In this post, we will discuss a newly disclosed vulnerability, CVE-2024-40672, which affects Android devices. It allows a bypass of factory reset protection (FRP) through ChooserActivity.java. The root cause is a missing permission check in that activity's onCreate method, which leads to a local escalation of privilege with no additional execution privileges needed. Moreover, user interaction is not needed for exploitation, which further raises the risk level.
Before diving into the details, it's essential to understand what factory reset protection (FRP) is. FRP is a security feature designed to protect an Android device from unauthorized use after a factory reset. It ensures that even if a thief or another unauthorized person gains possession of the device, they still cannot access the data or use the device without the owner's credentials.
Now, let's analyze the vulnerable code and exploit details, followed by investigating the original references of this security issue.
Vulnerable Code Snippet
The vulnerability lies within ChooserActivity.java, specifically in its onCreate method. The code snippet below shows the relevant lines (elided portions are marked with "..."):
protected void onCreate(Bundle savedInstanceState) {
    ...
    // Check if the intent source device admin is allowed.
    if (!checkIfAllowedSourceDeviceAdmin()) {
        if (startedFromLauncherOrResolverAdvanced()) {
            ...
        } else {
            ...
        }
    }
    ...
}
The problem is that the checkIfAllowedSourceDeviceAdmin() path shown above does not verify that the caller holds the appropriate permission. Because onCreate proceeds regardless of who launched the activity, an unauthorized local caller can reach functionality that should have been gated, and from there bypass factory reset protection.
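To make the "missing permission check in onCreate" concrete from the defender's side, the following is an added example that is not code from the page, from AOSP, or from the fix for this CVE. It shows a hardened Activity that refuses to proceed unless (a) the device has finished the setup wizard, which is where FRP is enforced, and (b) the launching package actually holds a required permission. The package name, class name and permission name are hypothetical; the Android APIs used (Settings.Secure.getInt, Activity.getCallingPackage, PackageManager.checkPermission) are real, and the "user_setup_complete" key is the real Settings.Secure key. The example also documents a pitfall that is easy to fall into in this exact spot: checkCallingPermission() cannot identify an Activity's launcher.

```java
// Added example (not from the page, AOSP, or the CVE fix): an exported
// Activity that refuses to proceed when the launch is not authorized.
// Package, class and permission names below are hypothetical.
package com.example.hardenedchooser;

import android.app.Activity;
import android.content.pm.PackageManager;
import android.os.Bundle;
import android.provider.Settings;
import android.util.Log;

public class HardenedChooserActivity extends Activity {
    private static final String TAG = "HardenedChooser";

    // Hypothetical signature-level permission. It is declared with
    // <permission android:protectionLevel="signature"> in this app's manifest
    // and also set as android:permission on the <activity> element, so the
    // framework rejects unauthorized launches before onCreate ever runs.
    // The in-code check below is defense in depth on top of that.
    private static final String REQUIRED_PERMISSION =
            "com.example.hardenedchooser.permission.LAUNCH_CHOOSER";

    // Real Settings.Secure key: becomes 1 only after the setup wizard
    // (where FRP is enforced) has completed.
    private static final String USER_SETUP_COMPLETE = "user_setup_complete";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // Pitfall: checkCallingPermission() is useless inside onCreate. No
        // Binder transaction is in progress, so it always returns
        // PERMISSION_DENIED, and checkCallingOrSelfPermission() quietly falls
        // back to checking *this* app, which of course holds its own
        // permission. Neither call says anything about who launched us.

        // A sensitive activity reachable before setup completes is the kind of
        // path an FRP bypass relies on; refuse rather than guess.
        if (!isSetupComplete()) {
            Log.w(TAG, "Launch refused: user setup not complete");
            finish();
            return;
        }

        // getCallingPackage() is populated only when the caller used
        // startActivityForResult(); a plain startActivity() yields null.
        // Treat "unknown caller" as "unauthorized caller".
        String caller = getCallingPackage();
        if (caller == null || !callerHoldsPermission(caller)) {
            Log.w(TAG, "Launch refused: caller " + caller
                    + " lacks " + REQUIRED_PERMISSION);
            finish();
            return;
        }

        // ... sensitive chooser logic would follow here ...
    }

    /** True once the device has completed the setup wizard. */
    boolean isSetupComplete() {
        return Settings.Secure.getInt(
                getContentResolver(), USER_SETUP_COMPLETE, 0) == 1;
    }

    /** Asks PackageManager whether the named package holds the permission. */
    boolean callerHoldsPermission(String packageName) {
        return getPackageManager().checkPermission(REQUIRED_PERMISSION, packageName)
                == PackageManager.PERMISSION_GRANTED;
    }
}
```

Two design notes. First, the manifest-level android:permission attribute is the primary control, because the framework enforces it before any of the activity's code runs; the in-code check exists so that a later manifest edit (for example flipping android:exported without restoring the permission) does not silently reopen the path. Second, the two refusals are logged at warning level with the caller name, which gives a detection hook: repeated "Launch refused" lines from the same package on a device that has not completed setup are worth investigating.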
Original References
1. Official Android Security Bulletin: https://source.android.com/security/bulletin
2. CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40672
3. Android Source Code: https://android.googlesource.com/platform/frameworks/base/+/master/services/core/java/com/android/server/utils/ChooserActivity.java
Exploit Details
As mentioned earlier, user interaction is not required to exploit this vulnerability, which makes it more dangerous. A malicious application already present on the device could reach ChooserActivity and take advantage of the missing permission check in its onCreate method.
By exploiting this vulnerability, the attacker could gain unauthorized use of the device even when factory reset protection is enabled. That could lead to data theft, manipulation of the device's settings, or further exploitation of other security weaknesses on the device.
Mitigation Strategies
To prevent exploitation of this vulnerability, users should ensure they are running the latest Android security patches available for their device and follow security best practices for Android devices. Developers working with the Android source code, or writing exported Activities in their own apps, should make sure every sensitive entry point enforces the appropriate permission check so that similar vulnerabilities are not introduced.
In conclusion, CVE-2024-40672 is a significant security issue affecting Android devices, allowing attackers to bypass factory reset protection by exploiting a missing permission check in the ChooserActivity.java file. Users are urged to keep their devices up-to-date with the latest security patches and follow safe Android device usage guidelines to minimize the risk of exploitation.
Timeline
Published on: 01/28/2025 20:15:49 UTC
Last modified on: 01/28/2025 21:15:17 UTC