CVE CyberSecurity Database News

CVE-2023-40111 - Understanding the Android MediaSession Confused Deputy Vulnerability

Poster -

---

CVE-2023-40111 is a critical vulnerability in the Android operating system, specifically within the media framework. This bug lets local apps abuse a “confused deputy” scenario in the MediaSession service, potentially letting unprivileged apps send system-level PendingIntents as if they were the Android system itself. That can escalate privileges on a device—a serious security risk. In this article, we’ll break down what the issue is, what “confused deputy” means, walk through example code, and explore how attackers could use this bug in the real world.

What is CVE-2023-40111?

This vulnerability exists in the setMediaButtonReceiver function in the MediaSessionRecord.java file of the Android Open Source Project (AOSP). The impact? It could let a malicious application trigger a system-level PendingIntent (a kind of “future” intent action granted by the system itself) without having system permissions. No root or extra device privileges required.

1. What Is a “Confused Deputy”?

A “confused deputy” vulnerability is when a privileged component (the "deputy") does something dangerous because an unprivileged component tricks it, abusing the deputy’s higher privileges.

In this case: The Android system_server becomes “confused” and performs an action for a less-privileged app, potentially resulting in privilege escalation.

2. Vulnerable Code in MediaSessionRecord.java

The bug is in how setMediaButtonReceiver assigns a PendingIntent. The MediaSession service is system-level, so actions it performs may run as the system_server—even if they were created by an unprivileged app.

Here’s a simplified look at the code causing trouble (based on AOSP)

// MediaSessionRecord.java - vulnerable pattern
public void setMediaButtonReceiver(PendingIntent pi) {
    mMediaButtonReceiver = pi;
}
...
// Later, when a media button is pressed:
if (mMediaButtonReceiver != null) {
    mMediaButtonReceiver.send(...); // Sent with system_server privileges!
}

What’s wrong: If an app passes its own malicious PendingIntent into this function, the MediaSession service—running as system_server—will later trigger it. That lets the app “borrow” system_server’s privileges.

To exploit, an app

- Registers a custom PendingIntent (with any malicious action it wants, like opening system settings, sending a broadcast, or even starting activities restricted to system apps).

Calls the MediaSession APIs to set this PendingIntent as the receiver.

- Waits for the user to press a media button (like play/pause on Bluetooth headphones or in the notification area).

At this point, the PendingIntent will be sent as if the system_server did it, not the malicious app. That can bypass normal permission checks.

Here’s how a local Android app might abuse this

// Inside malicious app:

// Make a PendingIntent for a sensitive system action
Intent intent = new Intent(Settings.ACTION_ACCESSIBILITY_SETTINGS); // Open accessibility settings
PendingIntent pi = PendingIntent.getActivity(context, , intent, PendingIntent.FLAG_UPDATE_CURRENT);

// Now trick MediaSession into using it
MediaSession session = new MediaSession(context, "EvilSession");
session.setMediaButtonReceiver(pi);
session.setActive(true);

// Wait for user to interact (eg: hit play button)

A real exploit might do more complex things, but this shows the core problem: the app makes the system do something it shouldn’t.

4. How Android Fixed It

Google’s patch added checks to ensure the PendingIntent is only sent with the right privileges, and extra controls so session owners can’t give arbitrary PendingIntents.

See the official patch here

- AOSP commit: Don’t allow arbitrary PendingIntent in setMediaButtonReceiver

Attackers could use it to access restricted settings.

- Malware could abuse it to escalate privileges with minimal user interaction (just a media button press).

6. Official References and Further Reading

- Google CVE-2023-40111 Security Bulletin
- NVD Entry for CVE-2023-40111
- Android AOSP Patch Commit

Summary

CVE-2023-40111 is a serious example of a confused deputy attack, allowing local privilege escalation in Android’s media framework. The fix is simple—don’t let untrusted apps hand system services arbitrary PendingIntents. If you’re a developer, avoid using user-created PendingIntents in privileged contexts. As a user, always update your device to get critical security fixes like this one.

Timeline

Published on: 02/15/2024 23:15:08 UTC
Last modified on: 08/26/2024 18:35:02 UTC