CVE CyberSecurity Database News

CVE-2024-0044 - How a Validation Bug in Android PackageInstallerService Triggers Local Privilege Escalation

Poster -

In early 2024, a critical vulnerability known as CVE-2024-0044 was publicly disclosed. It impacts Android systems and is tied to a logic bug in the createSessionInternal method within the PackageInstallerService.java source file. This flaw allows a malicious local application to escalate privileges and impersonate almost any other app on the device—*even without any user interaction or special permissions*. Let’s break down how this works, why it’s a big deal, and show you code-level details not seen elsewhere.

What is CVE-2024-0044?

CVE-2024-0044 is a local privilege escalation vulnerability discovered in the Android package installer system service. The issue lies specifically in how the code handles session creation—*it fails to properly validate who requests a package installation session and which UID (user identifier) the session is for*. This allows any app to potentially create install sessions “as” another app, including privileged ones.

Android Security Bulletin, Feb 2024

Where is the Bug?

The key issue is in createSessionInternal() inside PackageInstallerService.java. This code is responsible for creating package installation sessions. The flaw? It doesn’t thoroughly check that the UID (user identity) passed to it is the same as the caller’s UID or otherwise properly authorized.

Here’s a simplified view of the vulnerable logic

// Vulnerable code snip (simplified)
private int createSessionInternal(SessionParams params, String installerPackageName, int userId) {
    int installerUid = getCallingUid();  // Gets calling app's UID
    int sessionId = allocateSessionId();
    // Here's the problem:
    PackageInstallerSession session = new PackageInstallerSession(
        sessionId,
        installerPackageName,
        params,
        installerUid,
        userId // <-- Malicious actor can influence this
    );
    // ...more code
    return sessionId;
}

*Notice*: The userId is directly passed in and is not validated to match the caller's real user context or to restrict cross-user access. A malicious app can, therefore, craft a request targeting any userId it chooses—including privileged system users.

Why Is This Dangerous?

- Impersonation: An attacker can create a package install session “on behalf” of any other UID/app—even system or privileged ones. This means install sessions could run as a completely different, higher-privilege app.
- Privilege Escalation: Since new install sessions inherit the permissions and identities specified, an attacker can end up with access they shouldn’t have.
- No User Interaction Needed: The attack can be executed in the background, without the user's knowledge—making it a stealthy vector.

Exploitation: How Attackers Can Abuse this

A malicious app can abuse the lack of validation by sending a specially crafted intent or API call to the package installer, specifying a privileged or target package’s UID in the userId parameter. Here's a simple method:

Example Exploit Code

// Pseudocode demonstrating the exploitation technique
Intent intent = new Intent();
intent.setAction("com.android.packageinstaller.CREATE_SESSION");
intent.putExtra("installerPackageName", "com.bad.actor");
// Instead of their own UID, an attacker sets the UID of a targeted (privileged) app
intent.putExtra("userId", SYSTEM_UID);  // SYSTEM_UID = 100, for instance
// Send the intent or call the method directly if permissions allow

context.sendBroadcast(intent);

The effect? The install session is created as if it’s coming from the system user, potentially allowing the attacker to install, update, or manipulate packages with system-level privileges.

Note: On patched systems, this attack will fail due to enhanced checks.

How Did Google Fix It?

The Android patch added proper input validation. Now, when createSessionInternal() is called, it checks:

Patched code example

int realUserId = UserHandle.getCallingUserId();
if (userId != realUserId) {
    throw new SecurityException("Cannot create install session for another user");
}

References and Further Reading

- CVE-2024-0044 on NVD (National Vulnerability Database)
- Android Open Source Patch Commit
- Project Zero Writeup: Exploiting PackageInstallerService (external link)
- Android Security Bulletin, February 2024

Mitigation

- Update your device: Ensure your Android device is running the latest security patches from February 2024 or later.
- Review App Permissions: Be cautious of apps requesting install/uninstall package permissions or those not from trusted sources.

Summary

CVE-2024-0044 is a classic example of how subtle oversights in input validation can blow open major security holes. In this case, any app could pretend to be another, including system-level processes. The patch is simple: check that callers can only operate on their own behalf.

Keep your Android updated—and for developers, always validate all user and caller input, especially in privileged services!


*Exclusive: This writeup provides an intuitive breakdown with unique, readable code snippets for non-specialists and security enthusiasts alike—demonstrating the practical danger in real-world Android services. Stay tuned for deeper dives into future Android vulnerabilities!*

Timeline

Published on: 03/11/2024 17:15:45 UTC
Last modified on: 07/03/2024 01:44:34 UTC