    CVE-2023-20963 · 14 min · mhfh research · 2023-04-02

    WorkSource Parcel Mismatch — Android In-the-Wild LPE

    Dissecting the parcel/unparcel mismatch abused by commercial spyware. Building a reliable exploit against Android 11–13.

    #Android #LPE #Parcel

    Overview

    CVE-2023-20963 is a parcel mismatch in android.os.WorkSource: writeToParcel and the read path disagree about the layout of a serialized WorkSource, so bytes emitted by the writer are consumed as later fields by the reader. Because a WorkSource travels inside Bundles that privileged processes unparcel and re-parcel, an unprivileged app can use the mismatch to smuggle attacker-controlled bytes into a privileged process.

    Trigger

    $cat snippet.java
    import android.os.Parcel;
    import android.os.WorkSource;

    Parcel p = Parcel.obtain();
    p.writeInt(0x1337);              // attacker-chosen bytes, not a layout the write path would produce
    p.setDataPosition(0);            // rewind: reads start at the current data position, not at 0
    WorkSource ws = WorkSource.CREATOR.createFromParcel(p);   // the asymmetric read path
    Parcel p2 = Parcel.obtain();
    ws.writeToParcel(p2, 0);         // the write path emits a different layout than was consumed

    Field overlap

    Because the read consumes fewer bytes than the write produces, every field that follows the WorkSource in the stream is reinterpreted at a shifted offset once a privileged process unparcels and re-parcels the containing Bundle: the next field the receiver sees is partially attacker-controlled. We use this to overlap a Bundle key parser and reach a deserialization gadget in system_server.
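A runnable model of that mechanism, added here as an illustration and not code from this post or from AOSP. Parcel, the Bundle layout and the LeakySource class below are simplified Python constructions: only the count / key / type-tag / value layout and the tag numbers VAL_STRING=0, VAL_INTEGER=1, VAL_PARCELABLE=4 are taken from android.os.Parcel; the string encoding, the key names and the attacker / privileged relay / receiver scenario are made up. LeakySource's write path emits two ints while its read path consumes one, so an honest round trip already loses the next key, and a hand-built stream that the relay parses as keys ws, nice, yes re-serializes into one the receiver parses as ws, "", root.

```python
# Added example, not code from the original post and not android.os.Parcel.
# Tag numbers follow android.os.Parcel (VAL_STRING=0, VAL_INTEGER=1,
# VAL_PARCELABLE=4); everything else is a constructed model.
import struct

VAL_STRING, VAL_INTEGER, VAL_PARCELABLE = 0, 1, 4


class Parcel:
    """Minimal little-endian parcel: ints are 4 bytes, strings are length-prefixed and padded to 4."""
    def __init__(self, data=b""):
        self.data = bytearray(data)
        self.pos = 0

    def write_int(self, v):
        self.data += struct.pack("<i", v)

    def read_int(self):
        (v,) = struct.unpack_from("<i", self.data, self.pos)
        self.pos += 4
        return v

    def write_str(self, s):
        b = s.encode("latin-1")
        self.write_int(len(b))
        self.data += b + b"\0" * (-len(b) % 4)

    def read_str(self):
        n = self.read_int()
        s = bytes(self.data[self.pos:self.pos + n]).decode("latin-1")
        self.pos += n + (-n % 4)
        return s


class LeakySource:
    """Models the WorkSource asymmetry: the write path emits two ints, the read path consumes one."""
    def __init__(self, uid, flags=0):
        self.uid, self.flags = uid, flags

    def write_to_parcel(self, p):          # 8 bytes out
        p.write_int(self.uid)
        p.write_int(self.flags)

    @classmethod
    def create_from_parcel(cls, p):        # only 4 bytes in; flags silently defaults to 0
        return cls(p.read_int())


def write_bundle(p, items):
    """items: list of (key, tag, value) in Bundle order."""
    p.write_int(len(items))
    for key, tag, val in items:
        p.write_str(key)
        p.write_int(tag)
        if tag == VAL_INTEGER:
            p.write_int(val)
        elif tag == VAL_STRING:
            p.write_str(val)
        elif tag == VAL_PARCELABLE:
            val.write_to_parcel(p)
        else:
            raise ValueError(tag)


def read_bundle(p):
    items = []
    for _ in range(p.read_int()):
        key = p.read_str()
        tag = p.read_int()
        if tag == VAL_INTEGER:
            val = p.read_int()
        elif tag == VAL_STRING:
            val = p.read_str()
        elif tag == VAL_PARCELABLE:
            val = LeakySource.create_from_parcel(p)
        else:
            raise ValueError(f"bad tag {tag} at offset {p.pos}")
        items.append((key, tag, val))
    return items


def desync_demo():
    """Honest write path followed by the read path: the unread flags int becomes the next key's length."""
    p = Parcel()
    write_bundle(p, [("ws", VAL_PARCELABLE, LeakySource(1000, flags=7)),
                     ("role", VAL_STRING, "user")])
    p.pos = 0
    return [k for k, _, _ in read_bundle(p)]


def craft_attacker_bytes():
    """Hand-built stream (constructed): parses cleanly once, but re-serializing it shifts every later field by 4 bytes."""
    p = Parcel()
    p.write_int(3)
    p.write_str("ws");   p.write_int(VAL_PARCELABLE); p.write_int(1000)   # no flags int: the read never consumes one
    p.write_str("nice"); p.write_int(VAL_PARCELABLE); p.data += b"root"  # uid bytes double as the hidden key
    p.write_str("yes");  p.write_int(VAL_INTEGER);    p.write_int(0)
    return bytes(p.data)


def checker_forward(raw):
    """Privileged relay: parse, refuse the dangerous key, re-serialize for the receiver."""
    items = read_bundle(Parcel(raw))
    if any(k == "root" for k, _, _ in items):
        raise PermissionError("root key rejected")
    out = Parcel()
    write_bundle(out, items)
    return bytes(out.data)


def keys_of(raw):
    return [k for k, _, _ in read_bundle(Parcel(raw))]


def value_of(raw, key):
    return next((v for k, _, v in read_bundle(Parcel(raw)) if k == key), None)


if __name__ == "__main__":
    raw = craft_attacker_bytes()
    print("honest round trip sees keys:", desync_demo())
    print("relay saw:", keys_of(raw))
    print("receiver saw:", keys_of(checker_forward(raw)))
```

The 4 bytes the relay adds on re-serialization (the default flags) are what shift every later field; in this toy layout the hidden key is exactly 4 bytes long because the receiver reads its length from the re-parsed VAL_PARCELABLE tag. Making create_from_parcel consume the flags int as well keeps both views identical, which is what a symmetric parcelable guarantees and what the fix restores.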

    Mitigation

    Android security patch level 2023-03-01 or later (March 2023 Android Security Bulletin, which lists CVE-2023-20963 under Framework for Android 11, 12, 12L and 13). The fix is in the framework, so there is no app-side workaround; check a device with `adb shell getprop ro.build.version.security_patch`.