ASB-A-200688991

See a problem?
Import Source
https://storage.googleapis.com/android-osv/ASB-A-200688991.json
JSON Data
https://api.osv.dev/v1/vulns/ASB-A-200688991
Aliases
  • A-200688991
  • CVE-2021-39707
Published
2022-03-01T00:00:00Z
Modified
2024-08-07T19:29:08.992932Z
Summary
EoP: Bypass CALL_PRIVILEGED permission in Settings AppRestrictionsFragment
Details

In onReceive of AppRestrictionsFragment.java, there is a possible way to start a phone call without permissions due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

References

Affected packages

Android / platform/packages/apps/Settings

Affected ranges

Type
ECOSYSTEM
Events
Introduced
10:0
Fixed
10:2022-03-01

Affected versions

Other

10

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "25773313590578301909770280378145394169",
                    "998002664358991226549625720005163034",
                    "184557601896126998774372606455908481492",
                    "8725612031362875280293404008541639922",
                    "263652157868942015372852595692019924264",
                    "266345770853377246326559123612364591999",
                    "92886632093687862575761156928663257027",
                    "5125628849487778448830293822799454652",
                    "229984845727493768315449970480846857775",
                    "120783485870668307593467657794719425133",
                    "248990728719954200371713960077160859241",
                    "192497369389172935363379212909343471421",
                    "267786699608572883225187067660587640153",
                    "111871638115009029157642403469356194843",
                    "235513615326855201199349692386757969529",
                    "82542431251053983535395211463109219730",
                    "150311428605553795670256246034595443020",
                    "104148611440174321452056313171669862655",
                    "25375867160530765286428555796606026667",
                    "339978714582775340128437482086169236936"
                ]
            },
            "id": "ASB-A-200688991-1637f245",
            "source": "https://android.googlesource.com/platform/packages/apps/Settings/+/f57d75f127fe96e91250585208a339763f1a2253",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "src/com/android/settings/users/AppRestrictionsFragment.java"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 688.0,
                "function_hash": "248855116433774637405381666376387624271"
            },
            "id": "ASB-A-200688991-290f1e4b",
            "source": "https://android.googlesource.com/platform/packages/apps/Settings/+/f57d75f127fe96e91250585208a339763f1a2253",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "src/com/android/settings/users/AppRestrictionsFragment.java",
                "function": "onReceive"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 466.0,
                "function_hash": "126382469407775841340500000808370560677"
            },
            "id": "ASB-A-200688991-e3a088d4",
            "source": "https://android.googlesource.com/platform/packages/apps/Settings/+/f57d75f127fe96e91250585208a339763f1a2253",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "src/com/android/settings/users/AppRestrictionsFragment.java",
                "function": "assertSafeToStartCustomActivity"
            },
            "signature_type": "Function"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/packages/apps/Settings/+/f57d75f127fe96e91250585208a339763f1a2253"
    ],
    "spl": "2022-03-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}

Android / platform/packages/apps/Settings

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11:0
Fixed
11:2022-03-01

Affected versions

Other

11

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "25773313590578301909770280378145394169",
                    "998002664358991226549625720005163034",
                    "184557601896126998774372606455908481492",
                    "8725612031362875280293404008541639922",
                    "263652157868942015372852595692019924264",
                    "266345770853377246326559123612364591999",
                    "92886632093687862575761156928663257027",
                    "5125628849487778448830293822799454652",
                    "229984845727493768315449970480846857775",
                    "120783485870668307593467657794719425133",
                    "248990728719954200371713960077160859241",
                    "192497369389172935363379212909343471421",
                    "267786699608572883225187067660587640153",
                    "111871638115009029157642403469356194843",
                    "235513615326855201199349692386757969529",
                    "82542431251053983535395211463109219730",
                    "150311428605553795670256246034595443020",
                    "104148611440174321452056313171669862655",
                    "25375867160530765286428555796606026667",
                    "339978714582775340128437482086169236936"
                ]
            },
            "id": "ASB-A-200688991-a463f1a8",
            "source": "https://android.googlesource.com/platform/packages/apps/Settings/+/dc44d01a16461027ace52eb30faa9281e102ed3a",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "src/com/android/settings/users/AppRestrictionsFragment.java"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 466.0,
                "function_hash": "126382469407775841340500000808370560677"
            },
            "id": "ASB-A-200688991-e140e50e",
            "source": "https://android.googlesource.com/platform/packages/apps/Settings/+/dc44d01a16461027ace52eb30faa9281e102ed3a",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "src/com/android/settings/users/AppRestrictionsFragment.java",
                "function": "assertSafeToStartCustomActivity"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 688.0,
                "function_hash": "248855116433774637405381666376387624271"
            },
            "id": "ASB-A-200688991-e8d569fe",
            "source": "https://android.googlesource.com/platform/packages/apps/Settings/+/dc44d01a16461027ace52eb30faa9281e102ed3a",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "src/com/android/settings/users/AppRestrictionsFragment.java",
                "function": "onReceive"
            },
            "signature_type": "Function"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/packages/apps/Settings/+/dc44d01a16461027ace52eb30faa9281e102ed3a"
    ],
    "spl": "2022-03-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}

Android / platform/packages/apps/Settings

Affected ranges

Type
ECOSYSTEM
Events
Introduced
12:0
Fixed
12:2022-03-01

Affected versions

Other

12

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "25773313590578301909770280378145394169",
                    "998002664358991226549625720005163034",
                    "184557601896126998774372606455908481492",
                    "8725612031362875280293404008541639922",
                    "263652157868942015372852595692019924264",
                    "266345770853377246326559123612364591999",
                    "92886632093687862575761156928663257027",
                    "5125628849487778448830293822799454652",
                    "229984845727493768315449970480846857775",
                    "120783485870668307593467657794719425133",
                    "248990728719954200371713960077160859241",
                    "192497369389172935363379212909343471421",
                    "267786699608572883225187067660587640153",
                    "111871638115009029157642403469356194843",
                    "235513615326855201199349692386757969529",
                    "82542431251053983535395211463109219730",
                    "150311428605553795670256246034595443020",
                    "104148611440174321452056313171669862655",
                    "25375867160530765286428555796606026667",
                    "339978714582775340128437482086169236936"
                ]
            },
            "id": "ASB-A-200688991-39f69d17",
            "source": "https://android.googlesource.com/platform/packages/apps/Settings/+/99261879727c972c2fdcc44ee1ed47d4de52b7bf",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "src/com/android/settings/users/AppRestrictionsFragment.java"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 688.0,
                "function_hash": "248855116433774637405381666376387624271"
            },
            "id": "ASB-A-200688991-56be47e1",
            "source": "https://android.googlesource.com/platform/packages/apps/Settings/+/99261879727c972c2fdcc44ee1ed47d4de52b7bf",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "src/com/android/settings/users/AppRestrictionsFragment.java",
                "function": "onReceive"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 466.0,
                "function_hash": "126382469407775841340500000808370560677"
            },
            "id": "ASB-A-200688991-67410139",
            "source": "https://android.googlesource.com/platform/packages/apps/Settings/+/99261879727c972c2fdcc44ee1ed47d4de52b7bf",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "src/com/android/settings/users/AppRestrictionsFragment.java",
                "function": "assertSafeToStartCustomActivity"
            },
            "signature_type": "Function"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/packages/apps/Settings/+/99261879727c972c2fdcc44ee1ed47d4de52b7bf"
    ],
    "spl": "2022-03-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}

Android / platform/packages/apps/Settings

Affected ranges

Type
ECOSYSTEM
Events
Introduced
12L:0
Fixed
12L:2022-03-01

Affected versions

Other

12L

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "25773313590578301909770280378145394169",
                    "998002664358991226549625720005163034",
                    "184557601896126998774372606455908481492",
                    "8725612031362875280293404008541639922",
                    "263652157868942015372852595692019924264",
                    "266345770853377246326559123612364591999",
                    "92886632093687862575761156928663257027",
                    "5125628849487778448830293822799454652",
                    "229984845727493768315449970480846857775",
                    "120783485870668307593467657794719425133",
                    "248990728719954200371713960077160859241",
                    "192497369389172935363379212909343471421",
                    "267786699608572883225187067660587640153",
                    "111871638115009029157642403469356194843",
                    "235513615326855201199349692386757969529",
                    "82542431251053983535395211463109219730",
                    "150311428605553795670256246034595443020",
                    "104148611440174321452056313171669862655",
                    "25375867160530765286428555796606026667",
                    "339978714582775340128437482086169236936"
                ]
            },
            "id": "ASB-A-200688991-03bc1b2e",
            "source": "https://android.googlesource.com/platform/packages/apps/Settings/+/4fb753d22e6a2505b1667950d153bc03ad8ae422",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "src/com/android/settings/users/AppRestrictionsFragment.java"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 688.0,
                "function_hash": "248855116433774637405381666376387624271"
            },
            "id": "ASB-A-200688991-e41ae46b",
            "source": "https://android.googlesource.com/platform/packages/apps/Settings/+/4fb753d22e6a2505b1667950d153bc03ad8ae422",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "src/com/android/settings/users/AppRestrictionsFragment.java",
                "function": "onReceive"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 466.0,
                "function_hash": "126382469407775841340500000808370560677"
            },
            "id": "ASB-A-200688991-ef6e77bd",
            "source": "https://android.googlesource.com/platform/packages/apps/Settings/+/4fb753d22e6a2505b1667950d153bc03ad8ae422",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "src/com/android/settings/users/AppRestrictionsFragment.java",
                "function": "assertSafeToStartCustomActivity"
            },
            "signature_type": "Function"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/packages/apps/Settings/+/4fb753d22e6a2505b1667950d153bc03ad8ae422"
    ],
    "spl": "2022-03-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}