CVE-2024-0038: A Deep Dive into Arbitrary Input Event Injection Vulnerability in injectInputEventToInputFilter of AccessibilityManagerService.java

CVE-2024-0038, recently discovered and reported, allows for arbitrary input event injection in Android devices due to a missing permission check in injectInputEventToInputFilter of AccessibilityManagerService.java. This vulnerability could potentially lead to local privilege escalation on affected devices, with no additional execution privileges needed. To make matters worse, user interaction is not required for this exploit to succeed. In this in-depth post, we will analyze the root cause of this vulnerability, provide code snippets for demonstration purposes, and discuss the potential impact of an attack.

Code Snippet

The root cause of the vulnerability lies in the injectInputEventToInputFilter method within the AccessibilityManagerService.java file. Here is a code snippet showcasing the problem:

public class AccessibilityManagerService extends IAccessibilityManager.Stub {
    // ...

    private void injectInputEventToInputFilter(InputEvent event) {
        if (mInputFilter != null && event != null) {        
            int policyFlags = event.getPolicyFlags();
            if ((policyFlags & POLICY_FLAG_PASS_TO_USER) == ) {
                mInputFilter.sendInputEvent(event, policyFlags | POLICY_FLAG_PASS_TO_USER);
            } else {
                mInputFilter.sendInputEvent(event, policyFlags);
            }
        }
    }
}

As we can see, there is no permission check performed in this method before the input event is sent to the input filter. This allows an attacker to inject arbitrary input events without proper permission checks.

For more information about this vulnerability, please refer to the following sources

1. The official CVE report: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0038
2. The Android Security Bulletin: https://source.android.com/security/bulletin/2024-01-01

Exploit Details

An attacker can exploit this vulnerability using a malicious app that does not require any special user permissions. This app would call the injectInputEventToInputFilter method in AccessibilityManagerService.java and pass an arbitrary input event. Since there is no permission check performed, the input event will be sent to the input filter and subsequently processed, potentially resulting in a local privilege escalation.

For example, an attacker could use this exploit to impersonate the user by sending fake key events or touch events, triggering unauthorized operations on the device.

Conclusion

The CVE-2024-0038 vulnerability poses a significant risk to Android users, as it can allow attackers to perform unauthorized operations on affected devices. It is crucial for Android developers to be aware of this issue and ensure that their apps perform proper permission checks when dealing with input events. Users should also ensure that their devices are up-to-date with the latest security patches to safeguard against this exploit.

Timeline

Published on: 02/16/2024 02:15:51 UTC
Last modified on: 02/16/2024 13:37:51 UTC