michalbednarski / ReparcelBug

CVE-2017-0806 PoC (Android GateKeeperResponse writeToParcel/createFromParcel mismatch)

More info about system activity #2

Open Xiro28 opened 4 months ago

Xiro28 commented 4 months ago

Hello,

I'm a master's student at UNICAL. I was wondering if it was possible to start user-crafted activities with system privileges so I can use it to inject a payload (I have to play a little bit with the face recognition). I'm asking this due to an exam project whose topic is hacking devices (my device is a Nexus 5 with Android 6.0.1).

Thanks!

michalbednarski commented 4 months ago

As noted elsewhere, by "start Activity as system" I mean having system perform startActivity(attackerControlledIntent), not that the launched Activity will be running as anything other than it'd usually run.

Since your test device is quite old, chances are you'd be able to find an existing exploit that it is vulnerable to, although I haven't looked.

If you'd like to try writing an exploit allowing loading your Java code into some other app on that device, I'd suggest CVE-2016-3912 (bulletin, patch) (according to the factory image your device should be vulnerable, although you should check by decompiling services.jar and comparing it against the patch). I believe exploiting that bug won't be too hard (although definitely not trivial).

As an aside, since you're targeting an old Android version, LaunchAnywhere bugs may perform Uri Grants, something that was later disallowed in Android 8.0.

Xiro28 commented 4 months ago

Thank you so much for that explanation, I'll try with Uri grants since my goal is to access system data (I have to bypass 2D face recognition, so my first idea was to patch the FULFaceLockUtil from com.google.facelock in RAM). But now I'm thinking of replacing the facelock.gal with the attacker's one or something similar to that.

The vulnerability that you provided is a really nice one, but since I wanted to explain how the parcel bug still persists on Android 13/14 (in a different way, but it's almost the same component), I think I'll stick with the Uri grants.