----

Introduction

A local escalation of privilege vulnerability (CVE-2024-0021) has been discovered in the Android operating system. The issue arises from a logic error in the 'onCreate' method of the 'NotificationAccessConfirmationActivity.java' file. This enables an application in the work profile to activate notification listener services, potentially leading to unauthorized access to sensitive information and system resources. Fortunately, user interaction is required for a successful exploitation attempt, reducing the possibility of remote, automated attacks. This post will outline the technical details of the vulnerability and its implications, with links to official references.

The Logic Error

The vulnerability originates from a logic error in the 'NotificationAccessConfirmationActivity.java' file. In the 'onCreate' method, the code isn't correctly determining if an application attempting to access notification access services has the required permissions.

The following snippet illustrates the relevant section of affected code

protected void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    ...
    UserManager userManager = (UserManager) getSystemService(USER_SERVICE);
    LauncherApps launcherApps = (LauncherApps) getSystemService(LAUNCHER_APPS_SERVICE);
    String notificationListener = getIntent().getStringExtra(EXTRA_COMPONENT_NAME);
    ComponentName componentName = ComponentName.unflattenFromString(notificationListener);

    if (userManager.isManagedProfile() && !launcherApps.hasShortcutHostPermission()) {
         showDialog(SHORTCUT_PRECONDITION_ERROR_DIALOG_ID);
    }
    ...
}

As seen above, the code checks if the current user is a managed profile and whether the calling application has the 'ShortcutHostPermission'. However, it doesn't validate the notification listener service permission for the application, allowing apps with no additional execution privileges to exploit the vulnerability.

Exploit Details

When successfully exploited, the vulnerability could potentially grant a malicious work profile app full access to the entire device's notifications and other privileged services. This could disclose sensitive user information such as personal messages, emails, and other private data. Additionally, it could enable unauthorized manipulation of the device's notification settings by a malicious actor.

To exploit this vulnerability, physical access or user interaction is required to install the malicious app on the work profile. However, once the app is installed, the user would be unaware of the malicious activities occurring, as the vulnerability does not require any additional execution privileges.

Mitigation and Fixes

It's important to note that official patches addressing this vulnerability have been released for affected Android devices. Ensure that you update your devices to the latest security patch level to protect against this issue.

For developers, it's crucial to revise the logic in the 'onCreate' method of 'NotificationAccessConfirmationActivity.java' by implementing an appropriate permission check for notification listener services.

Official References and Additional Resources

- Android Security Bulletin - CVE-2024-0021
- AOSP - NotificationAccessConfirmationActivity.java

In summary, the CVE-2024-0021 vulnerability is a result of a logic error in the 'onCreate' method of 'NotificationAccessConfirmationActivity.java' file, which allows work profile apps to enable notification listener services without the correct permissions. Exploiting this could lead to the unintended disclosure of sensitive information and manipulation of device settings. It's important to keep devices updated with the latest security patches and ensure that your applications implement proper permission checks to mitigate the risks associated with these types of vulnerabilities.

Timeline

Published on: 02/16/2024 20:15:47 UTC
Last modified on: 08/28/2024 15:35:10 UTC