In setScanMode of AdapterService.java, there is a possible way to enable Bluetooth discovery mode without user interaction due to a missing permission check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.
{ "vanir_signatures": [ { "digest": { "length": 297.0, "function_hash": "306408796174320226647143357411811607888" }, "id": "ASB-A-203431023-0564ff75", "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/e208fcf394b9591a41250de8ee8bdad3bd9af558", "deprecated": false, "signature_version": "v1", "target": { "file": "android/app/src/com/android/bluetooth/btservice/AdapterService.java", "function": "setDiscoverableTimeout" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "184196211465596637036676436981022160986", "310663038790803474228144224051457634065", "235200042516890789000893520623616856433", "74056111292228662419642069507111208323", "280865106268737356318352464790165724163", "31751067178526632610812621753358219135", "121380037984780544106085503251813162023", "115406219874387320131559651200307225012", "202006277810136237772203677493381325889", "184997035097119368774453889288419654155", "228403452926252819945841653792026404095", "79357729360616193902807655643700292302", "53073610528342643939637634752102331140", "233298843227634921828128355666204684003", "129041647635244075524337653918275144826", "201497200635376658514585156517811832238", "299108017017304219847357040897943149945", "26336067661531312286298575742099149644", "216431135408102165191893687207576056864", "176281420003676838415340115292266963530", "219325013445161890951510386503674400884", "231031870505611136751596413830225061327", "73397768373368757536479802789304542650", "86297380719523360092289164958136849650", "96504084766857505299204479415726309676", "160057590753693384341480522250881637743", "1133394177015753540700299389162097589", "252693157415961571234960786732231294635", "325256900392167122739568556677971918605", "59383564349327758604786432256412400049", "97788076907198308619448996106236548653", "259482035435254778313450921017276894325" ] }, "id": "ASB-A-203431023-0f43b4af", "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/e208fcf394b9591a41250de8ee8bdad3bd9af558", "deprecated": false, "signature_version": "v1", "target": { "file": "android/app/src/com/android/bluetooth/btservice/AdapterService.java" }, "signature_type": "Line" }, { "digest": { "length": 273.0, "function_hash": "337355188220726876884449145526534949697" }, "id": "ASB-A-203431023-57193b34", "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/e208fcf394b9591a41250de8ee8bdad3bd9af558", "deprecated": false, "signature_version": "v1", "target": { "file": "android/app/src/com/android/bluetooth/btservice/AdapterService.java", "function": "getDiscoverableTimeout" }, "signature_type": "Function" }, { "digest": { "length": 350.0, "function_hash": "224398954382340583561811694483425651957" }, "id": "ASB-A-203431023-da1724b4", "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/e208fcf394b9591a41250de8ee8bdad3bd9af558", "deprecated": false, "signature_version": "v1", "target": { "file": "android/app/src/com/android/bluetooth/btservice/AdapterService.java", "function": "setScanMode" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/e208fcf394b9591a41250de8ee8bdad3bd9af558" ], "spl": "2022-06-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "236829967481794875659806067643400471350", "221889625477845835155469983470567822437", "318959092762556263064621329974291824841", "108872696766585779850438660990602331717" ] }, "id": "ASB-A-203431023-7888c779", "source": "https://android.googlesource.com/platform/packages/apps/Bluetooth/+/95cbb22647ef5e4505f64d97b7dcbfad2a9fb0e0", "deprecated": false, "signature_version": "v1", "target": { "file": "src/com/android/bluetooth/btservice/AdapterService.java" }, "signature_type": "Line" }, { "digest": { "length": 209.0, "function_hash": "339203127178591143702063251470082974776" }, "id": "ASB-A-203431023-a11e83cd", "source": "https://android.googlesource.com/platform/packages/apps/Bluetooth/+/95cbb22647ef5e4505f64d97b7dcbfad2a9fb0e0", "deprecated": false, "signature_version": "v1", "target": { "file": "src/com/android/bluetooth/btservice/AdapterService.java", "function": "setScanMode" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/packages/apps/Bluetooth/+/95cbb22647ef5e4505f64d97b7dcbfad2a9fb0e0" ], "spl": "2022-06-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "284189501339935948702336696034543302981", "20429472355090212643904629645984168325", "92254625992077032004077375276068304370", "310656572878670007030099036643950233342" ] }, "id": "ASB-A-203431023-a5b6da18", "source": "https://android.googlesource.com/platform/packages/apps/Bluetooth/+/649612a49791564b43e6f5d41cb4a5ae07d94394", "deprecated": false, "signature_version": "v1", "target": { "file": "src/com/android/bluetooth/btservice/AdapterService.java" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/packages/apps/Bluetooth/+/649612a49791564b43e6f5d41cb4a5ae07d94394" ], "spl": "2022-06-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "match_only_versions": [ "12" ], "digest": { "threshold": 0.9, "line_hashes": [ "115406219874387320131559651200307225012", "202006277810136237772203677493381325889", "184997035097119368774453889288419654155" ] }, "id": "ASB-A-203431023-9bd93427", "source": "https://android.googlesource.com/platform/packages/apps/Bluetooth/+/e49e5dc377dd39c523c287b71c0831159e2cc6ae", "deprecated": false, "signature_version": "v1", "target": { "file": "src/com/android/bluetooth/btservice/AdapterService.java" }, "signature_type": "Line" }, { "match_only_versions": [ "12" ], "digest": { "length": 350.0, "function_hash": "224398954382340583561811694483425651957" }, "id": "ASB-A-203431023-aa617f78", "source": "https://android.googlesource.com/platform/packages/apps/Bluetooth/+/e49e5dc377dd39c523c287b71c0831159e2cc6ae", "deprecated": false, "signature_version": "v1", "target": { "file": "src/com/android/bluetooth/btservice/AdapterService.java", "function": "setScanMode" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/packages/apps/Bluetooth/+/e49e5dc377dd39c523c287b71c0831159e2cc6ae" ], "spl": "2022-06-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "match_only_versions": [ "12L" ], "digest": { "threshold": 0.9, "line_hashes": [ "115406219874387320131559651200307225012", "202006277810136237772203677493381325889", "184997035097119368774453889288419654155" ] }, "id": "ASB-A-203431023-829ae564", "source": "https://android.googlesource.com/platform/packages/apps/Bluetooth/+/e49e5dc377dd39c523c287b71c0831159e2cc6ae", "deprecated": false, "signature_version": "v1", "target": { "file": "src/com/android/bluetooth/btservice/AdapterService.java" }, "signature_type": "Line" }, { "match_only_versions": [ "12L" ], "digest": { "length": 350.0, "function_hash": "224398954382340583561811694483425651957" }, "id": "ASB-A-203431023-ff5778ad", "source": "https://android.googlesource.com/platform/packages/apps/Bluetooth/+/e49e5dc377dd39c523c287b71c0831159e2cc6ae", "deprecated": false, "signature_version": "v1", "target": { "file": "src/com/android/bluetooth/btservice/AdapterService.java", "function": "setScanMode" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/packages/apps/Bluetooth/+/e49e5dc377dd39c523c287b71c0831159e2cc6ae" ], "spl": "2022-06-01", "severity": "High", "types": [ "EoP" ] }