In July 2024, Google engaged Calif to audit Android Automotive OS (AAOS) and Android Auto. The former is an infotainment platform built into your car. The latter is an Android system app that lets you use your phone's apps on your car's display.
This blog post, shared with Google’s permission, details an arbitrary code execution vulnerability (CVE-2024-10382) discovered in the Jetpack Car App Library during the audit.
Impact
This vulnerability allows for local privilege escalation on Android. An attacker must first install a malicious app with limited privileges on the target device. This malicious app can then exploit the vulnerable Jetpack Car App Library within other high-privileged apps. For instance, an app without message reading permissions could gain this access by exploiting the vulnerability.
The impact is significant due to the widespread use of the Jetpack Car App Library across numerous system apps and the Android Automotive platform. Successful exploitation could grant attackers complete control over affected apps and potentially the underlying system.
Jetpack Car App Library versions 1.4.0 and 1.7.0-beta2 are confirmed to be vulnerable. Any Android app exporting a CarAppService is also potentially vulnerable, including:
Remediation
App developers: Update to Jetpack Car App Library version 1.7.0-beta03 or later.
Android users: Update all affected apps to their latest versions.
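As an added example (not code from the advisory, from Calif, or from the library), a small Python audit script that flags Jetpack Car App Library artifacts resolved below 1.7.0-beta03 in a `gradle dependencies` report. It assumes the `androidx.car.app` Maven group covers the library's artifacts and, conservatively, treats every version older than the fix as affected, not only the two versions the advisory confirms.

```python
import re

# Fixed version from the advisory. Assumption: every older version is treated
# as affected, which is deliberately conservative.
FIXED_VERSION = "1.7.0-beta03"

# Pre-release qualifiers from least to most mature; a final release (no
# qualifier) sorts above all of them.
QUALIFIER_RANK = {"alpha": 0, "beta": 1, "rc": 2}

def parse_version(version: str):
    """Turn '1.7.0-beta03' into a sortable tuple ((1, 7, 0), 1, 3);
    a final release such as '1.4.0' becomes ((1, 4, 0), 3, 0)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-(alpha|beta|rc)(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version: {version}")
    numbers = tuple(int(p) for p in m.group(1).split("."))
    if m.group(2) is None:
        return (numbers, 3, 0)
    return (numbers, QUALIFIER_RANK[m.group(2)], int(m.group(3)))

def is_affected(version: str) -> bool:
    return parse_version(version) < parse_version(FIXED_VERSION)

# One resolved dependency line of a `gradle :app:dependencies` report, e.g.
# "+--- androidx.car.app:app:1.4.0 -> 1.7.0-beta02"; the androidx.car.app
# group name is assumed to cover all Car App Library artifacts.
DEP_LINE = re.compile(r"androidx\.car\.app:([\w-]+):(\S+)(?:\s+->\s+(\S+))?")

def find_affected(dependency_report: str) -> list:
    """Return (artifact, resolved_version) pairs still below the fix."""
    hits = []
    for line in dependency_report.splitlines():
        m = DEP_LINE.search(line)
        if not m:
            continue
        resolved = m.group(3) or m.group(2)  # prefer the resolved version
        if is_affected(resolved):
            hits.append((m.group(1), resolved))
    return hits

# Constructed sample report, not output from any real project.
SAMPLE_REPORT = """\
+--- androidx.car.app:app:1.4.0
+--- androidx.car.app:app:1.7.0-beta02 -> 1.7.0-beta02
+--- androidx.car.app:app-automotive:1.7.0-beta02
\\--- androidx.car.app:app:1.4.0 -> 1.7.0-beta03
"""
```

Calling `find_affected(SAMPLE_REPORT)` reports the three entries still resolved below the fix; only the last line, where Gradle resolved 1.4.0 up to 1.7.0-beta03, passes.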
Proof of concepts
Three PoCs were developed to showcase the exploitability of this vulnerability.
PoC 1: Google Automotive App Host
This PoC demonstrates a malicious app compromising Google Automotive App Host and executing a sleep command.
PoC 2: YouTube Music
This PoC showcases a malicious app compromising YouTube Music, establishing a reverse shell, and exfiltrating sensitive app data.
PoC 3: Android Auto
This PoC illustrates a malicious app compromising Android Auto and creating a reverse shell.
Vulnerability details
The vulnerability lies within the deserialization logic of CarAppService, a component of the Jetpack Car App Library that allows developers to create car applications. This logic enables the construction of arbitrary Java classes, potentially leading to remote code execution (RCE) when coupled with specific deserialization gadgets.
A future blog post will delve deeper into the technical aspects of the vulnerability and its exploitation.
Disclosure timeline
Sep 24, 2024: Calif reported the vulnerability to Google (https://issuetracker.google.com/issues/369441755).
Nov 13, 2024: Google released Jetpack Car App Library 1.7.0-beta03 to address the vulnerability.
Nov 20, 2024: CVE-2024-10382 was assigned and publicly disclosed.
Dec 10, 2024: Calif requested permission to publish this blog post.
Dec 18, 2024: Google granted Calif permission to publish the blog post.
Jan 10, 2024: This blog post was made public.
Amazing work, Calif!!!