CVE-2024-40677 is a vulnerability in AdvancedPowerUsageDetail.java, part of the Android Settings app, that can allow an attacker to bypass Factory Reset Protection (FRP) on affected devices. It stems from a missing permission check in the shouldSkipForInitialSUW method and can lead to local escalation of privilege with no additional execution privileges needed and no user interaction required. This post walks through the vulnerable check, its impact, and the available mitigations.
The portion of AdvancedPowerUsageDetail.java where the check lives, as presented in this post:
import android.content.Intent;
import android.content.pm.PackageManager;
import android.content.pm.ResolveInfo;
import java.util.List;

public class AdvancedPowerUsageDetail {
    ...
    // Decides whether this page should be skipped during initial setup.
    // Note what is NOT checked: no caller permission and no provisioning
    // state; the decision rests entirely on which packages resolve HOME.
    private boolean shouldSkipForInitialSUW() {
        PackageManager pm = getPackageManager();
        Intent suw = new Intent("android.intent.action.MAIN");
        suw.addCategory("android.intent.category.HOME");
        suw.addCategory("android.intent.category.DEFAULT");
        // flags = 0: plain resolution; any app can perform this query
        List<ResolveInfo> resolveInfos = pm.queryIntentActivities(suw, 0);
        // More than one HOME handler is taken to mean the Setup Wizard is
        // registered as home, i.e. setup has not finished.
        return resolveInfos.size() > 1;
    }
    ...
}
Exploit Details
As the snippet shows, shouldSkipForInitialSUW checks neither a permission nor the device's provisioning state. It resolves ACTION_MAIN/CATEGORY_HOME activities and returns true when more than one resolves, on the assumption that a second HOME handler is only present while the Setup Wizard (SUW) is registered as home. That assumption is controlled by whatever packages are installed: any app can declare a HOME/DEFAULT intent filter in its manifest, and queryIntentActivities requires no permission to call, so an unprivileged app can influence the outcome simply by declaring such an activity. The result is a heuristic, not an authorization decision. FRP is at stake because a Settings page that renders before setup completes is the usual way out of the wizard; a page shown during SUW therefore has to gate itself on real provisioning state rather than on an installed-package count, and this one did not.
Original References
Android Open Source Project (AOSP) has publicly acknowledged this vulnerability and provided the following original references:
- Android Security Bulletin: CVE-2024-40677
- AOSP Commit: Adding permission checks
Mitigation Strategies
To mitigate this vulnerability, users should apply the security update for their device as soon as it is available, and device manufacturers should integrate and ship the patch promptly. Developers of Settings-like surfaces should treat any page reachable during setup as security-sensitive: review it for the permission or provisioning check it needs, and do not derive setup state from data that installed apps can influence.
The post's illustration of the fix follows. Note that GET_INTENT_SENDER_INTENT_PERMISSION is not a flag defined on android.content.pm.PackageManager, so treat the snippet as a sketch of where the check belongs rather than as the AOSP change itself; the AOSP commit listed under Original References is the authoritative source for what was actually added.
import android.content.Intent;
import android.content.pm.PackageManager;
import android.content.pm.ResolveInfo;
import java.util.List;

public class AdvancedPowerUsageDetail {
    ...
    private boolean shouldSkipForInitialSUW() {
        PackageManager pm = getPackageManager();
        Intent suw = new Intent("android.intent.action.MAIN");
        suw.addCategory("android.intent.category.HOME");
        suw.addCategory("android.intent.category.DEFAULT");
        // The post's placeholder for the added check. GET_INTENT_SENDER_INTENT_PERMISSION
        // is not a real PackageManager flag; it stands in for the permission check
        // that the AOSP commit introduced at this point.
        List<ResolveInfo> resolveInfos = pm.queryIntentActivities(suw, PackageManager.GET_INTENT_SENDER_INTENT_PERMISSION);
        return resolveInfos.size() > 1;
    }
    ...
}
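To make the contrast concrete, the following is an added illustration written for this post (not code from AOSP or the Settings app) of the two points made above: why the HOME-resolver count in shouldSkipForInitialSUW is something an installed app can influence, and what a check keyed to real provisioning state looks like. SuwGuard, GuardedDetailActivity, homeResolverHeuristic and isDeviceProvisioned are assumed names; Settings.Global.DEVICE_PROVISIONED, Intent.CATEGORY_HOME and PackageManager.queryIntentActivities are real Android APIs.

```java
// Added illustration for this post, not AOSP code. Class and method names
// are assumptions; the Android APIs used are real.
package com.example.suwguard;

import android.app.Activity;
import android.content.Context;
import android.content.Intent;
import android.content.pm.ResolveInfo;
import android.os.Bundle;
import android.provider.Settings;

import java.util.List;

public final class SuwGuard {

    private SuwGuard() {}

    /**
     * The heuristic from the post: infer "we are in setup" from how many
     * packages resolve ACTION_MAIN + CATEGORY_HOME. Any installed app can
     * add itself to that set with a manifest entry such as:
     *
     *   <activity android:name=".FakeHome" android:exported="true">
     *     <intent-filter>
     *       <action android:name="android.intent.action.MAIN" />
     *       <category android:name="android.intent.category.HOME" />
     *       <category android:name="android.intent.category.DEFAULT" />
     *     </intent-filter>
     *   </activity>
     *
     * so the return value depends on what is installed, not on whether the
     * device has finished provisioning, and no permission is needed to
     * perform the query.
     */
    public static boolean homeResolverHeuristic(Context context) {
        Intent home = new Intent(Intent.ACTION_MAIN)
                .addCategory(Intent.CATEGORY_HOME)
                .addCategory(Intent.CATEGORY_DEFAULT);
        List<ResolveInfo> resolvers =
                context.getPackageManager().queryIntentActivities(home, 0);
        return resolvers.size() > 1;
    }

    /**
     * Provisioning-state check. DEVICE_PROVISIONED is a public
     * Settings.Global key that the setup flow sets to 1 once setup has
     * finished; an app cannot flip it by declaring an activity.
     */
    public static boolean isDeviceProvisioned(Context context) {
        return Settings.Global.getInt(context.getContentResolver(),
                Settings.Global.DEVICE_PROVISIONED, 0) != 0;
    }

    /**
     * Pure decision logic kept separate from the Android lookups so it can be
     * unit-tested on a plain JVM: skip the page unless setup has completed.
     */
    public static boolean shouldSkipForInitialSuw(boolean deviceProvisioned) {
        return !deviceProvisioned;
    }

    /**
     * Hypothetical activity showing where the guard belongs: in onCreate,
     * before any UI is built, so that nothing on the page is reachable
     * while the device is still in the setup wizard.
     */
    public static class GuardedDetailActivity extends Activity {
        @Override
        protected void onCreate(Bundle savedInstanceState) {
            super.onCreate(savedInstanceState);
            if (shouldSkipForInitialSuw(isDeviceProvisioned(this))) {
                // Refuse to render during setup: no fragment, no links out.
                finish();
                return;
            }
            // ... normal page setup would go here ...
        }
    }
}
```

The design point is the split between a lookup that an unprivileged package can influence (homeResolverHeuristic) and one it cannot (isDeviceProvisioned), with the decision itself isolated in shouldSkipForInitialSuw so a unit test can pin down both branches without an emulator.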
Conclusion
CVE-2024-40677 is a significant vulnerability: it lets an attacker bypass Factory Reset Protection on affected devices, which can lead to unauthorized access and local escalation of privilege. Understanding why the check was insufficient, and applying the security update promptly, is how users and developers keep affected devices intact.
Timeline
Published on: 01/28/2025 20:15:49 UTC
Last modified on: 01/28/2025 21:15:17 UTC