## https://sploitus.com/exploit?id=375FFD74-4E7A-5B93-BC2D-3258DF1A422B
# Exploration of CVE-2024-31317
CVE-2024-31317 provides unprivileged access to any uid and SELinux context available to regular Android apps. This includes uid 1000 (`system`) and uid 2000 (`shell`), and it can be triggered entirely from an unprivileged app, so any functionality built on it can be made persistent.
- [Explanation](explanation.md)
- [Zygote Arguments](arguments.md)
- [Emulator Setup](./emulator/)
## Availability
This exploit should apply to most Android 9+ builds [prior to the June 2024 security patch](https://source.android.com/docs/security/bulletin/2024-06-01). Some vendors may have cherry-picked this change into older versions. Specifically, this means Android 9-14 with a security patch level of 2024-06-01 or lower.
The vulnerability is trivial for Android versions 11 and below. See [the attached sources](#sources) for implementation instructions on pre-12 versions.
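For fleet or device triage, the affected range above can be encoded as a simple patch-level check. The following script is an added example, not part of the original repository: it takes the values of the two standard Android build properties `ro.build.version.release` and `ro.build.version.security_patch` (as read with `adb shell getprop`) and classifies the build. It assumes, as in the linked bulletin, that 2024-06-01 is the patch level carrying the fix, so a device at that level or newer is reported as not affected.

```sh
#!/bin/sh
# Added example (not the repository's own code): classify an Android build against
# the range the README states as affected (Android 9-14, patch level before the
# June 2024 bulletin). Assumption: 2024-06-01 is the fixing patch level.

# cve_2024_31317_affected RELEASE PATCH
#   RELEASE: ro.build.version.release, e.g. "13" or "12L"
#   PATCH:   ro.build.version.security_patch, e.g. "2024-05-01"
# Prints affected | not-affected | unknown.
# Exit status: 0 = affected, 1 = not affected, 2 = could not determine.
cve_2024_31317_affected() {
    release="$1"
    patch="$2"

    # Keep only the leading major version ("12L" -> 12). Codenames or an empty
    # value cannot be classified.
    major=$(printf '%s' "$release" | sed -n 's/^\([0-9][0-9]*\).*/\1/p')
    if [ -z "$major" ]; then
        echo unknown
        return 2
    fi

    # The patch level must be YYYY-MM-DD; some builds do not report it at all.
    case "$patch" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return 2 ;;
    esac

    # The README only claims Android 9-14; leave other releases unflagged.
    if [ "$major" -lt 9 ] || [ "$major" -gt 14 ]; then
        echo not-affected
        return 1
    fi

    # Compare dates as integers: "2024-05-01" -> 20240501. Because vendors may
    # backport fixes, "affected" means "inside the stated range", not "proven vulnerable".
    patch_num=$(printf '%s' "$patch" | sed 's/-//g')
    if [ "$patch_num" -lt 20240601 ]; then
        echo affected
        return 0
    fi
    echo not-affected
    return 1
}

# Usage against a connected device (adb on PATH, USB debugging enabled);
# tr strips the CR that adb shell appends on some hosts:
#   cve_2024_31317_affected \
#       "$(adb shell getprop ro.build.version.release | tr -d '\r')" \
#       "$(adb shell getprop ro.build.version.security_patch | tr -d '\r')"
```

The check deliberately returns `unknown` rather than guessing when either property is missing or malformed, so a scripted inventory can separate "needs manual review" from "in range".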
## Derived Access
`shell` privilege should be the same as access directly via `adb shell`. `system` privilege is less clear-cut. [@oddbyte](https://github.com/oddbyte) is [maintaining a list](https://github.com/oddbyte/android-system) of available `system` access, specifically relating to this vulnerability. The default property-context permissions are listed in [`property_contexts`](https://android.googlesource.com/platform/system/sepolicy/+/main/private/property_contexts) and [`system_app.te`](https://android.googlesource.com/platform/system/sepolicy/+/main/private/system_app.te).
## Sources
This research has been based heavily on the following sources and the Android source code itself:
- [Becoming any Android app via Zygote command injection (Meta)](https://rtx.meta.security/exploitation/2024/06/03/Android-Zygote-injection.html)
- Unsure which is the original:
  - [The Return of Mystique?... (dawnslab)](https://dawnslab.jd.com/the_return_of_mystique)
  - [The Return of Mystique?... (Flanker Sky)](https://blog.flanker017.me/cve-2024-31317/)
- [Gist and discussion (rabits)](https://gist.github.com/rabits/ecae96c256cb25726b2bb92c73f9c081)
- [Gist and discussion (ybtag)](https://gist.github.com/ybtag/db3f3595139556c773fb94b7cbe668b5)
- [Exploit demonstration app](https://github.com/oddbyte/CVE-2024-31317)