CVE CyberSecurity Database News

CVE-2024-34743 - Exploiting a Tapjacking Vulnerability in Android’s SurfaceFlinger (Easy Privilege Escalation)

Poster -

A critical vulnerability (CVE-2024-34743) has been found in Android’s core SurfaceFlinger service, specifically in the setTransactionState function of SurfaceFlinger.cpp. This bug introduces a logic error that enables a straightforward local privilege escalation (LPE)—even *without* user interaction or additional privileges. In this exclusive article, we'll break down how this exploit works using plain, easy-to-understand language. We'll also provide a code snippet to show where the error happens and guide you to relevant original references.

If you care about Android security—or just want to understand how “tapjacking” can be abused at the OS level—read on.

SurfaceFlinger and Tapjacking: What’s the Deal?

SurfaceFlinger is at the heart of Android’s display system. It manages the composition and display of Android windows. When you switch apps or animations happen, SurfaceFlinger is working behind the scenes.

“Tapjacking” usually means overlaying an invisible layer above a legitimate one to trick a user into tapping something they didn't mean to. But with this bug, we go one step further: there's no need to trick the user at all. The vulnerability allows an attacker to *programmatically* overlay content and escalate their privileges, all silently.

Exploit Details: The Heart of the Issue

The vulnerability lives in the setTransactionState method of SurfaceFlinger.cpp.

Here’s the simplified logic flow in pseudocode (not actual Android code, but close)

void SurfaceFlinger::setTransactionState(const Vector<ComposerState>& states) {
    for (const ComposerState& state : states) {
        Layer* layer = getLayerById(state.id);
        if (layer == nullptr) continue;

        // Logic bug: incorrect validation of transaction source and permissions
        if (state.isTrusted || callingPidHasOverlayPermission()) {
            layer->applyState(state); // This can set overlay above critical UI
        }
    }
}

The Problem

There is insufficient validation before allowing a layer from a non-privileged process to *apply state changes*—including raising itself above secure or system-critical UI elements like the lock screen or system dialogs.

An attacker can create a specially crafted transaction that lifts their window’s Z-order (visual stacking) over others. As a result, the attacker’s overlay can impersonate clicks, obscure security prompts (like system permissions or lock screens), and even trick the system into performing privileged actions—all without user interaction.

Craft Malicious App: An app running locally (no special privileges needed).

2. Submit Special Transaction: The app sends a transaction via the SurfaceFlinger service to raise its layer above sensitive UI, exploiting the logic flaw in validation.
3. Overlay System UI: The malicious window now sits above lock screens, security dialogs, or system alerts.
4. Escalate Privileges: The overlay can capture, simulate, or hijack system interactions—leading to local privilege escalation.

This can happen completely *silently* in the background, without any taps, confirmation, or even awareness by the user.

Code Sample: Vulnerable Logic in Real SetTransactionState

Here's a snippet inspired by the real Android AOSP code (see the real source on AOSP SurfaceFlinger.cpp):

// SurfaceFlinger.cpp (simplified example)
status_t SurfaceFlinger::setTransactionState(...) {
    ...
    if (!callerHasOverlayPermission(callingPid)) {
        // LOGIC ERROR: insufficient privilege check!
        // Should verify not only overlay permission but also context
    }

    // Attacker can set this layer 'on top' of critical UI
    layer->setZOrder(HIGH_PRIORITY_Z);

    // Layer appears above even system windows
    ...
}

Android Security Bulletin, June 2024:

https://source.android.com/docs/security/bulletin/2024-06-05

AOSP ServiceFlinger Source:

https://android.googlesource.com/platform/frameworks/native/+/main/services/surfaceflinger/SurfaceFlinger.cpp

Official CVE Record:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34743

How to Mitigate

- Update Immediately: Google has patched this bug in official updates. Check your device manufacturer for security patch level June 2024 or later.
- App Awareness: Be cautious of apps requesting overlays (“draw over other apps” permission). But note: With this bug, even regular apps *without* overlay permission may exploit the flaw.
- Enterprise Devices: Enforce device policies that restrict untrusted APKs and apply security updates promptly.

Conclusion

CVE-2024-34743 is a striking demonstration of how a small logic oversight in privileged system code—deep inside SurfaceFlinger—can enable high-impact tapjacking and LPE without user interaction. If you’re a developer or security professional, review your validation logic, always check for privilege boundaries, and keep up with upstream security fixes.

For more technical breakdowns and Android security news, stay tuned!


*This post is exclusively written to explain CVE-2024-34743, combining original research and simplified explanations for the community.*

Timeline

Published on: 08/15/2024 22:15:06 UTC
Last modified on: 08/19/2024 20:35:16 UTC