In onCreate of KeyChainActivity.java, there is a possible way to use an app certificate stored in keychain due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.
{
"fixes": [
"https://android.googlesource.com/platform/packages/apps/KeyChain/+/cdca35442c767d64f6d0db4af438a3856263857a",
"https://android.googlesource.com/platform/packages/apps/KeyChain/+/42d5b5ec58893e5f7f7d3bcc4a1e069aab3481b6"
],
"spl": "2021-12-01",
"types": [
"EoP"
],
"vanir_signatures": [
{
"id": "ASB-A-199754277-01442b80",
"target": {
"function": "onCreate",
"file": "src/com/android/keychain/KeyChainActivity.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/packages/apps/KeyChain/+/cdca35442c767d64f6d0db4af438a3856263857a",
"signature_type": "Function",
"digest": {
"function_hash": "150779138925376225849993218317483860163",
"length": 229.0
},
"deprecated": false
},
{
"digest": {
"line_hashes": [
"303597175863065157596178365770904233588",
"48256645860803694307132140820223977274",
"217809699249745623648040710182897893395",
"125037849551146727792591082922861769984",
"326674869829824742598621061880651146141",
"74405704416687296925880408315642770338",
"153275313607274137358411093416341818351"
],
"threshold": 0.9
},
"target": {
"file": "src/com/android/keychain/KeyChainActivity.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/packages/apps/KeyChain/+/cdca35442c767d64f6d0db4af438a3856263857a",
"signature_type": "Line",
"id": "ASB-A-199754277-2f71314e",
"deprecated": false
},
{
"id": "ASB-A-199754277-38371cc6",
"target": {
"function": "displayCertChooserDialog",
"file": "src/com/android/keychain/KeyChainActivity.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/packages/apps/KeyChain/+/42d5b5ec58893e5f7f7d3bcc4a1e069aab3481b6",
"signature_type": "Function",
"digest": {
"function_hash": "136996276653729503400298582803212933472",
"length": 3204.0
},
"deprecated": false
},
{
"id": "ASB-A-199754277-f933ea8f",
"target": {
"file": "src/com/android/keychain/KeyChainActivity.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/packages/apps/KeyChain/+/42d5b5ec58893e5f7f7d3bcc4a1e069aab3481b6",
"signature_type": "Line",
"digest": {
"line_hashes": [
"135855190934219119756034388740564437399",
"235540904095868242127131780153901629847",
"259238752188879198495785490080792033447",
"142819830997902240228446618298227373261"
],
"threshold": 0.9
},
"deprecated": false
}
],
"severity": "High"
}{
"spl": "2021-12-01",
"vanir_signatures": [
{
"id": "ASB-A-199754277-0f35481e",
"target": {
"file": "src/com/android/keychain/KeyChainActivity.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/packages/apps/KeyChain/+/7771b58966715ef430f5cb6d81344192ab6d258f",
"signature_type": "Line",
"digest": {
"line_hashes": [
"303597175863065157596178365770904233588",
"48256645860803694307132140820223977274",
"217809699249745623648040710182897893395",
"149797091561683545734968523231355275794",
"59096776248267728189978126642021086297",
"223171761866261416097529983750924596398"
],
"threshold": 0.9
},
"deprecated": false
},
{
"id": "ASB-A-199754277-a0ed1fb2",
"target": {
"file": "src/com/android/keychain/KeyChainActivity.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/packages/apps/KeyChain/+/2b7ea9710d2069f9768cc3c2350df74b60f9ecbf",
"signature_type": "Line",
"digest": {
"line_hashes": [
"135855190934219119756034388740564437399",
"235540904095868242127131780153901629847",
"259238752188879198495785490080792033447",
"142819830997902240228446618298227373261"
],
"threshold": 0.9
},
"deprecated": false
},
{
"id": "ASB-A-199754277-c5fb9d5c",
"target": {
"function": "displayCertChooserDialog",
"file": "src/com/android/keychain/KeyChainActivity.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/packages/apps/KeyChain/+/2b7ea9710d2069f9768cc3c2350df74b60f9ecbf",
"signature_type": "Function",
"digest": {
"function_hash": "73505772937041119365331112705127743616",
"length": 2980.0
},
"deprecated": false
}
],
"types": [
"EoP"
],
"fixes": [
"https://android.googlesource.com/platform/packages/apps/KeyChain/+/7771b58966715ef430f5cb6d81344192ab6d258f",
"https://android.googlesource.com/platform/packages/apps/KeyChain/+/2b7ea9710d2069f9768cc3c2350df74b60f9ecbf"
],
"severity": "High"
}{
"fixes": [
"https://android.googlesource.com/platform/packages/apps/KeyChain/+/3de513868e45f022fce83d738032fc69b8c6b0f5",
"https://android.googlesource.com/platform/packages/apps/KeyChain/+/90c6182ef5933ec69383115e2703a177a0c5929b"
],
"spl": "2021-12-01",
"types": [
"EoP"
],
"vanir_signatures": [
{
"id": "ASB-A-199754277-1019e4a8",
"target": {
"function": "displayCertChooserDialog",
"file": "src/com/android/keychain/KeyChainActivity.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/packages/apps/KeyChain/+/90c6182ef5933ec69383115e2703a177a0c5929b",
"signature_type": "Function",
"digest": {
"function_hash": "203824814824031038019991900579206230944",
"length": 3011.0
},
"deprecated": false
},
{
"id": "ASB-A-199754277-1024affc",
"target": {
"file": "src/com/android/keychain/KeyChainActivity.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/packages/apps/KeyChain/+/90c6182ef5933ec69383115e2703a177a0c5929b",
"signature_type": "Line",
"digest": {
"line_hashes": [
"135855190934219119756034388740564437399",
"235540904095868242127131780153901629847",
"259238752188879198495785490080792033447",
"142819830997902240228446618298227373261"
],
"threshold": 0.9
},
"deprecated": false
},
{
"id": "ASB-A-199754277-184c19c6",
"target": {
"file": "src/com/android/keychain/KeyChainActivity.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/packages/apps/KeyChain/+/3de513868e45f022fce83d738032fc69b8c6b0f5",
"signature_type": "Line",
"digest": {
"line_hashes": [
"128691875263131775220820109058442280430",
"168206557357049122735330899459189004701",
"41045489127893675357598209381160343343",
"59364463441045711836603236181276549075",
"273197236036770507062995719670167860476",
"48256645860803694307132140820223977274",
"219824241320010701138802366041289464563",
"24326035824782186584841896781093620413",
"180873309683049572042491718958890115237",
"244121184130991112938393343813406232222"
],
"threshold": 0.9
},
"deprecated": false
}
],
"severity": "High"
}{
"vanir_signatures": [
{
"id": "ASB-A-199754277-231b5806",
"target": {
"file": "src/com/android/keychain/KeyChainActivity.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/packages/apps/KeyChain/+/d2c543f9670ce4c6abc27fdc47d730b0c532d9fb",
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"208145163328167472748897027555711714882",
"30674088855709114898709890290627615336",
"254801975279325279560290300634665894950",
"196498049348011577982911759103546494316",
"56162162265642485860413942937486547499",
"100392728771381320547015046049976835169",
"106258610578275625944997385992487392222"
]
},
"deprecated": false
},
{
"id": "ASB-A-199754277-b9e6c704",
"target": {
"function": "displayCertChooserDialog",
"file": "src/com/android/keychain/KeyChainActivity.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/packages/apps/KeyChain/+/0b90da9e52f53d089d34a895256f048729b36661",
"signature_type": "Function",
"digest": {
"function_hash": "118549816647082231951580483889162385421",
"length": 2776.0
},
"deprecated": false
},
{
"id": "ASB-A-199754277-c2ca4d46",
"target": {
"file": "src/com/android/keychain/KeyChainActivity.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/packages/apps/KeyChain/+/0b90da9e52f53d089d34a895256f048729b36661",
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"135855190934219119756034388740564437399",
"235540904095868242127131780153901629847",
"259238752188879198495785490080792033447",
"111842385937988146741835959770460073843"
]
},
"deprecated": false
},
{
"id": "ASB-A-199754277-dca04a64",
"target": {
"function": "onCreate",
"file": "src/com/android/keychain/KeyChainActivity.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/packages/apps/KeyChain/+/d2c543f9670ce4c6abc27fdc47d730b0c532d9fb",
"signature_type": "Function",
"digest": {
"function_hash": "71065350424441331116573748980346557509",
"length": 109.0
},
"deprecated": false
}
],
"fixes": [
"https://android.googlesource.com/platform/packages/apps/KeyChain/+/d2c543f9670ce4c6abc27fdc47d730b0c532d9fb",
"https://android.googlesource.com/platform/packages/apps/KeyChain/+/0b90da9e52f53d089d34a895256f048729b36661"
],
"types": [
"EoP"
],
"spl": "2021-12-01",
"severity": "High"
}