A critical vulnerability in the Android operating system, identified as CVE-2024-31317, has been discovered, allowing attackers to exploit the Zygote process for malicious code execution with system-wide privileges.
This vulnerability, known as Zygote injection, affects devices running Android 11 or older, enabling attackers to escalate privileges from the shell user to the system user.
Background and Exploitation
The Zygote process is a crucial component of the Android runtime environment, responsible for forking all application and system-level processes.
It runs with system privileges, making it a prime target for attackers seeking to gain elevated access.
The vulnerability stems from a global setting called hidden_api_blacklist_exemptions, whose value is included directly in Zygote commands without proper escaping of newline characters.
According to the researchers, this oversight allows attackers to inject arbitrary Zygote commands, effectively enabling code execution with system-wide impact.
Exploitation of this vulnerability can be achieved through the Android Debug Bridge (ADB) shell, which holds the WRITE_SECURE_SETTINGS permission needed to modify the hidden_api_blacklist_exemptions setting.
By injecting malicious commands into this setting, attackers can spawn processes with elevated privileges.
A proof-of-concept (PoC) demonstrates how this can be done by stopping the settings app, injecting a payload into the exemptions setting, and then restarting the app to execute the malicious commands.
The payload includes arguments that set the process user and group IDs to those of the system user, allowing for full system access.
Implications and Mitigation
The exploitation of this vulnerability can lead to significant security risks, including the potential for devices to enter a bootloop if not properly managed.
To mitigate these risks, it is crucial to avoid modifying the hidden_api_blacklist_exemptions setting unless absolutely necessary.
If a device enters a bootloop after exploitation, it can be recovered by deleting the modified setting via ADB shell and rebooting the device.
However, this will remove the injected payload, requiring the exploitation steps to be repeated for further access.
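The following added example (not code from the article or from the researchers it cites) illustrates the two points above from a defender's side: why an unescaped newline inside a single setting value spills into extra lines of a line-oriented command channel, and how to audit a stored hidden_api_blacklist_exemptions value for that condition. The command channel is modelled here as a simplified protocol (an argument-count line followed by one argument per line); the real Zygote socket protocol is more involved and is an assumption of this model. All sample setting values are constructed for the demonstration and do not reproduce any real payload.

```python
"""Defender-side model and audit for the newline-injection vector described above.

Assumptions (not from the article): the Zygote command channel is modelled as
a simplified line-oriented protocol; sample values are constructed.
"""
import re

SETTING_KEY = "hidden_api_blacklist_exemptions"

# Constructed samples: a benign comma-separated exemption list and a value that
# smuggles extra lines. The option names are placeholders, not real arguments.
BENIGN_VALUE = "Lcom/example/Foo;->bar()V,Lcom/example/Baz;->qux()I"
TAMPERED_VALUE = (
    "Lcom/example/Foo;->bar()V\n"
    "2\n"
    "--placeholder-option\n"
    "--another-placeholder"
)


def build_command_lines(args):
    """Model of the flawed composition: arguments are joined with '\\n' and
    never escaped, so an argument that itself contains a newline occupies
    more than one line on the wire."""
    return (f"{len(args)}\n" + "\n".join(args)).split("\n")


def parse_command_lines(lines):
    """Model of a line-oriented reader: consume the declared number of
    argument lines; anything left over would be read as the start of the
    next command. Returns (args, leftover)."""
    count = int(lines[0])
    args = lines[1:1 + count]
    leftover = lines[1 + count:]
    return args, leftover


def validate_exemptions_value(value):
    """Hardened input check: a setting value that is forwarded as a single
    argument must not contain line terminators. Reject instead of forwarding."""
    if "\n" in value or "\r" in value:
        raise ValueError(f"{SETTING_KEY}: value contains a line terminator")
    return value


# A bare integer (command framing) or an option-style token on its own line.
_FRAMING_OR_OPTION = re.compile(r"^\s*(\d+|--\S*)\s*$")


def audit_exemptions_value(value):
    """Audit a value read back from the device (e.g. via an ADB settings query).
    Reports newline characters and any embedded line that looks like command
    framing or an option token. Returns a list of human-readable findings."""
    findings = []
    if "\n" in value or "\r" in value:
        findings.append("value contains newline characters")
    for line in value.splitlines()[1:]:
        if _FRAMING_OR_OPTION.match(line):
            findings.append(f"embedded line resembles command framing: {line!r}")
    return findings


if __name__ == "__main__":
    # Show the spill: two arguments declared, but the second carries a newline.
    wire = build_command_lines(["--set-exemptions", "a\nb"])
    print("wire lines:", wire)
    print("parsed:", parse_command_lines(wire))
    print("benign audit:", audit_exemptions_value(BENIGN_VALUE))
    print("tampered audit:", audit_exemptions_value(TAMPERED_VALUE))
```

In practice the audit function would be fed the output of a read-only settings query from ADB for the global namespace; a value that produces any finding is a signal to restore the setting (the article's recovery step of deleting it and rebooting) and to investigate how it was written.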
The discovery of this vulnerability highlights the importance of secure coding practices and rigorous testing in the development of mobile operating systems.
As Android continues to evolve, addressing such vulnerabilities promptly is essential to protect user data and maintain system integrity.