wrlu security

  • CVE-2025-32324 Vulnerability Analysis

    Introduction

    The start-in-vsync command of ActivityManagerShellCommand passes the caller's authentication information incorrectly, which allows any unexported Activity in the system to be launched through this interface, enabling a LaunchAnyWhere (LAW) attack.

    Vulnerability Analysis

    The code is relatively simple:

        //…
        case "start":
        case "start-activity":
            return runStartActivity(pw);
        case "start-in-vsync":
            final ProgressWaiter waiter = new…

    September 30, 2025
  • Research on Invoking InstallInstalling

    Preface

    When exploiting a LaunchAnyWhere vulnerability, the traditional approach is to go through the system-uid FileProvider and turn the primitive into arbitrary file read/write with system_app privileges. Unfortunately, Android has a mitigation here: it does not allow the system and root uids to grant URI permissions to other uids at will. There have been cases where manufacturers opened…

    June 17, 2025
  • CVE-2024-40673 — The Return of the Janus Vulnerability

    Background

    Google finally disclosed CVE-2024-40673, a vulnerability I discovered earlier, in the October 2024 Android Security Bulletin, classifying it as high severity with RCE potential. The discovery was somewhat serendipitous, so today I'll talk about CVE-2024-40673.

    CVE-2017-13156

    Since the title is "The Return of the Janus Vulnerability", it's necessary to first…

    October 10, 2024
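    The Janus shape that the post goes on to explain (CVE-2017-13156), as an added example that is not part of the post: a single file that reads as a DEX from the front and as an APK from the back. This is constructed with Python's zipfile; a stand-in blob carrying only the DEX magic replaces a real DEX image, and whole-file versus per-entry hash comparisons stand in for the v2 and v1 signature checks. It does not use Android's own parsers or verifiers.

    ```python
    """Added illustration of the Janus shape: one file that is both a DEX and an APK.

    Constructed demo, not code from the post. A real DEX image is replaced by a blob
    that only carries the DEX magic; the "v1" and "v2" digests model what each
    signature scheme covers, not the real verifier logic.
    """
    import hashlib
    import io
    import zipfile

    DEX_MAGIC = b"dex\n035\x00"  # first 8 bytes of a DEX file (magic + version)


    def build_apk(entries):
        """Build a minimal stored ZIP in memory from {name: bytes}; stands in for an APK."""
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
            for name, data in entries.items():
                zf.writestr(name, data)
        return buf.getvalue()


    def make_janus(dex_image, apk_bytes):
        """Glue a DEX image in front of an APK.

        ZIP readers locate the central directory by scanning backwards from the end
        of the file and then correct every offset by the size of the leading data,
        so the entries survive the prefix, while a loader that checks offset 0 sees
        the DEX magic.
        """
        return dex_image + apk_bytes


    def looks_like_dex(blob):
        return blob[:8] == DEX_MAGIC


    def zip_entries(blob):
        """Read every entry the way a ZIP-based consumer would."""
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return {info.filename: zf.read(info.filename) for info in zf.infolist()}


    def v1_style_digest(blob):
        """v1 (JAR) signing covers individual entry contents only; modelled as a
        digest over the sorted (name, content) pairs."""
        h = hashlib.sha256()
        for name, data in sorted(zip_entries(blob).items()):
            h.update(name.encode())
            h.update(b"\0")
            h.update(data)
            h.update(b"\0")
        return h.hexdigest()


    def v2_style_digest(blob):
        """APK Signature Scheme v2 covers the whole file (entries, central directory,
        end-of-central-directory record), so prepended bytes change it. Modelled as
        a digest over the entire blob."""
        return hashlib.sha256(blob).hexdigest()


    # Constructed sample input (not a real APK or DEX).
    ORIGINAL_APK = build_apk({
        "AndroidManifest.xml": b"<manifest/>",
        "classes.dex": DEX_MAGIC + b"\0" * 8 + b"benign code",
    })
    FAKE_DEX = DEX_MAGIC + b"\0" * 8 + b"attacker code"
    JANUS_FILE = make_janus(FAKE_DEX, ORIGINAL_APK)


    def summarize():
        """Compare how DEX-first, ZIP-first, v1-style and v2-style consumers see the two files."""
        return {
            "janus_is_dex": looks_like_dex(JANUS_FILE),
            "original_is_dex": looks_like_dex(ORIGINAL_APK),
            "entries_identical": zip_entries(JANUS_FILE) == zip_entries(ORIGINAL_APK),
            "v1_digest_matches": v1_style_digest(JANUS_FILE) == v1_style_digest(ORIGINAL_APK),
            "v2_digest_matches": v2_style_digest(JANUS_FILE) == v2_style_digest(ORIGINAL_APK),
        }


    if __name__ == "__main__":
        for key, value in summarize().items():
            print(f"{key}: {value}")
    ```

    The per-entry digest of the Janus file equals that of the original, which is why a v1-only check passes, while the whole-file digest differs, which is what v2 signing adds.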
  • A Case Study on Android Interface Information Disclosure

    Background

    Information disclosure through Binder IPC interfaces is no longer a new class of vulnerability among Android OEMs, mainly because OEMs tend to build features such as multi-screen collaboration that modify "Window" and "Activity" handling. Even so, the two identical vulnerabilities I ran into this time still intrigued me, so I'd like to share them with you.…

    August 5, 2024
  • AOSP Notification Ranking Code Analysis

    Goal

    Analyse the notification ranking code in AOSP to understand Android's notification ranking mechanism.

    August 5, 2024
  • Android 13 Notification Permission Adaptation Dialog Mechanism Analysis

    Background

    For apps whose target SDK is lower than Android 13, once the app has created at least one NotificationChannel, the first activity launch is intercepted to show a permission prompt asking whether the user wants to receive notifications from the app. In short, an app with targetSDK below Android 13 that has at least one NotificationChannel automatically gets the notification permission dialog on its first Activity launch. This post mainly analyses how that mechanism works. Source: https://source.android.com/docs/core/display/notification-perm

    April 7, 2024
  • A Deep Dive into Android System Service Internal APIs

    Preface

    We all know that Android apps rely on Binder IPC interfaces to talk to system services in order to carry out operations and use the system's features. Because the system services in the system_server process are responsible for many important activities in Android, such as managing components and permissions, OEMs building their own ROMs more or less end up adding internal-use interfaces to system services so that system-level or specific apps can conveniently perform operations they would otherwise lack permission for. This post records the preferences of different vendors in implementing such interfaces and discusses some of the potential risks.

    March 20, 2024
  • BindService Error Handling and CVE-2023-21138 & CVE-2023-40130

    Background

    Restrictions on background Activity starts are a mechanism Google introduced in Android 10, mainly to keep apps from interrupting the user. Official documentation: Restrictions on starting activities from the background. OPPO's WeChat official account has a fuller description of background Activity starts; see 恶意App后台弹窗技术手法分析 (an analysis of the techniques malicious apps use to pop up windows from the background).

    January 19, 2024
  • Special Action Meets Account: CVE-2020-0338 Vulnerability Analysis

    Preface

    This is a relatively old issue; this article records my earlier analysis of it.

    Vulnerability Description

    I won't explain the AccountManager LaunchAnyWhere vulnerability itself here; let's look directly at the checkKeyIntent method:

        /**
         * Checks Intents, supplied via KEY_INTENT, to make sure that they don't violate our
         * security policy.
         *
         * In particular…

    November 9, 2023
  • CVE-2023-20963: Analysis of the WorkSource Parcelable Deserialization Vulnerability

    Preface

    On Android builds with a security patch level earlier than 2023-03-01, the android.os.WorkSource type has a Parcelable deserialization vulnerability. An attacker who successfully exploits it can send arbitrary Intents as the system user. Google stated in its security bulletin: There are indications that CVE-2023-20963 may be under limited,…

    April 18, 2023
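    To show the class of bug named above in working code, here is an added toy model that is not the post's code and does not reproduce android.os.WorkSource's actual fields: a Parcelable whose reader consumes one int more than its writer emits, a minimal bundle format standing in for android.os.Bundle and android.os.Parcel (the wire layout is an assumption made for the demo), and a constructed byte stream that passes a key check on the first parse yet yields a KEY_INTENT entry after the privileged process re-serializes it for the next hop. The `patched` flag shows the fix: write exactly what the reader reads.

    ```python
    """Toy model of a Parcelable read/write mismatch (added illustration only).

    Assumed wire format: int = 4-byte little-endian; string = int length + UTF-8
    bytes; bundle = int count followed by (key, type tag, value) triples. This is
    NOT android.os.Parcel's real layout, and LeakyObj is NOT WorkSource; it simply
    has the same kind of defect: its writer and reader disagree about how many
    bytes the object occupies.
    """
    import struct
    from dataclasses import dataclass

    T_INT, T_STR, T_OBJ = 1, 2, 3


    class Parcel:
        """Minimal stand-in for android.os.Parcel."""

        def __init__(self, data=b""):
            self.buf = bytearray(data)
            self.pos = 0

        def write_int(self, v):
            self.buf += struct.pack("<i", v)

        def write_string(self, s):
            raw = s.encode("utf-8")
            self.write_int(len(raw))
            self.buf += raw

        def read_int(self):
            (v,) = struct.unpack_from("<i", self.buf, self.pos)
            self.pos += 4
            return v

        def read_string(self):
            n = self.read_int()
            raw = bytes(self.buf[self.pos:self.pos + n])
            self.pos += n
            return raw.decode("utf-8")

        def marshall(self):
            return bytes(self.buf)


    @dataclass
    class LeakyObj:
        """Parcelable whose reader consumes more than its writer produces."""
        id: int
        extra: int = 0

        def write_to_parcel(self, p, patched=False):
            p.write_int(self.id)
            if patched:            # the fix: emit exactly what create_from_parcel reads
                p.write_int(self.extra)

        @classmethod
        def create_from_parcel(cls, p):
            return cls(p.read_int(), p.read_int())   # reads id AND extra


    def write_bundle(entries, patched=False):
        p = Parcel()
        p.write_int(len(entries))
        for key, value in entries.items():
            p.write_string(key)
            if isinstance(value, LeakyObj):
                p.write_int(T_OBJ)
                value.write_to_parcel(p, patched)
            elif isinstance(value, int):
                p.write_int(T_INT)
                p.write_int(value)
            else:
                p.write_int(T_STR)
                p.write_string(value)
        return p.marshall()


    def read_bundle(data):
        p = Parcel(data)
        entries = {}
        for _ in range(p.read_int()):
            key = p.read_string()
            tag = p.read_int()
            if tag == T_OBJ:
                entries[key] = LeakyObj.create_from_parcel(p)
            elif tag == T_INT:
                entries[key] = p.read_int()
            elif tag == T_STR:
                entries[key] = p.read_string()
            else:
                raise ValueError("unknown type tag %d" % tag)
        return entries


    def attacker_bundle():
        """Constructed sample of what a malicious authenticator would hand over."""
        hidden = Parcel()                     # a complete (key, tag, value) triple ...
        hidden.write_string("KEY_INTENT")
        hidden.write_int(T_STR)
        hidden.write_string("evil.Activity")
        smuggled_key = hidden.marshall().decode("utf-8")   # ... hidden inside a key
        p = Parcel()
        p.write_int(2)
        p.write_string("obj")
        p.write_int(T_OBJ)
        p.write_int(1)        # LeakyObj.id
        p.write_int(0)        # the 'extra' int that only the reader consumes
        p.write_string(smuggled_key)
        p.write_int(T_STR)
        p.write_string("innocent")
        return p.marshall()


    def check_and_forward(data, patched=False):
        """Privileged hop: parse, run the key check, re-serialize for the next
        process, and return what that next process will see."""
        first = read_bundle(data)
        if "KEY_INTENT" in first:
            raise PermissionError("rejected on first parse")
        second = read_bundle(write_bundle(first, patched))
        return first, second


    if __name__ == "__main__":
        before, after = check_and_forward(attacker_bundle())
        print("first parse keys :", list(before))
        print("second parse keys:", list(after))
        print("smuggled value   :", after.get("KEY_INTENT"))
    ```

    On the first parse the payload is just the bytes of an odd-looking key, so the check sees no KEY_INTENT. Re-serialization drops the int the writer never emits, the next reader pulls the key's length into `extra`, and the bytes inside that key are parsed as a fresh entry. With `patched=True` the round trip is byte-stable and the second parse equals the first.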