In getEnabledAccessibilityServiceList of AccessibilityManager.java, there is a possible way to hide an accessibility service due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{
"vanir_signatures": [
{
"digest": {
"function_hash": "256567717900539817207598731645102704557",
"length": 569.0
},
"target": {
"function": "getEnabledAccessibilityServiceList",
"file": "services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/frameworks/base/+/2bc4d49c2b0265f5de1c62d1342b1426cc5e1377",
"signature_type": "Function",
"id": "ASB-A-243849844-4b21c9fc",
"deprecated": false
},
{
"id": "ASB-A-243849844-b8e27c37",
"target": {
"file": "services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/frameworks/base/+/2bc4d49c2b0265f5de1c62d1342b1426cc5e1377",
"signature_type": "Line",
"digest": {
"line_hashes": [
"15472168467829777155972695369766909984",
"113313693706057117147096543104199435558",
"105833602642437050762795875353718347326",
"110806656359569617845981554468547802851"
],
"threshold": 0.9
},
"deprecated": false
}
],
"fixes": [
"https://android.googlesource.com/platform/frameworks/base/+/2bc4d49c2b0265f5de1c62d1342b1426cc5e1377"
],
"types": [
"EoP"
],
"spl": "2022-12-01",
"severity": "High"
}{
"vanir_signatures": [
{
"id": "ASB-A-243849844-b144b9f5",
"target": {
"function": "getEnabledAccessibilityServiceList",
"file": "services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/frameworks/base/+/2bc4d49c2b0265f5de1c62d1342b1426cc5e1377",
"signature_type": "Function",
"digest": {
"function_hash": "256567717900539817207598731645102704557",
"length": 569.0
},
"deprecated": false
},
{
"id": "ASB-A-243849844-c66a22b9",
"target": {
"file": "services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/frameworks/base/+/2bc4d49c2b0265f5de1c62d1342b1426cc5e1377",
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"15472168467829777155972695369766909984",
"113313693706057117147096543104199435558",
"105833602642437050762795875353718347326",
"110806656359569617845981554468547802851"
]
},
"deprecated": false
}
],
"fixes": [
"https://android.googlesource.com/platform/frameworks/base/+/2bc4d49c2b0265f5de1c62d1342b1426cc5e1377"
],
"types": [
"EoP"
],
"spl": "2022-12-01",
"severity": "High"
}{
"fixes": [
"https://android.googlesource.com/platform/frameworks/base/+/2bc4d49c2b0265f5de1c62d1342b1426cc5e1377"
],
"spl": "2022-12-01",
"types": [
"EoP"
],
"vanir_signatures": [
{
"digest": {
"function_hash": "256567717900539817207598731645102704557",
"length": 569.0
},
"target": {
"function": "getEnabledAccessibilityServiceList",
"file": "services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/frameworks/base/+/2bc4d49c2b0265f5de1c62d1342b1426cc5e1377",
"signature_type": "Function",
"id": "ASB-A-243849844-4c0eb4cf",
"deprecated": false
},
{
"id": "ASB-A-243849844-4f9581db",
"target": {
"file": "services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/frameworks/base/+/2bc4d49c2b0265f5de1c62d1342b1426cc5e1377",
"signature_type": "Line",
"digest": {
"line_hashes": [
"15472168467829777155972695369766909984",
"113313693706057117147096543104199435558",
"105833602642437050762795875353718347326",
"110806656359569617845981554468547802851"
],
"threshold": 0.9
},
"deprecated": false
}
],
"severity": "High"
}{
"spl": "2022-12-01",
"vanir_signatures": [
{
"id": "ASB-A-243849844-170122da",
"target": {
"file": "services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/frameworks/base/+/2bc4d49c2b0265f5de1c62d1342b1426cc5e1377",
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"15472168467829777155972695369766909984",
"113313693706057117147096543104199435558",
"105833602642437050762795875353718347326",
"110806656359569617845981554468547802851"
]
},
"deprecated": false
},
{
"id": "ASB-A-243849844-5a23e3b9",
"target": {
"function": "getEnabledAccessibilityServiceList",
"file": "services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/frameworks/base/+/2bc4d49c2b0265f5de1c62d1342b1426cc5e1377",
"signature_type": "Function",
"digest": {
"function_hash": "256567717900539817207598731645102704557",
"length": 569.0
},
"deprecated": false
}
],
"types": [
"EoP"
],
"fixes": [
"https://android.googlesource.com/platform/frameworks/base/+/2bc4d49c2b0265f5de1c62d1342b1426cc5e1377"
],
"severity": "High"
}{
"spl": "2022-12-01",
"vanir_signatures": [
{
"id": "ASB-A-243849844-123210b2",
"target": {
"file": "services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/frameworks/base/+/2bc4d49c2b0265f5de1c62d1342b1426cc5e1377",
"signature_type": "Line",
"digest": {
"line_hashes": [
"15472168467829777155972695369766909984",
"113313693706057117147096543104199435558",
"105833602642437050762795875353718347326",
"110806656359569617845981554468547802851"
],
"threshold": 0.9
},
"deprecated": false
},
{
"id": "ASB-A-243849844-2185f50a",
"target": {
"function": "getEnabledAccessibilityServiceList",
"file": "services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/frameworks/base/+/2bc4d49c2b0265f5de1c62d1342b1426cc5e1377",
"signature_type": "Function",
"digest": {
"function_hash": "256567717900539817207598731645102704557",
"length": 569.0
},
"deprecated": false
}
],
"types": [
"EoP"
],
"fixes": [
"https://android.googlesource.com/platform/frameworks/base/+/2bc4d49c2b0265f5de1c62d1342b1426cc5e1377"
],
"severity": "High"
}