_Discovered in mid-2024, CVE-2024-40656 exposes a local information leak risk on Android platforms. A flaw in ConnectionServiceWrapper.java's handleCreateConferenceComplete method lets malicious apps trick the system into revealing users’ private images. No advanced permissions or malware execution are needed—just user interaction._
Understanding the Issue
A confused deputy attack is when an app with limited permissions leverages a more privileged component to do something it shouldn’t—here, to access images belonging to other users. This is exploitable by third-party calling or conferencing apps using Android’s ConnectionService APIs.
When a conference call is established, ConnectionServiceWrapper is supposed to handle internal call state. But its handleCreateConferenceComplete function can mistakenly let one app request and access images from another user’s context.
Let’s zoom in on the method (as of Android 14 AOSP)
// ConnectionServiceWrapper.java (simplified)
private void handleCreateConferenceComplete(Message msg) {
SomeResult result = (SomeResult) msg.obj;
if (result.hasConference()) {
IConnectionService connectionService = result.getService();
if (connectionService != null) {
// [Potentially problematic call]
// Images can be attached via extras, but these come from other users
Bundle extras = result.getConferenceExtras();
connectionService.onConferenceCreated(
result.getConferenceId(), extras);
}
}
}
The flaw: getConferenceExtras() may include URIs or pointers to images belonging to another user or profile. The onConferenceCreated(...) call gives this bundle to another process under the system’s authority, bypassing the app’s own restricted permissions.
If a malicious (or hijacked) CallingService misuses this, it can grab and store these images.
User Action: User initiates a conference call using a legitimate app.
3. Confused Deputy: System invokes handleCreateConferenceComplete, attaching extras (possibly URIs like content://user_images/123).
4. Exfiltration: Malicious service receives onConferenceCreated, fetches the image using inherited permissions.
Minimal Exploitation Code (Example)
// Inside attacker’s ConnectionService
@Override
public void onConferenceCreated(String conferenceId, Bundle extras) {
Uri imageUri = extras.getParcelable("image_uri");
if (imageUri != null) {
InputStream is = getContentResolver().openInputStream(imageUri);
// Save to app storage or upload
saveImageToAppStorage(is);
}
}
private void saveImageToAppStorage(InputStream is) {
// Write the image locally or upload as needed
}
How to Test If You're Affected
- Device must allow third-party phone/conference apps.
- Install a proof-of-concept app as secondary user/app.
- Start/join conference—monitor for leaks in /storage/emulated//Android/data/[attacker package]/.
Mitigation and Fixes
- Google Android security patch _(see Android Security Bulletin - June 2024)_
- Makes sure only same-user images/URIs are passed and restricts extra sharing.
- De-prioritizes images in Bundle unless from matching user profile/app.
Developers: Always validate bundles & strip sensitive data in ConnectionService implementations.
- Users: Avoid side-loading untrusted communications/calling apps.
References
- CVE-2024-40656 NVD Entry
- Android Open Source Issue Tracker (May require Google account)
- Android Security Bulletin - June 2024
- AOSP ConnectionServiceWrapper.java (reference)
Summary
CVE-2024-40656 highlights how system APIs can be confused into leaking sensitive data, like users’ private images, across app boundaries. Even without extra permissions, attacker apps able to register for telephony can exfiltrate information during ordinary conference calls—so update ASAP if your device is affected. Developers: always audit how information is shared between apps, especially via system services!
Timeline
Published on: 09/11/2024 00:15:11 UTC
Last modified on: 11/04/2024 17:35:21 UTC