
CVE-2024-31317 PoC — Google Android security vulnerability

Associated Vulnerability
Title: Google Android security vulnerability (CVE-2024-31317)
Description: In multiple functions of ZygoteProcess.java, there is a possible way to achieve code execution as any app via WRITE_SECURE_SETTINGS due to unsafe deserialization. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.
Description
Detailed discussion of Zygote vulnerability CVE-2024-31317
Readme
# Exploration of CVE-2024-31317

CVE-2024-31317 provides unprivileged access to any uid and SELinux scope available to proper Android apps. This includes uid 1000 (`system`) and uid 2000 (`shell`), and it can be triggered entirely from an unprivileged app, allowing any functionality built on it to persist.

- [Explanation](explanation.md)
- [Zygote Arguments](arguments.md)
- [Emulator Setup](./emulator/)

## Availability

This exploit should apply to most Android 9+ builds [prior to the June 2024 security patch](https://source.android.com/docs/security/bulletin/2024-06-01). Some vendors may have cherry-picked this change into older versions. Specifically, this means Android 9-14 with a security patch level of 2024-06-01 or lower.

The vulnerability is trivial for Android versions 11 and below. See [the attached sources](#sources) for implementation instructions on pre-12 versions.
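A practitioner's triage check against the affected range stated above, added here as an example (it is not code from this repository): it classifies a build from the `ro.build.version.sdk` and `ro.build.version.security_patch` properties, reporting a pre-Android 9 build as undetermined because of the vendor cherry-picking noted above. The `check_connected_device` wrapper and its use of `adb` are assumptions.

```shell
#!/bin/sh
# Classify a build against the affected range given above:
# Android 9-14 (API 28-34) with a security patch level of 2024-06-01 or lower.
# Return codes: 0 = likely affected, 1 = not affected (fixed or out of range),
#               2 = undetermined (pre-Android 9, vendor backport possible),
#               3 = input could not be parsed.
cve_2024_31317_status() {
    sdk="$1"      # value of ro.build.version.sdk, e.g. 34
    patch="$2"    # value of ro.build.version.security_patch, e.g. 2024-05-05
    case "$sdk" in
        ''|*[!0-9]*) echo "unparseable sdk level '$sdk'"; return 3 ;;
    esac
    case "$patch" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "unparseable security patch level '$patch'"; return 3 ;;
    esac
    # YYYY-MM-DD compares correctly as the integer YYYYMMDD.
    patch_num=$(printf '%s' "$patch" | tr -d '-')
    if [ "$sdk" -lt 28 ]; then
        echo "undetermined: API $sdk predates Android 9; check for a vendor backport"
        return 2
    fi
    if [ "$sdk" -gt 34 ]; then
        echo "not affected: API $sdk is newer than Android 14"
        return 1
    fi
    if [ "$patch_num" -gt 20240601 ]; then
        echo "not affected: patch level $patch is after 2024-06-01"
        return 1
    fi
    echo "likely affected: API $sdk with patch level $patch"
    return 0
}

# Assumed convenience wrapper: read both properties from a device over adb.
check_connected_device() {
    cve_2024_31317_status \
        "$(adb shell getprop ro.build.version.sdk | tr -d '\r')" \
        "$(adb shell getprop ro.build.version.security_patch | tr -d '\r')"
}
```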

## Derived Access

`shell` privilege should be the same as access directly via `adb shell`. `system` privilege is more questionable. [@oddbyte](https://github.com/oddbyte) is [maintaining a list](https://github.com/oddbyte/android-system) of available `system` access, specifically relating to this vulnerability. The default prop context permissions are listed in [`property_contexts`](https://android.googlesource.com/platform/system/sepolicy/+/main/private/property_contexts) and [`system_app.te`](https://android.googlesource.com/platform/system/sepolicy/+/main/private/system_app.te).

## Sources

This research has been based heavily on the following sources and on the actual Android source code:

- [Becoming any Android app via Zygote command injection (Meta)](https://rtx.meta.security/exploitation/2024/06/03/Android-Zygote-injection.html)
- Unsure which is the original
  - [The Return of Mystique?... (dawnslab)](https://dawnslab.jd.com/the_return_of_mystique)
  - [The Return of Mystique?... (Flanker Sky)](https://blog.flanker017.me/cve-2024-31317/)
- [Gist and discussion (rabits)](https://gist.github.com/rabits/ecae96c256cb25726b2bb92c73f9c081)
- [Gist and discussion (ybtag)](https://gist.github.com/ybtag/db3f3595139556c773fb94b7cbe668b5)
- [Exploit demonstration app](https://github.com/oddbyte/CVE-2024-31317)
File Snapshot

[4.0K] /data/pocs/ddc88e7743e2866fba4711c3e2deb1590a0a1dbc
├── [ 13K] arguments.md
├── [4.0K] emulator
│   ├── [ 682] install.sh
│   ├── [ 18K] package.xml
│   ├── [2.4K] README.md
│   └── [ 45K] zygote.patch
├── [ 19K] explanation.md
├── [1.0K] LICENSE
└── [2.2K] README.md

1 directory, 8 files