CVE-2024-0036: Critical Security Vulnerability in startNextMatchingActivity of ActivityTaskManagerService.java

Overview

Attention all Android users and developers - a critical security vulnerability has just been discovered, dubbed as CVE-2024-0036. This vulnerability allows threat actors to exploit a system flaw, thereby enabling them to bypass activity starting restrictions from the background. This bypass boasts the potential to result in local escalation of privilege with no additional execution privileges needed, and worst of all - user interaction is not required for exploitation.

In this post, we will delve into the details of this vulnerability, its exploitation, and links to original references and code snippets for better understanding.

Exploit Details

The vulnerability is found in the startNextMatchingActivity method of the ActivityTaskManagerService.java file and can be exploited using a logic error in the code. This particular method is responsible for handling the sequence of activities within the Android application and ensuring that certain restrictions are in place for security purposes.

Code Snippet: Vulnerable Function in ActivityTaskManagerService.java

`java
public boolean startNextMatchingActivity(IBinder token, Intent intent, Bundle options) {
enforceNotIsolatedCaller("startNextMatchingActivity");
synchronized (this) {
ActivityRecord r = mRootActivityContainer.isInAnyStackLocked(token);
...
TaskRecord task = r.getTaskRecord();
...
if (!task.matchingActivityExists(intent, r.info)) {
return false;

Timeline

Published on: 02/16/2024 02:15:51 UTC
Last modified on: 02/16/2024 13:37:51 UTC