential consequences of causing a use after free condition, allowing remote code execution by an attacker without the need for any additional execution privileges or user interaction.

Vulnerability Details

The vulnerability is caused due to a programming bug in the OnWakelockReleased function of the attribution_processor.cc file. The use after free condition occurs due to an incorrect handling of memory pointers, which allows for potential malicious code execution.

The code snippet illustrating the vulnerability

void AttributionProcessor::OnWakelockReleased(
      uint32_t sequence_number, const WakeLockReleasedMessage& msg) {
  auto entry = sequence_number_to_pending_request_.find(sequence_number);
  if (entry == sequence_number_to_pending_request_.end()) {
    // If the entry is not found, ignore the message.
    return;
  }
  //... more code here ...
  //... perform operations on entry ...
  //...
  sequence_number_to_pending_request_.erase(entry);
}

In the above code, the 'entry' object is a pointer to a memory location that is being used for storing some application data. The issue arises due to the fact that once the 'erase' operation is called on the 'sequence_number_to_pending_request_' container, the 'entry' pointer remains in the code and can be used after its memory has been freed.

Exploit Details

The exploitation of this vulnerability requires no user interaction, making it more dangerous due to the ease of exploitation. An attacker can potentially use malicious code execution to gain unauthorized control over the affected devices or potentially leak sensitive information.

To exploit the vulnerability, an attacker would first need to craft a specially designed data packet and then initiate the vulnerable function of the affected Android version.

Mitigation Steps

The vulnerability can be mitigated by properly freeing up the memory utilized by the vulnerable code and ensuring that there is no usage of the 'entry' object pointer after its associated memory is freed.

The safer code snippet should be as follows

void AttributionProcessor::OnWakelockReleased(
      uint32_t sequence_number, const WakeLockReleasedMessage& msg) {
  auto entry = sequence_number_to_pending_request_.find(sequence_number);
  if (entry == sequence_number_to_pending_request_.end()) {
    // If the entry is not found, ignore the message.
    return;
  }
  //... more code here ...
  //... perform operations on entry ...
  //...
  sequence_number_to_pending_request_.erase(entry);
  entry = sequence_number_to_pending_request_.end(); // Set the entry to an invalid iterator after erasing
}

Original References to the Vulnerability

1. The Android Security Bulletin - https://source.android.com/security/bulletin/
2. The Android Open Source Project Repository - https://cs.android.com

Conclusion

Security researchers and developers should be aware of the CVE-2023-21096 vulnerability and take necessary actions to patch their systems, ensuring that users are protected from possible remote code execution attacks. By following the mitigation steps provided and constantly updating the Android software versions, users can safeguard their devices against future threats.

Timeline

Published on: 04/19/2023 20:15:00 UTC
Last modified on: 04/25/2023 22:12:00 UTC