    CVE-2023-20963 | 14 min read | mhfh research | 2023-04-02

    WorkSource Parcel Mismatch — Android In-the-Wild LPE

    Dissecting the parcel/unparcel mismatch abused by commercial spyware. Building a reliable exploit against Android 11–13.


    Overview

    CVE-2023-20963 exploits an asymmetric writeToParcel / readFromParcel in WorkSource to smuggle attacker-controlled bytes into a privileged process.

    Trigger

    import android.os.Parcel;
    import android.os.WorkSource;

    Parcel p = Parcel.obtain();
    Parcel p2 = Parcel.obtain();     // destination parcel (was undeclared in the snippet)
    WorkSource ws = new WorkSource();
    p.writeInt(0x1337);              // attacker-chosen value
    p.setDataPosition(0);            // rewind so the read starts at the bytes just written
    ws.readFromParcel(p);            // consumes fewer bytes than writeToParcel will emit
    ws.writeToParcel(p2, 0);         // re-serialises with the mismatched layout

    Field overlap

    Because the read consumes fewer bytes than the write produces, the next field in the IPC payload is partially attacker-controlled. We use this to overlap a Bundle key parser and reach a deserialization gadget in system_server.
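    The consequence described above, modelled as an added example that is not code from the original post or from AOSP: a Python stand-in for Parcel and a WorkSource-like Parcelable whose write path emits one more field than its read path consumes, next to the round-trip check a reviewer would add as a unit test to catch exactly this kind of mismatch. `Parcel`, `AsymmetricWorkSource`, `FixedWorkSource` and `roundtrip_mismatch` are constructed names; the field layout is illustrative, not the real WorkSource format.

```python
import struct

class Parcel:
    """Minimal model of android.os.Parcel: little-endian int32s, length-prefixed arrays, read cursor."""
    def __init__(self):
        self.buf, self.pos = bytearray(), 0
    def write_int(self, v):
        self.buf += struct.pack("<i", v)
    def read_int(self):
        (v,) = struct.unpack_from("<i", self.buf, self.pos)
        self.pos += 4
        return v
    def write_int_array(self, arr):
        self.write_int(len(arr))
        for v in arr:
            self.write_int(v)
    def read_int_array(self):
        return [self.read_int() for _ in range(self.read_int())]

class AsymmetricWorkSource:
    """Constructed stand-in (not AOSP code): the write path emits a trailing field
    that the read path never consumes, the shape of bug described above."""
    def __init__(self, uids=()):
        self.uids = list(uids)
    def write_to_parcel(self, p):
        p.write_int(len(self.uids))
        p.write_int_array(self.uids)
        p.write_int(-1)                 # trailing "chain count", written but never read back
    def read_from_parcel(self, p):
        p.read_int()                    # num
        self.uids = p.read_int_array()  # reader stops here: 4 bytes of this object remain

class FixedWorkSource(AsymmetricWorkSource):
    def read_from_parcel(self, p):
        super().read_from_parcel(p)
        p.read_int()                    # symmetric: consume the trailing field too

def roundtrip_mismatch(cls, uids, next_field=0x1337):
    """Reviewer's unit check: serialise, deserialise, return (leftover_bytes, value_seen_by_next_parser).
    A non-zero leftover means the next field in the payload is parsed from this object's bytes."""
    p = Parcel()
    cls(uids).write_to_parcel(p)
    end_of_obj = len(p.buf)
    p.write_int(next_field)             # unrelated field that follows in the same IPC payload
    cls().read_from_parcel(p)
    return end_of_obj - p.pos, p.read_int()
```

    Running the check over every Parcelable in a code base (write, read back, assert that the cursor lands exactly on the end of the object) is the cheapest way to catch parcel/unparcel mismatches before they reach a privileged process.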

    Mitigation

    Apply the March 2023 Android security patch level or later.

    #Android #LPE #Parcel