NOTE: We will be adding a series of new research articles ranging from IoT, mobile and desktop exploits and/or vulnerabilities discovered over the last year to this section in the coming months!
Check back often!
Below you can review and download our latest 26 page case study, which analyzes the TRUE financial impacts (and beyond) of cybersecurity incidents on businesses, large and small, and the importance of having a proactive security posture.
CVE-2023-30731 is a critical vulnerability in Samsung's fork of AOSP, OneUI, discovered by security researcher Cody "K0mraid" Stobaugh in 2023. This vulnerability allows an attacker with physical access to install an application with a different build type than the one the device is currently running. This lets the attacker install malicious packages that could lead to local root access on the device, sensitive data exposure, keylogging, hidden call recording, and control of the device at a firmware level that is normally only accessible to engineers or on development devices.
This was validated by installing non-production packages, which was possible by exploiting a vulnerability present on Samsung Android devices pre-2024 in how they handle package installations and package signatures. The vulnerability itself lies in one of Samsung's proprietary security control systems, AASA/ASKS.
Samsung has released a patch for the vulnerability in the October 2023 security maintenance release.
Links
Samsung Security Blog
NVD
NO PoC PUBLICLY RELEASED
--K0mraid
Way back in 2019, a vulnerability that would come to be known as "CVE-2019-16253" was found that affected Samsung's TTS (Text-To-Speech) engine in versions prior to 3.0.02.7. This exploit allowed a local attacker to escalate to system privileges and was later patched by Samsung.
Essentially, Samsung's TTS application, which runs with "u:r:system_app:s0" SELinux context, would blindly accept any data that it received from the TTS engine. You can pass the TTS engine a library that will then be given to the TTS application, which in turn will then load that library and execute it with system privileges under UID 1000, which is "System" on Android. This was later patched so that the TTS app would supposedly verify the data coming from the engine, and the version installed, closing this particular loophole.
However, with Android 10, Google introduced a new suite of debugging tools, one of which was the ability to roll back an application by installing it with the ENABLE_ROLLBACK parameter. This allows the user to revert a version of an app installed on the device to a previous version of the app, including versions that were lower than what shipped with the device(s). I believe an oversight has allowed this to extend to Samsung's text-to-speech application, as well as any other application on Android 10-12 devices currently in the wild.
The root of this kill chain comes back to the '-d' flag added to the package-manager command when installing an application from ADB. It should only work for debuggable apps; however, it was found to work for production applications as well, and that is what allowed the TTS app to be forcefully downgraded.
In other words, while the TTS exploit from 2019 was fixed and an updated version of the TTS app was distributed, the AOSP Package Manager flaw is what allowed me to revive the 2019 exploit via Lockheed Martin's "Kill-Chain" methodology. My research spurred multiple variants and spin-offs that install and exploit this flaw on devices released three (and perhaps four) years later, and sparked intense research into AOSP's package manager, leading to questions about how many past exploits are revivable.
In March of 2023, Samsung released a patch for the exploit; however, I was able to quickly find a workaround for the March Samsung patch, and this too has since been reported and patched, concluding the one-and-a-half-year saga of the infamous "TTS System Shell".
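The downgrade step described above leaves a fingerprint on the device: the active copy of a system app in /data carries a lower versionCode than the factory copy that still sits in the system image. The following is an added defensive audit example, not code from the original write-up or from Samsung; it parses the output of `adb shell dumpsys package <pkg>` and flags a package that has been rolled back below its factory version or below the first patched TTS version (3.0.02.7) named in the write-up. The package name `com.example.tts`, the version numbers and the dumpsys sample are constructed for illustration, and the exact dumpsys layout (a "Hidden system packages:" section holding the factory record) is an assumption about the format rather than something the write-up states.

```python
import re

# Constructed sample of `adb shell dumpsys package <pkg>` output. Package name,
# hashes and versions are invented; the layout (active record first, factory copy
# under "Hidden system packages:") is assumed, not taken from the write-up.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.tts] (a1b2c3):
    userId=10042
    codePath=/data/app/~~abc/com.example.tts-1
    versionCode=300020006 minSdk=26 targetSdk=28
    versionName=3.0.02.6
    flags=[ SYSTEM HAS_CODE ALLOW_CLEAR_USER_DATA ]

Hidden system packages:
  Package [com.example.tts] (d4e5f6):
    userId=10042
    codePath=/system/app/ExampleTTS
    versionCode=300020008 minSdk=26 targetSdk=29
    versionName=3.0.02.8
"""

# Same layout, but the active copy is the factory copy and nothing was downgraded.
SAMPLE_CLEAN = """\
Packages:
  Package [com.example.tts] (d4e5f6):
    codePath=/system/app/ExampleTTS
    versionCode=300020008 minSdk=26 targetSdk=29
    versionName=3.0.02.8
"""

# First TTS version the write-up names as fixed for CVE-2019-16253.
PATCHED_TTS_VERSION = "3.0.02.7"


def parse_version(version_name):
    """Turn a dotted versionName such as '3.0.02.7' into a comparable int tuple."""
    return tuple(int(part) for part in version_name.split("."))


def parse_dumpsys(text):
    """Extract versionCode/versionName for the active record and, if present,
    the factory record listed under 'Hidden system packages:'."""
    records = {}
    current = "active"
    for line in text.splitlines():
        if line.strip() == "Hidden system packages:":
            current = "hidden_system"
            continue
        m = re.match(r"\s*versionCode=(\d+)", line)
        if m:
            records.setdefault(current, {})["versionCode"] = int(m.group(1))
            continue
        m = re.match(r"\s*versionName=(\S+)", line)
        if m:
            records.setdefault(current, {})["versionName"] = m.group(1)
    return records


def audit_package(dumpsys_text, min_safe_version):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    records = parse_dumpsys(dumpsys_text)
    active = records.get("active", {})
    factory = records.get("hidden_system")
    findings = []

    # A factory copy with a higher versionCode than the active one means the
    # active APK was installed over it with a lower version, i.e. a downgrade.
    if factory and active.get("versionCode", 0) < factory.get("versionCode", 0):
        findings.append(
            "downgraded: active versionCode %d is below factory versionCode %d"
            % (active["versionCode"], factory["versionCode"])
        )

    # Independently of how it got there, an installed version older than the
    # first patched release is still exposed to the original bug.
    if "versionName" in active and parse_version(active["versionName"]) < parse_version(min_safe_version):
        findings.append(
            "vulnerable: versionName %s is older than patched %s"
            % (active["versionName"], min_safe_version)
        )
    return findings


if __name__ == "__main__":
    for finding in audit_package(SAMPLE_DUMPSYS, PATCHED_TTS_VERSION):
        print(finding)
```

In practice you would feed the script real output, for example `adb shell dumpsys package com.example.tts` captured to a file, and run the audit across every package flagged SYSTEM; a system app whose active versionCode sits below its hidden factory record has been downgraded by something, which is exactly the condition the rollback step relies on.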
Links
Link to PoC on GitHub
--K0mraid
COMING SOON!
I haven't had time to get this one written out, will get it done ASAP!
No ETA yet, sorry.
Links
Google Issue Tracker / Buganizer
--K0mraid