In onCreate of ReviewPermissionsActivity.java, there is a possible way to grant permissions for a separate app with API level < 23 due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "131548812861006055530464043961854370772", "291323132068501938880325320721381375409", "95384460143037097415898460329511075946", "319698469046129652518560868639908386550", "268589551327048145713816909398404480884", "173233552244338388278893104303091464527", "6566350594781407074702540494698510848" ] }, "id": "ASB-A-176094367-e5b1b65f", "source": "https://android.googlesource.com/platform/packages/apps/PackageInstaller/+/725244f010c9c5ed5b169c2ec00600864fce38ab", "deprecated": false, "signature_version": "v1", "target": { "file": "src/com/android/packageinstaller/permission/ui/ReviewPermissionsActivity.java" }, "signature_type": "Line" }, { "digest": { "length": 600.0, "function_hash": "135428959392356932519044964831642124671" }, "id": "ASB-A-176094367-ee3df61f", "source": "https://android.googlesource.com/platform/packages/apps/PackageInstaller/+/725244f010c9c5ed5b169c2ec00600864fce38ab", "deprecated": false, "signature_version": "v1", "target": { "file": "src/com/android/packageinstaller/permission/ui/ReviewPermissionsActivity.java", "function": "onCreate" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/packages/apps/PackageInstaller/+/725244f010c9c5ed5b169c2ec00600864fce38ab" ], "spl": "2022-12-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "131548812861006055530464043961854370772", "291323132068501938880325320721381375409", "95384460143037097415898460329511075946", "288147811868668259498595617858469938520", "268589551327048145713816909398404480884", "173233552244338388278893104303091464527", "6566350594781407074702540494698510848" ] }, "id": "ASB-A-176094367-37016cae", "source": "https://android.googlesource.com/platform/packages/modules/Permission/+/cb6a249e1af72c89adf0f3f3179226723d8d389f", "deprecated": false, "signature_version": "v1", "target": { "file": "PermissionController/src/com/android/permissioncontroller/permission/ui/ReviewPermissionsActivity.java" }, "signature_type": "Line" }, { "digest": { "length": 600.0, "function_hash": "135428959392356932519044964831642124671" }, "id": "ASB-A-176094367-7d1d1ba3", "source": "https://android.googlesource.com/platform/packages/modules/Permission/+/cb6a249e1af72c89adf0f3f3179226723d8d389f", "deprecated": false, "signature_version": "v1", "target": { "file": "PermissionController/src/com/android/permissioncontroller/permission/ui/ReviewPermissionsActivity.java", "function": "onCreate" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/packages/modules/Permission/+/cb6a249e1af72c89adf0f3f3179226723d8d389f" ], "spl": "2022-12-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "length": 600.0, "function_hash": "135428959392356932519044964831642124671" }, "id": "ASB-A-176094367-074c608b", "source": "https://android.googlesource.com/platform/packages/modules/Permission/+/cb6a249e1af72c89adf0f3f3179226723d8d389f", "deprecated": false, "signature_version": "v1", "target": { "file": "PermissionController/src/com/android/permissioncontroller/permission/ui/ReviewPermissionsActivity.java", "function": "onCreate" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "131548812861006055530464043961854370772", "291323132068501938880325320721381375409", "95384460143037097415898460329511075946", "288147811868668259498595617858469938520", "268589551327048145713816909398404480884", "173233552244338388278893104303091464527", "6566350594781407074702540494698510848" ] }, "id": "ASB-A-176094367-811d0424", "source": "https://android.googlesource.com/platform/packages/modules/Permission/+/cb6a249e1af72c89adf0f3f3179226723d8d389f", "deprecated": false, "signature_version": "v1", "target": { "file": "PermissionController/src/com/android/permissioncontroller/permission/ui/ReviewPermissionsActivity.java" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/packages/modules/Permission/+/cb6a249e1af72c89adf0f3f3179226723d8d389f" ], "spl": "2022-12-01", "severity": "High", "types": [ "EoP" ] }