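In multiple functions of AccountManagerService.java, arbitrary code could be loaded into the System Settings app due to a confused deputy problem. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. The JSON records below list the fix commits for this issue and the Vanir signatures (function-level and line-level hashes targeting AccountManagerService.java) associated with them, all under security patch level 2023-04-01.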
{
"spl": "2023-04-01",
"vanir_signatures": [
{
"id": "ASB-A-260567867-0f0395d8",
"target": {
"function": "onResult",
"file": "services/core/java/com/android/server/accounts/AccountManagerService.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/frameworks/base/+/e7c9cedab64313054a5f1d6e249a3d7118f0fe6d",
"signature_type": "Function",
"digest": {
"function_hash": "24063364796261288084818385041544745461",
"length": 2630.0
},
"deprecated": false
},
{
"id": "ASB-A-260567867-5018acee",
"target": {
"file": "services/core/java/com/android/server/accounts/AccountManagerService.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/frameworks/base/+/e7c9cedab64313054a5f1d6e249a3d7118f0fe6d",
"signature_type": "Line",
"digest": {
"line_hashes": [
"102621481333874520227160300226568916637",
"87791047021780292960520905960333961581",
"227810543805131443330981162682500543823",
"249209199335521875619203833124111623883",
"333632741528280604425310716873061856856",
"296970883249405432748384307226135802410",
"322653182359092500475659955130112784308",
"70126697754156643117209328007530417998",
"339481037997816317821671594887686512293",
"221003920048527419293013806736736766485",
"97919473584709779965486999353676586848",
"234298834527873990978626021844002463501",
"300167801387346797691020387596466947641",
"60697875491319249160746600633389088059",
"101255738353673951573916089828613134146",
"117460194778136373718489259647932296637",
"221339240173144341381788826707641692497",
"249209199335521875619203833124111623883",
"333632741528280604425310716873061856856"
],
"threshold": 0.9
},
"deprecated": false
},
{
"id": "ASB-A-260567867-699f2b76",
"target": {
"function": "checkKeyIntent",
"file": "services/core/java/com/android/server/accounts/AccountManagerService.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/frameworks/base/+/e7c9cedab64313054a5f1d6e249a3d7118f0fe6d",
"signature_type": "Function",
"digest": {
"function_hash": "134451419846464950394386447436239146278",
"length": 1320.0
},
"deprecated": false
},
{
"id": "ASB-A-260567867-732e1150",
"target": {
"function": "checkKeyIntentParceledCorrectly",
"file": "services/core/java/com/android/server/accounts/AccountManagerService.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/frameworks/base/+/e7c9cedab64313054a5f1d6e249a3d7118f0fe6d",
"signature_type": "Function",
"digest": {
"function_hash": "100361811884416474232114843533415316660",
"length": 347.0
},
"deprecated": false
},
{
"id": "ASB-A-260567867-8d45e500",
"target": {
"function": "onResult",
"file": "services/core/java/com/android/server/accounts/AccountManagerService.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/frameworks/base/+/e7c9cedab64313054a5f1d6e249a3d7118f0fe6d",
"signature_type": "Function",
"digest": {
"function_hash": "274929591755527814202843495797426672204",
"length": 2228.0
},
"deprecated": false
}
],
"types": [
"EoP"
],
"fixes": [
"https://android.googlesource.com/platform/frameworks/base/+/e7c9cedab64313054a5f1d6e249a3d7118f0fe6d"
],
"severity": "High"
}{
"fixes": [
"https://android.googlesource.com/platform/frameworks/base/+/9f623983a8d4ec48d58b0eda56fa461fc6748981"
],
"spl": "2023-04-01",
"types": [
"EoP"
],
"vanir_signatures": [
{
"id": "ASB-A-260567867-44161b57",
"target": {
"function": "onResult",
"file": "services/core/java/com/android/server/accounts/AccountManagerService.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/frameworks/base/+/9f623983a8d4ec48d58b0eda56fa461fc6748981",
"signature_type": "Function",
"digest": {
"function_hash": "41023448064838139733511489886308780141",
"length": 2614.0
},
"deprecated": false
},
{
"id": "ASB-A-260567867-6d37caa9",
"target": {
"function": "checkKeyIntent",
"file": "services/core/java/com/android/server/accounts/AccountManagerService.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/frameworks/base/+/9f623983a8d4ec48d58b0eda56fa461fc6748981",
"signature_type": "Function",
"digest": {
"function_hash": "52865478785358617343039264453162914792",
"length": 1331.0
},
"deprecated": false
},
{
"id": "ASB-A-260567867-8462678d",
"target": {
"function": "checkKeyIntentParceledCorrectly",
"file": "services/core/java/com/android/server/accounts/AccountManagerService.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/frameworks/base/+/9f623983a8d4ec48d58b0eda56fa461fc6748981",
"signature_type": "Function",
"digest": {
"function_hash": "94708205251876746338000343560764915402",
"length": 333.0
},
"deprecated": false
},
{
"id": "ASB-A-260567867-85083a16",
"target": {
"file": "services/core/java/com/android/server/accounts/AccountManagerService.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/frameworks/base/+/9f623983a8d4ec48d58b0eda56fa461fc6748981",
"signature_type": "Line",
"digest": {
"line_hashes": [
"102621481333874520227160300226568916637",
"17410907499065417407586688844885386759",
"137971137004370039771630188077221928616",
"171654467451521752340925975754762571437",
"200743198349192667103830392242710855312",
"243628083512321978905245199028732910147",
"143497601475118715788948267903722960923",
"34403552962753278911522365955453991311",
"212527219679643165604639129087184543552",
"278096025294005194601942749711161288359",
"210066205031285334355977896094228933501",
"254649137641918737601387565419334774469",
"60013202798819483283863555381222552713",
"101255738353673951573916089828613134146",
"50186522400419522845497711063170164678",
"267026741779168971949661977336207845381",
"171654467451521752340925975754762571437",
"200743198349192667103830392242710855312"
],
"threshold": 0.9
},
"deprecated": false
},
{
"id": "ASB-A-260567867-a7b9bb0b",
"target": {
"function": "onResult",
"file": "services/core/java/com/android/server/accounts/AccountManagerService.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/frameworks/base/+/9f623983a8d4ec48d58b0eda56fa461fc6748981",
"signature_type": "Function",
"digest": {
"function_hash": "267799739317786220573746323388235990046",
"length": 2212.0
},
"deprecated": false
}
],
"severity": "High"
}{
"vanir_signatures": [
{
"digest": {
"function_hash": "52865478785358617343039264453162914792",
"length": 1331.0
},
"target": {
"function": "checkKeyIntent",
"file": "services/core/java/com/android/server/accounts/AccountManagerService.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/frameworks/base/+/9f623983a8d4ec48d58b0eda56fa461fc6748981",
"signature_type": "Function",
"id": "ASB-A-260567867-27a42bd3",
"deprecated": false
},
{
"id": "ASB-A-260567867-40603fb1",
"target": {
"file": "services/core/java/com/android/server/accounts/AccountManagerService.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/frameworks/base/+/9f623983a8d4ec48d58b0eda56fa461fc6748981",
"signature_type": "Line",
"digest": {
"line_hashes": [
"102621481333874520227160300226568916637",
"17410907499065417407586688844885386759",
"137971137004370039771630188077221928616",
"171654467451521752340925975754762571437",
"200743198349192667103830392242710855312",
"243628083512321978905245199028732910147",
"143497601475118715788948267903722960923",
"34403552962753278911522365955453991311",
"212527219679643165604639129087184543552",
"278096025294005194601942749711161288359",
"210066205031285334355977896094228933501",
"254649137641918737601387565419334774469",
"60013202798819483283863555381222552713",
"101255738353673951573916089828613134146",
"50186522400419522845497711063170164678",
"267026741779168971949661977336207845381",
"171654467451521752340925975754762571437",
"200743198349192667103830392242710855312"
],
"threshold": 0.9
},
"deprecated": false
},
{
"digest": {
"function_hash": "94708205251876746338000343560764915402",
"length": 333.0
},
"target": {
"function": "checkKeyIntentParceledCorrectly",
"file": "services/core/java/com/android/server/accounts/AccountManagerService.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/frameworks/base/+/9f623983a8d4ec48d58b0eda56fa461fc6748981",
"signature_type": "Function",
"id": "ASB-A-260567867-450f3afb",
"deprecated": false
},
{
"digest": {
"function_hash": "41023448064838139733511489886308780141",
"length": 2614.0
},
"target": {
"function": "onResult",
"file": "services/core/java/com/android/server/accounts/AccountManagerService.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/frameworks/base/+/9f623983a8d4ec48d58b0eda56fa461fc6748981",
"signature_type": "Function",
"id": "ASB-A-260567867-53e9a05e",
"deprecated": false
},
{
"id": "ASB-A-260567867-c75e5dd8",
"target": {
"function": "onResult",
"file": "services/core/java/com/android/server/accounts/AccountManagerService.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/frameworks/base/+/9f623983a8d4ec48d58b0eda56fa461fc6748981",
"signature_type": "Function",
"digest": {
"function_hash": "267799739317786220573746323388235990046",
"length": 2212.0
},
"deprecated": false
}
],
"fixes": [
"https://android.googlesource.com/platform/frameworks/base/+/9f623983a8d4ec48d58b0eda56fa461fc6748981"
],
"types": [
"EoP"
],
"spl": "2023-04-01",
"severity": "High"
}{
"fixes": [
"https://android.googlesource.com/platform/frameworks/base/+/9f623983a8d4ec48d58b0eda56fa461fc6748981"
],
"spl": "2023-04-01",
"types": [
"EoP"
],
"vanir_signatures": [
{
"id": "ASB-A-260567867-147a6479",
"target": {
"function": "onResult",
"file": "services/core/java/com/android/server/accounts/AccountManagerService.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/frameworks/base/+/9f623983a8d4ec48d58b0eda56fa461fc6748981",
"signature_type": "Function",
"digest": {
"function_hash": "267799739317786220573746323388235990046",
"length": 2212.0
},
"deprecated": false
},
{
"id": "ASB-A-260567867-6cbd2519",
"target": {
"function": "checkKeyIntent",
"file": "services/core/java/com/android/server/accounts/AccountManagerService.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/frameworks/base/+/9f623983a8d4ec48d58b0eda56fa461fc6748981",
"signature_type": "Function",
"digest": {
"function_hash": "52865478785358617343039264453162914792",
"length": 1331.0
},
"deprecated": false
},
{
"id": "ASB-A-260567867-814bca32",
"target": {
"function": "checkKeyIntentParceledCorrectly",
"file": "services/core/java/com/android/server/accounts/AccountManagerService.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/frameworks/base/+/9f623983a8d4ec48d58b0eda56fa461fc6748981",
"signature_type": "Function",
"digest": {
"function_hash": "94708205251876746338000343560764915402",
"length": 333.0
},
"deprecated": false
},
{
"id": "ASB-A-260567867-b420f77c",
"target": {
"file": "services/core/java/com/android/server/accounts/AccountManagerService.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/frameworks/base/+/9f623983a8d4ec48d58b0eda56fa461fc6748981",
"signature_type": "Line",
"digest": {
"line_hashes": [
"102621481333874520227160300226568916637",
"17410907499065417407586688844885386759",
"137971137004370039771630188077221928616",
"171654467451521752340925975754762571437",
"200743198349192667103830392242710855312",
"243628083512321978905245199028732910147",
"143497601475118715788948267903722960923",
"34403552962753278911522365955453991311",
"212527219679643165604639129087184543552",
"278096025294005194601942749711161288359",
"210066205031285334355977896094228933501",
"254649137641918737601387565419334774469",
"60013202798819483283863555381222552713",
"101255738353673951573916089828613134146",
"50186522400419522845497711063170164678",
"267026741779168971949661977336207845381",
"171654467451521752340925975754762571437",
"200743198349192667103830392242710855312"
],
"threshold": 0.9
},
"deprecated": false
},
{
"id": "ASB-A-260567867-b9f8b81f",
"target": {
"function": "onResult",
"file": "services/core/java/com/android/server/accounts/AccountManagerService.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/frameworks/base/+/9f623983a8d4ec48d58b0eda56fa461fc6748981",
"signature_type": "Function",
"digest": {
"function_hash": "41023448064838139733511489886308780141",
"length": 2614.0
},
"deprecated": false
}
],
"severity": "High"
}{
"fixes": [
"https://android.googlesource.com/platform/frameworks/base/+/3723f400e2f7f6b72be5d76ae6058e2be579b002"
],
"spl": "2023-04-01",
"types": [
"EoP"
],
"vanir_signatures": [
{
"id": "ASB-A-260567867-517e3a33",
"target": {
"function": "getAuthToken",
"file": "services/core/java/com/android/server/accounts/AccountManagerService.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/frameworks/base/+/3723f400e2f7f6b72be5d76ae6058e2be579b002",
"signature_type": "Function",
"digest": {
"function_hash": "187948086070591231297392488894148739647",
"length": 5624.0
},
"deprecated": false
},
{
"id": "ASB-A-260567867-8ba17ec0",
"target": {
"function": "onResult",
"file": "services/core/java/com/android/server/accounts/AccountManagerService.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/frameworks/base/+/3723f400e2f7f6b72be5d76ae6058e2be579b002",
"signature_type": "Function",
"digest": {
"function_hash": "267799739317786220573746323388235990046",
"length": 2212.0
},
"deprecated": false
},
{
"target": {
"function": "onResult",
"file": "services/core/java/com/android/server/accounts/AccountManagerService.java"
},
"match_only_versions": [
"13"
],
"source": "https://android.googlesource.com/platform/frameworks/base/+/3723f400e2f7f6b72be5d76ae6058e2be579b002",
"digest": {
"function_hash": "261227585194831626479415770564533148761",
"length": 1606.0
},
"signature_version": "v1",
"signature_type": "Function",
"id": "ASB-A-260567867-b857cd09",
"deprecated": false
},
{
"id": "ASB-A-260567867-b906f6fc",
"target": {
"function": "onResult",
"file": "services/core/java/com/android/server/accounts/AccountManagerService.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/frameworks/base/+/3723f400e2f7f6b72be5d76ae6058e2be579b002",
"signature_type": "Function",
"digest": {
"function_hash": "41023448064838139733511489886308780141",
"length": 2614.0
},
"deprecated": false
},
{
"id": "ASB-A-260567867-ca1cbc91",
"target": {
"function": "checkKeyIntent",
"file": "services/core/java/com/android/server/accounts/AccountManagerService.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/frameworks/base/+/3723f400e2f7f6b72be5d76ae6058e2be579b002",
"signature_type": "Function",
"digest": {
"function_hash": "134451419846464950394386447436239146278",
"length": 1320.0
},
"deprecated": false
},
{
"id": "ASB-A-260567867-eb9ea585",
"target": {
"function": "checkKeyIntentParceledCorrectly",
"file": "services/core/java/com/android/server/accounts/AccountManagerService.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/frameworks/base/+/3723f400e2f7f6b72be5d76ae6058e2be579b002",
"signature_type": "Function",
"digest": {
"function_hash": "100361811884416474232114843533415316660",
"length": 347.0
},
"deprecated": false
},
{
"id": "ASB-A-260567867-f6e0a46f",
"target": {
"file": "services/core/java/com/android/server/accounts/AccountManagerService.java"
},
"signature_version": "v1",
"source": "https://android.googlesource.com/platform/frameworks/base/+/3723f400e2f7f6b72be5d76ae6058e2be579b002",
"signature_type": "Line",
"digest": {
"line_hashes": [
"3345597861118770780059298766421267087",
"242732919793228362579209848120206281270",
"191848758192162543277547550033520109670",
"141394416191930872290709805739668594678",
"102621481333874520227160300226568916637",
"17410907499065417407586688844885386759",
"137971137004370039771630188077221928616",
"171654467451521752340925975754762571437",
"200743198349192667103830392242710855312",
"296970883249405432748384307226135802410",
"322653182359092500475659955130112784308",
"70126697754156643117209328007530417998",
"339481037997816317821671594887686512293",
"221003920048527419293013806736736766485",
"97919473584709779965486999353676586848",
"234298834527873990978626021844002463501",
"300167801387346797691020387596466947641",
"60697875491319249160746600633389088059",
"101255738353673951573916089828613134146",
"50186522400419522845497711063170164678",
"267026741779168971949661977336207845381",
"171654467451521752340925975754762571437",
"200743198349192667103830392242710855312"
],
"threshold": 0.9
},
"deprecated": false
}
],
"severity": "High"
}