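In onResume of AppManagementFragment.java (Settings app, src/com/android/settings/vpn2), improper input validation makes it possible to prevent a user from forgetting (removing) a previously connected VPN. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. The records below list the Vanir signatures and the upstream fix commits for this issue; each record carries security patch level (spl) 2023-06-01.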
{ "types": [ "EoP" ], "severity": "High", "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "336100995050413396604471046648600747849", "233882185629320992900811583433312763653", "169475600195102551663482568947621592996", "138976026468197361305544239673336673748", "65722198661626460178036131866155434626", "146502439951923890752064417977749965207", "10489224675326360169937944298108627188", "320286596383278763278850603948381854077", "39382189436603757696375603499394713214", "160958246367428725531599932442622386403", "263165266821543551694449496447563157168", "315783981943385040222749311193035456925", "312571804431002265272936749576775009138", "104444946036314211310406435294382749482", "124353133627749518534529019590134664639", "144387863575053294813869966197099787824", "307470470953315320748151102485094306132", "128565645273646527655933501064344012106", "36865207056263286051620466905085997709", "55667397478318779775218318655419813694", "40285273992944341741454608899694859150", "121400873625339409260913546196572036600" ] }, "id": "ASB-A-205460459-66a87eb0", "source": "https://android.googlesource.com/platform/packages/apps/Settings/+/144f295d7aa66bae8556ba030553a49615eab0b2", "deprecated": false, "signature_version": "v1", "signature_type": "Line", "target": { "file": "src/com/android/settings/vpn2/AppManagementFragment.java" } }, { "digest": { "function_hash": "158236566380373166559928339748576547146", "length": 244.0 }, "id": "ASB-A-205460459-8392d31e", "source": "https://android.googlesource.com/platform/packages/apps/Settings/+/144f295d7aa66bae8556ba030553a49615eab0b2", "deprecated": false, "signature_version": "v1", "signature_type": "Function", "target": { "file": "src/com/android/settings/vpn2/AppManagementFragment.java", "function": "onResume" } }, { "digest": { "function_hash": "251843551499729755438027679969059996354", "length": 641.0 }, "id": "ASB-A-205460459-ce648294", "source": 
"https://android.googlesource.com/platform/packages/apps/Settings/+/144f295d7aa66bae8556ba030553a49615eab0b2", "deprecated": false, "signature_version": "v1", "signature_type": "Function", "target": { "file": "src/com/android/settings/vpn2/AppManagementFragment.java", "function": "onCreate" } } ], "fixes": [ "https://android.googlesource.com/platform/packages/apps/Settings/+/144f295d7aa66bae8556ba030553a49615eab0b2" ], "spl": "2023-06-01" }
{ "types": [ "EoP" ], "severity": "High", "vanir_signatures": [ { "digest": { "function_hash": "134236406536163048824416588806975961357", "length": 779.0 }, "id": "ASB-A-205460459-525d493f", "source": "https://android.googlesource.com/platform/packages/apps/Settings/+/dddd74a491a206178feb10d5ef983d5cd273504d", "deprecated": false, "signature_version": "v1", "signature_type": "Function", "target": { "file": "src/com/android/settings/vpn2/AppManagementFragment.java", "function": "onCreate" } }, { "digest": { "threshold": 0.9, "line_hashes": [ "336100995050413396604471046648600747849", "233882185629320992900811583433312763653", "169475600195102551663482568947621592996", "138976026468197361305544239673336673748", "65722198661626460178036131866155434626", "146502439951923890752064417977749965207", "10489224675326360169937944298108627188", "320286596383278763278850603948381854077", "39382189436603757696375603499394713214", "160958246367428725531599932442622386403", "263165266821543551694449496447563157168", "315783981943385040222749311193035456925", "130302758141056424715037336227520422018", "263844474475902709715843794546083027205", "269648731598388075701986185670181440561", "144387863575053294813869966197099787824", "307470470953315320748151102485094306132", "128565645273646527655933501064344012106", "36865207056263286051620466905085997709", "55667397478318779775218318655419813694", "40285273992944341741454608899694859150", "121400873625339409260913546196572036600" ] }, "id": "ASB-A-205460459-55624690", "source": "https://android.googlesource.com/platform/packages/apps/Settings/+/dddd74a491a206178feb10d5ef983d5cd273504d", "deprecated": false, "signature_version": "v1", "signature_type": "Line", "target": { "file": "src/com/android/settings/vpn2/AppManagementFragment.java" } }, { "digest": { "function_hash": "158236566380373166559928339748576547146", "length": 244.0 }, "id": "ASB-A-205460459-af18bd9a", "source": 
"https://android.googlesource.com/platform/packages/apps/Settings/+/dddd74a491a206178feb10d5ef983d5cd273504d", "deprecated": false, "signature_version": "v1", "signature_type": "Function", "target": { "file": "src/com/android/settings/vpn2/AppManagementFragment.java", "function": "onResume" } } ], "fixes": [ "https://android.googlesource.com/platform/packages/apps/Settings/+/dddd74a491a206178feb10d5ef983d5cd273504d", "https://android.googlesource.com/platform/packages/apps/Settings/+/ac6b0bdef68e99e0a34656a2148483d7cb77159e" ], "spl": "2023-06-01" }
{ "types": [ "EoP" ], "severity": "High", "vanir_signatures": [ { "digest": { "function_hash": "251843551499729755438027679969059996354", "length": 641.0 }, "id": "ASB-A-205460459-0d062f4d", "source": "https://android.googlesource.com/platform/packages/apps/Settings/+/5935cae639adca89d6fa0a682669963ddeb1caa2", "deprecated": false, "signature_version": "v1", "signature_type": "Function", "target": { "file": "src/com/android/settings/vpn2/AppManagementFragment.java", "function": "onCreate" } }, { "digest": { "function_hash": "158236566380373166559928339748576547146", "length": 244.0 }, "id": "ASB-A-205460459-1884e8af", "source": "https://android.googlesource.com/platform/packages/apps/Settings/+/5935cae639adca89d6fa0a682669963ddeb1caa2", "deprecated": false, "signature_version": "v1", "signature_type": "Function", "target": { "file": "src/com/android/settings/vpn2/AppManagementFragment.java", "function": "onResume" } }, { "digest": { "threshold": 0.9, "line_hashes": [ "336100995050413396604471046648600747849", "233882185629320992900811583433312763653", "169475600195102551663482568947621592996", "138976026468197361305544239673336673748", "65722198661626460178036131866155434626", "146502439951923890752064417977749965207", "10489224675326360169937944298108627188", "320286596383278763278850603948381854077", "39382189436603757696375603499394713214", "160958246367428725531599932442622386403", "263165266821543551694449496447563157168", "315783981943385040222749311193035456925", "312571804431002265272936749576775009138", "104444946036314211310406435294382749482", "124353133627749518534529019590134664639", "144387863575053294813869966197099787824", "307470470953315320748151102485094306132", "128565645273646527655933501064344012106", "36865207056263286051620466905085997709", "55667397478318779775218318655419813694", "40285273992944341741454608899694859150", "121400873625339409260913546196572036600" ] }, "id": "ASB-A-205460459-57dd84d8", "source": 
"https://android.googlesource.com/platform/packages/apps/Settings/+/5935cae639adca89d6fa0a682669963ddeb1caa2", "deprecated": false, "signature_version": "v1", "signature_type": "Line", "target": { "file": "src/com/android/settings/vpn2/AppManagementFragment.java" } } ], "fixes": [ "https://android.googlesource.com/platform/packages/apps/Settings/+/5935cae639adca89d6fa0a682669963ddeb1caa2", "https://android.googlesource.com/platform/packages/apps/Settings/+/aedbfeb8b85eff1f28fcaaf71d0826f76f7afab7" ], "spl": "2023-06-01" }