CVE-2023-40105 is a security vulnerability in the Android framework's ActivityManagerService.java. Because a Binder-exposed method performs no permission check, a local app can call it and leak sensitive user data. What makes the bug notable is its preconditions: exploitation requires no additional execution privileges beyond those of an ordinary installed app, and no user interaction is needed to trigger it.

In this post we walk through CVE-2023-40105: the affected code, the original reference, how an unprivileged app reaches the vulnerable path, and how the missing check is added.

Code Snippet

The issue is in the backupAgentCreated() method of ActivityManagerService.java, a Binder entry point that any app process can call. Here is the relevant code:

public void backupAgentCreated(String agentPackageName, IBinder agent) {
    synchronized (this) {
        try {
            // Both arguments arrive straight from the Binder caller. Nothing
            // verifies who the caller is or whether it owns agentPackageName.
            final ApplicationInfo app = getApplicationInfo(agentPackageName,
                    MATCH_DIRECT_BOOT_AWARE | MATCH_DIRECT_BOOT_UNAWARE,
                    UserHandle.getCallingUserId());

            enqueueBackupAgentMessage(app, agent);
        } catch (RemoteException e) {
            Slog.e(TAG, "Can't send backup agent with " + agentPackageName, e);
        }
    }
}

As the snippet shows, backupAgentCreated() consults no permission and never compares the calling UID with the package it is told about: it resolves the caller-supplied package name and acts on the caller-supplied agent binder as if both had come from a trusted component.

Original References

- Android Security Bulletin

Exploit Details

To understand how a malicious actor can exploit this vulnerability, here is the sequence of actions that leads to data leakage:

1. A malicious app is installed on the victim's device. It needs no permissions beyond those every installed app already has.

2. The app obtains the ActivityManagerService Binder interface and calls backupAgentCreated(), passing a package name of its choosing and a binder it controls.

3. Because no permission check is performed, the service accepts both values as if they came from a trusted component and processes the request on the attacker's behalf; the data the service exposes as a result reaches the malicious app without any security measure having been consulted.

4. The malicious app can then transmit the obtained data to a remote server for storage and further misuse.

Mitigation

To mitigate this vulnerability, the Android framework must gate backupAgentCreated() on a permission check before it touches any caller-supplied value. Here is an example of how such a check can be integrated (illustrative code, not the AOSP patch):

public void backupAgentCreated(String agentPackageName, IBinder agent) {
    // New permission check. It runs before the lock is taken and before any
    // caller-supplied value is used. enforceCallingPermission() tests the
    // remote Binder caller and throws SecurityException if it lacks BACKUP.
    mContext.enforceCallingPermission(android.Manifest.permission.BACKUP,
            "backupAgentCreated");

    synchronized (this) {
        try {
            final ApplicationInfo app = getApplicationInfo(agentPackageName,
                    MATCH_DIRECT_BOOT_AWARE | MATCH_DIRECT_BOOT_UNAWARE,
                    UserHandle.getCallingUserId());

            enqueueBackupAgentMessage(app, agent);
        } catch (RemoteException e) {
            Slog.e(TAG, "Can't send backup agent with " + agentPackageName, e);
        }
    }
}

With this check in place, backupAgentCreated() proceeds only for callers that hold BACKUP; every other caller receives a SecurityException before the package name or binder it supplied is used. Two details matter when writing such a gate in a system service. First, use the calling-identity form (checkCallingPermission() or enforceCallingPermission()), not checkCallingOrSelfPermission(): system_server holds every permission, so an "or self" test passes whenever the method is reached without crossing Binder. Second, the permission must match the method's legitimate callers. In AOSP this entry point is invoked from the app process that hosts the backup agent (ActivityThread), which does not hold BACKUP, so gating on BACKUP alone is correct only where the callers are the backup manager itself; the check that most directly defeats an app naming another app's package is to require that Binder.getCallingUid() owns agentPackageName for the calling user.
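The following is an added example, not code from AOSP and not the page's snippet, showing the caller-binding variant of the check. It covers both the exploit sequence above (a caller naming a package it does not own) and the mitigation: the Binder entry point derives the caller's UID and user from Binder itself, refuses to act for a package that UID does not own, and only accepts an agent the privileged side announced. The class name BackupAgentRegistry, the expectAgent()/getLiveAgent() methods and the two maps are assumptions made for illustration; the Android framework calls used (Binder.getCallingUid, Context.enforceCallingPermission, PackageManager.getPackageUidAsUser, IBinder.linkToDeath) are real and available inside system_server.

```java
package com.example.systemserver; // hypothetical package, not part of AOSP

import android.content.Context;
import android.content.pm.PackageManager;
import android.os.Binder;
import android.os.IBinder;
import android.os.RemoteException;
import android.os.UserHandle;
import android.util.ArrayMap;
import android.util.Slog;

/**
 * Added example, not AOSP code: a system-service fragment whose Binder entry
 * point plays the role of backupAgentCreated() but binds every call to the
 * identity Binder already gives the callee instead of trusting its arguments.
 * Class name, expectAgent(), getLiveAgent() and the maps are assumptions.
 */
public final class BackupAgentRegistry {
    private static final String TAG = "BackupAgentRegistry";

    private final Context mContext;
    private final Object mLock = new Object();
    // userId -> package the backup manager has actually asked to bring up an agent for
    private final ArrayMap<Integer, String> mExpectedAgent = new ArrayMap<>();
    // package -> live agent binder
    private final ArrayMap<String, IBinder> mLiveAgents = new ArrayMap<>();

    public BackupAgentRegistry(Context context) {
        mContext = context;
    }

    /** Privileged side: only a BACKUP holder may announce which agent is expected. */
    public void expectAgent(int userId, String packageName) {
        mContext.enforceCallingPermission(android.Manifest.permission.BACKUP, "expectAgent");
        synchronized (mLock) {
            mExpectedAgent.put(userId, packageName);
        }
    }

    /**
     * Binder entry point reached from the app process that hosts the agent.
     * Every check runs before any clearCallingIdentity() and before the lock is taken.
     */
    public void backupAgentCreated(String agentPackageName, IBinder agent) {
        // 1. Identity comes from Binder, never from the arguments. The remote UID
        //    cannot be forged by the caller, whereas agentPackageName can say anything.
        final int callingUid = Binder.getCallingUid();
        final int userId = UserHandle.getUserId(callingUid);

        // 2. The caller must own the package it claims to host the agent for. This is
        //    the check a malicious app naming someone else's package fails.
        //    checkCallingOrSelfPermission() would be the wrong tool here: system_server
        //    holds every permission, so an "or self" test passes for any in-process path.
        final String denied = "uid " + callingUid + " may not register an agent for "
                + agentPackageName;
        final int ownerUid;
        try {
            ownerUid = mContext.getPackageManager().getPackageUidAsUser(agentPackageName, userId);
        } catch (PackageManager.NameNotFoundException e) {
            // Same exception and message as the ownership mismatch below, so the
            // error path does not tell the caller whether the package is installed.
            throw new SecurityException(denied);
        }
        if (ownerUid != callingUid) {
            throw new SecurityException(denied);
        }

        // 3. Only accept an agent the privileged side actually asked for.
        synchronized (mLock) {
            final String expected = mExpectedAgent.get(userId);
            if (!agentPackageName.equals(expected)) {
                Slog.w(TAG, "Unrequested backup agent for " + agentPackageName + ", ignoring");
                return;
            }
            mExpectedAgent.remove(userId);
            mLiveAgents.put(agentPackageName, agent);
        }

        // 4. Track the agent's lifetime so a dead binder is never handed out later.
        try {
            agent.linkToDeath(() -> {
                synchronized (mLock) {
                    mLiveAgents.remove(agentPackageName);
                }
            }, 0);
        } catch (RemoteException e) {
            synchronized (mLock) {
                mLiveAgents.remove(agentPackageName);
            }
        }
    }

    /** Privileged side fetches the agent; null if none was registered. */
    public IBinder getLiveAgent(String packageName) {
        mContext.enforceCallingPermission(android.Manifest.permission.BACKUP, "getLiveAgent");
        synchronized (mLock) {
            return mLiveAgents.get(packageName);
        }
    }
}
```

The malicious app from the exploit sequence fails at step 2: its UID does not own the package it names, so the call is rejected before any lookup result or binder is acted on. The BACKUP permission gate still has a place, but on the privileged methods (expectAgent() and getLiveAgent()) whose legitimate callers actually hold it, rather than on the callback that ordinary app processes must be able to reach.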

Conclusion

CVE-2023-40105 is a serious vulnerability: a single unprivileged app can trigger it with no user interaction and leak sensitive data from the device. Developers auditing system services should treat every Binder entry point as reachable by hostile callers and bind it to the caller's identity, and users should make sure their devices run an Android build that includes the fix.

Timeline

Published on: 02/15/2024 23:15:08 UTC
Last modified on: 02/16/2024 13:37:55 UTC