CVE-2023-40105 is a security vulnerability affecting Google’s Android Operating System, specifically within the ActivityManagerService.java component. This bug involves the backupAgentCreated method, and allows attackers to access sensitive user data locally without any extra permissions or user interaction. The mistake lies in a missing permission check, opening a quiet backdoor for apps running on the device.
If you're an Android developer or infosec enthusiast, understanding this CVE is crucial. We'll break it down simply, inspect some code, see how exploitation works, and link official sources for further reading.
What’s the Issue?
Android uses the ActivityManagerService (AMS) to coordinate key system activities, including managing app lifecycle events and backups.
When backup agents are created—a step in the backup and restore process—the AMS method backupAgentCreated() is called. In vulnerable versions, this method does not verify whether the caller has the right permissions. As a result, any app can trigger this function and potentially access or leak private data intended to be protected.
Severity: Local Information Disclosure
User Action Required: None
Privileges Needed: None (beyond basic running app context)
Here's an abstracted and simplified snippet inspired by the real ActivityManagerService.java:
// Vulnerable code (simplified)
public void backupAgentCreated(String packageName, IBinder agent) {
// Missing: Permission check, e.g. checkCallingPermission(android.Manifest.permission.BACKUP)
// ...proceeds to access or modify sensitive backup data...
}
Notice there's no permission check to make sure only authorized system services can call this method.
What should it look like?
// Safe variant
public void backupAgentCreated(String packageName, IBinder agent) {
if (checkCallingPermission(android.Manifest.permission.BACKUP) != PackageManager.PERMISSION_GRANTED) {
throw new SecurityException("Missing BACKUP permission");
}
// Now safe to continue
}
By skipping that check, the system trusts any calling app, leading to potential data exposure.
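To make the ordering of that check concrete, here is an added plain-Java model (not AOSP code, and not the page's own snippet) of a Binder-style service method guarded by a caller-permission check. Only backupAgentCreated and the BACKUP permission come from the article; the class name, the uid values, the permission table and the helper methods that stand in for Context.checkCallingPermission() and Binder.clearCallingIdentity() are assumptions constructed for this illustration. The model shows the missing check, the fixed check, and a related pitfall: if a service clears the Binder calling identity before checking permissions, the check tests the system process's own permissions and always passes.

```java
import java.util.Map;
import java.util.Set;

// Added example, not AOSP code: a single-threaded model of a system-service
// entry point that must verify the calling app's permission.
public class BackupAgentCheckDemo {

    static final String PERMISSION_BACKUP = "android.permission.BACKUP";
    static final int SYSTEM_UID = 1000;        // uid of the system process on Android
    static final int UNPRIVILEGED_UID = 10042; // constructed: an ordinary app uid

    // Constructed permission table: only the system uid holds BACKUP.
    static final Map<Integer, Set<String>> GRANTS = Map.of(
            SYSTEM_UID, Set.of(PERMISSION_BACKUP),
            UNPRIVILEGED_UID, Set.of());

    // Stand-in for the per-call Binder caller identity (assumption: one thread).
    static int callingUid = UNPRIVILEGED_UID;

    // Models Context.checkCallingPermission(): evaluates the caller's uid.
    static boolean checkCallingPermission(String permission) {
        return GRANTS.getOrDefault(callingUid, Set.of()).contains(permission);
    }

    // Models Binder.clearCallingIdentity(): afterwards "the caller" is the
    // service's own process, which holds every permission.
    static int clearCallingIdentity() {
        int saved = callingUid;
        callingUid = SYSTEM_UID;
        return saved;
    }

    static void restoreCallingIdentity(int saved) {
        callingUid = saved;
    }

    // Vulnerable shape: no check at all, as the CVE describes.
    static String backupAgentCreatedVulnerable(String packageName) {
        return "agent registered for " + packageName + " by uid " + callingUid;
    }

    // Hardened shape: check the real caller BEFORE touching the identity.
    static String backupAgentCreatedFixed(String packageName) {
        int caller = callingUid;
        if (!checkCallingPermission(PERMISSION_BACKUP)) {
            // A logged denial is a cheap detection signal for unexpected callers.
            System.out.println("DENIED backupAgentCreated(" + packageName
                    + ") from uid " + caller);
            throw new SecurityException("Missing BACKUP permission");
        }
        int saved = clearCallingIdentity();
        try {
            return "agent registered for " + packageName + " by uid " + caller;
        } finally {
            restoreCallingIdentity(saved);
        }
    }

    // Ordering bug: identity is cleared first, so the check inspects the
    // system uid and never fails. Included to show why the check must come first.
    static String backupAgentCreatedWrongOrder(String packageName) {
        int saved = clearCallingIdentity();
        try {
            if (!checkCallingPermission(PERMISSION_BACKUP)) {
                throw new SecurityException("Missing BACKUP permission");
            }
            return "agent registered for " + packageName + " (check bypassed)";
        } finally {
            restoreCallingIdentity(saved);
        }
    }

    public static void main(String[] args) {
        callingUid = UNPRIVILEGED_UID;
        System.out.println("vulnerable: " + backupAgentCreatedVulnerable("com.example.app"));
        System.out.println("wrong order: " + backupAgentCreatedWrongOrder("com.example.app"));
        try {
            backupAgentCreatedFixed("com.example.app");
        } catch (SecurityException e) {
            System.out.println("fixed: rejected unprivileged caller: " + e.getMessage());
        }
        callingUid = SYSTEM_UID;
        System.out.println("fixed, system caller: " + backupAgentCreatedFixed("com.example.app"));
    }
}
```

Compile and run with `javac BackupAgentCheckDemo.java && java BackupAgentCheckDemo`. The point to take from the three variants is that the caller's uid must be evaluated while it is still the caller's: a check placed after the identity has been cleared is no better than no check at all.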
Exploiting CVE-2023-40105
A malicious app can use inter-process communication (IPC) like Binder to call backupAgentCreated directly. No special permissions are needed, so even a harmless-looking app can exploit this.
Example Exploit Pseudocode
// Java: Malicious local app example
IBinder fakeAgent = new Binder(); // placeholder for agent interface
// Try to call ActivityManagerService's backupAgentCreated function
// This would normally require high privileges, but due to missing permission check, it works.
activityManagerService.backupAgentCreated("com.victim.app", fakeAgent);
// The service could now leak info to the fakeAgent, or allow further misuse
By faking a backup connection, the attacking app might read backup data, spy on sensitive files, or otherwise abuse the system.
- No user interaction: users aren’t alerted in any way.
- Private data: Potentially includes user files, settings, or app data touched by the backup agent.
What’s the Fix?
Google patched this in the September 2023 Android Security Bulletin. The fix was simply to add the proper permission check.
References
- Google Android Security Bulletin – September 2023
- NVD Details for CVE-2023-40105
- AOSP Patch (commit diff)
Summary
CVE-2023-40105 is a textbook example of how a missing permission check in system-level code can lead to a silent but serious data leak. Attackers don’t need elevated rights or tricks—just basic app execution rights. The fix is simple, but the lesson is crucial for any developer: always check caller permissions before touching sensitive APIs.
Timeline
Published on: 02/15/2024 23:15:08 UTC
Last modified on: 10/31/2024 17:35:01 UTC