Related vulnerability
Title:
Google Android security vulnerability
(CVE-2024-31317)
Description: Google Android is a Linux-based open-source operating system developed by Google (USA). Google Android contains a security vulnerability stemming from insecure deserialization in multiple methods of the ZygoteProcess.java file, which may allow code execution as any application via WRITE_SECURE_SETTINGS.
Description
Detailed discussion of Zygote vulnerability CVE-2024-31317
Introduction
# Exploration of CVE-2024-31317
CVE-2024-31317 provides unprivileged access to any uid and SELinux scope available to proper Android apps. This includes uid 1000 (`system`) and uid 2000 (`shell`), and it can be triggered entirely from an unprivileged app, so any functionality built on it can persist.
- [Explanation](explanation.md)
- [Zygote Arguments](arguments.md)
- [Emulator Setup](./emulator/)
## Availability
This exploit should apply to most Android versions [prior to the June 2024 security patch](https://source.android.com/docs/security/bulletin/2024-06-01) and Android 9+. Some vendors may have cherry-picked this change into older versions. Specifically, this means Android 9-14 with a security patch level of 2024-06-01 or lower.
The vulnerability is trivial on Android versions 11 and below. See [the attached sources](#sources) for implementation instructions on pre-12 versions.
## Derived Access
`shell` privilege should be the same as access directly via `adb shell`. `system` privilege is more questionable. [@oddbyte](https://github.com/oddbyte) is [maintaining a list](https://github.com/oddbyte/android-system) of available `system` access, specifically relating to this vulnerability. The default property context permissions are listed in [`property_contexts`](https://android.googlesource.com/platform/system/sepolicy/+/main/private/property_contexts) and [`system_app.te`](https://android.googlesource.com/platform/system/sepolicy/+/main/private/system_app.te).
## Sources
This research has been based heavily on the following sources and the actual Android source code:
- [Becoming any Android app via Zygote command injection (Meta)](https://rtx.meta.security/exploitation/2024/06/03/Android-Zygote-injection.html)
- Unsure which is the original:
  - [The Return of Mystique?... (dawnslab)](https://dawnslab.jd.com/the_return_of_mystique)
  - [The Return of Mystique?... (Flanker Sky)](https://blog.flanker017.me/cve-2024-31317/)
- [Gist and discussion (rabits)](https://gist.github.com/rabits/ecae96c256cb25726b2bb92c73f9c081)
- [Gist and discussion (ybtag)](https://gist.github.com/ybtag/db3f3595139556c773fb94b7cbe668b5)
- [Exploit demonstration app](https://github.com/oddbyte/CVE-2024-31317)
File snapshot
[4.0K] /data/pocs/ddc88e7743e2866fba4711c3e2deb1590a0a1dbc
├── [ 13K] arguments.md
├── [4.0K] emulator
│ ├── [ 682] install.sh
│ ├── [ 18K] package.xml
│ ├── [2.4K] README.md
│ └── [ 45K] zygote.patch
├── [ 19K] explanation.md
├── [1.0K] LICENSE
└── [2.2K] README.md
1 directory, 8 files
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source is no longer available or cannot be accessed, please send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.