CVE-2024-0037 - How a Simple Missing Permission Check in SaveUi.java Can Leak Your Images

*CVE-2024-0037 details a vulnerability in Android's SaveUi.java that's easy to miss, but potentially damaging for privacy. In this article, we'll break down what happened, how the bug works, show sample code, share references, and explain step-by-step how an attacker might exploit it—all in plain language.*

What is CVE-2024-0037?

CVE-2024-0037 is a security flaw found in the applyCustomDescription method of Android's SaveUi.java. This flaw makes it possible for a local malicious application to view images belonging to a different user on the same device. The problem arises from a missing permission check. No user interaction is required: all the attacker needs is to already have code running as a normal app.

Understanding the Bug

In multi-user Android setups, each user's files and data are supposed to be isolated for privacy. The UI for saving autofill entries (SaveUi.java) handles attaching images as custom descriptions. However, it fails to confirm that your app is authorized to access images that might belong to another user. Without this check, a sideloaded app can access sensitive images that aren't theirs.

The critical point:
If an app calls applyCustomDescription with a reference to another user's image, Android will process and display or copy that image without any extra validation.

Here's a simplified (and eye-opening) snippet based on the affected method in SaveUi.java:

// From SaveUi.java (pseudo-simplified)
void applyCustomDescription(View view, CustomDescription desc) {
    ImageView imageView = view.findViewById(R.id.image);
    
    // No check to see if 'desc.image' belongs to the current user
    Bitmap userImage = BitmapFactory.decodeFile(desc.imagePath);
    imageView.setImageBitmap(userImage); // <-- Where the leak happens!
}

The issue: The code simply loads the image (from disk or elsewhere), *no* questions asked about ownership or permission.

Attack Scenario

1. The attacker writes an app that knows (or guesses) file paths used by another user, such as /data/user/10/com.example.pictures/private.png.

2. Their app initiates a save action that attaches a "custom description" referencing that file path.

3. When Android's autofill SaveUi pops up, the vulnerable method runs and loads the image—even though the attacker isn't the owner.

No user interaction required:
No notification, no popup—silent leak!

Proof-of-Concept: Simulating the Attack

Here's a minimal demonstration (POC), showing how an app might trick the system into leaking another user's images:

String victimImagePath = "/data/user/10/com.victim.app/files/private_image.png";

// Prepare a CustomDescription pointing to the sensitive image
CustomDescription desc = new CustomDescription();
desc.imagePath = victimImagePath;

// Request SaveUi with the malicious description
applyCustomDescription(mySaveUiView, desc); 
// At this point, the image from victim's folder is shown/copied!

With the proper permissions on a rooted or test device, you can demonstrate how the image appears, even though the app has no rights to see it.

References

- Android Security Bulletin—CVE-2024-0037
- SaveUi.java Source (AOSP GitHub)
- AutofillService Documentation
- MITRE CVE Database (CVE-2024-0037)

The fix is simple: add a permission check before loading the image:

void applyCustomDescription(View view, CustomDescription desc) {
    if (!hasPermission(desc.imagePath)) {
        throw new SecurityException("Not authorized to view image!");
    }
    // ...rest of the code
}
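As an added example (my own illustration, not AOSP's actual patch and not code from this post), here is one way the `hasPermission` step above could be implemented: a hypothetical `mayLoadImage` that derives the owning Android user from the per-user data directory of the requested path and compares it with the user the autofill UI is running as. It assumes the /data/user/<id>/ layout used in the attack scenario above.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical ownership check for image paths; not the AOSP fix. */
public final class ImageOwnershipCheck {
    // Per-user app data lives under /data/user/<userId>/; /data/data/ is a
    // legacy alias for user 0 (assumed layout, as in the scenario above).
    private static final Pattern USER_DIR = Pattern.compile("^/data/user/(\\d+)/.+");
    private static final Pattern LEGACY_USER0 = Pattern.compile("^/data/data/.+");

    /** Returns the user id that owns a private-data path, or -1 if it is not a per-user path. */
    static int ownerUserId(String imagePath) {
        Path p = Paths.get(imagePath);
        if (!p.isAbsolute()) {
            return -1;                      // relative paths are never accepted
        }
        // Collapse "." and ".." so "/data/user/0/../10/x.png" is seen as user 10.
        // On a real device also resolve symlinks (toRealPath) before checking.
        String normalized = p.normalize().toString();
        Matcher m = USER_DIR.matcher(normalized);
        if (m.matches()) {
            try {
                return Integer.parseInt(m.group(1));
            } catch (NumberFormatException e) {
                return -1;                  // absurdly long user id: treat as unknown
            }
        }
        return LEGACY_USER0.matcher(normalized).matches() ? 0 : -1;
    }

    /** The check applyCustomDescription should make before decoding the file. */
    static boolean mayLoadImage(String imagePath, int callingUserId) {
        return ownerUserId(imagePath) == callingUserId;
    }

    public static void main(String[] args) {
        int caller = 0; // the user the autofill UI is running as (constructed sample)
        String[] samples = {                // constructed sample paths
            "/data/user/0/com.example.pictures/private.png",       // own file: ALLOW
            "/data/user/10/com.example.pictures/private.png",      // other user: DENY
            "/data/user/0/../10/com.example.pictures/private.png", // traversal: DENY
            "com.example.pictures/private.png"                     // relative: DENY
        };
        for (String s : samples) {
            System.out.println((mayLoadImage(s, caller) ? "ALLOW " : "DENY  ") + s);
        }
    }
}
```

In the real code the same check would run before `BitmapFactory.decodeFile`, throwing a `SecurityException` when it fails, as the fix snippet above sketches.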

Android has officially patched this by enforcing such checks, so always keep your device up to date.

Conclusion

CVE-2024-0037 is a classic example of how a missing small check can have big consequences for user privacy. *If you use multiple user accounts on Android, update your device as soon as possible!*


*This post is for educational purposes only. Exploiting such bugs is illegal and unethical. Always report vulnerabilities through official channels!*

Timeline

Published on: 02/16/2024 02:15:51 UTC
Last modified on: 11/26/2024 16:29:39 UTC