In broadcastPortInfo of AdbService.java, there is a possible way for apps to run code as the shell user, if wireless debugging is enabled, due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "214460865753076858139981363307170759420", "57712084791171742259055495213241112872", "281788408117531611386521697779926993933", "71354227178570218253232203822130507410", "34143581265084156714169852221507932008", "206682769734304699586288905710274821956", "263455920462214863689287947825132999179" ] }, "id": "ASB-A-205836329-3a07ed4c", "source": "https://android.googlesource.com/platform/frameworks/base/+/398b752a440f7d60198f9267334445aba4f9d4eb", "deprecated": false, "signature_version": "v1", "target": { "file": "core/java/android/debug/AdbManager.java" }, "signature_type": "Line" }, { "digest": { "length": 450.0, "function_hash": "1809661410811964563646412563238828875" }, "id": "ASB-A-205836329-4404b3ed", "source": "https://android.googlesource.com/platform/frameworks/base/+/398b752a440f7d60198f9267334445aba4f9d4eb", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/adb/AdbService.java", "function": "broadcastPortInfo" }, "signature_type": "Function" }, { "digest": { "length": 867.0, "function_hash": "330933175472168456026758694636519539114" }, "id": "ASB-A-205836329-5a141d88", "source": "https://android.googlesource.com/platform/frameworks/base/+/398b752a440f7d60198f9267334445aba4f9d4eb", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/adb/AdbDebuggingManager.java", "function": "onPairingResult" }, "signature_type": "Function" }, { "digest": { "length": 401.0, "function_hash": "69443888503935950301500045610908345926" }, "id": "ASB-A-205836329-61ba1714", "source": "https://android.googlesource.com/platform/frameworks/base/+/398b752a440f7d60198f9267334445aba4f9d4eb", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/adb/AdbDebuggingManager.java", "function": "updateUIPairCode" }, "signature_type": "Function" }, { "digest": { "length": 391.0, "function_hash": "216759512312419691307194172630549751020" }, "id": "ASB-A-205836329-d5030866", "source": "https://android.googlesource.com/platform/frameworks/base/+/398b752a440f7d60198f9267334445aba4f9d4eb", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/adb/AdbDebuggingManager.java", "function": "sendServerConnectionState" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "250992010931258949528441133623276217929", "238938865862046255046433894841989459817", "287024772226743952697829319897336893686", "235754430573118450327720568203859539942", "285961896369217352623033459806180695196", "79966270103071456072311347210828268136", "117319914789414433299735823314905553893", "214445018262832220616068497676724827780", "256374124716744703704109059140891801788", "141310101586384782804719740356505934828", "71432980429338597679584283512183218559", "50011728795990130188653291872941003947", "177852429003666205744188007255958262889", "86615966631382548580541170759825407446", "54220915018434099458027709304193193372", "172352361912215064953713772687882833753", "52090689273353326284206217491614166848", "138569408808450206197128135988355074933", "82695979731248669925140286977722392081", "230027686912320493609694297595475150734", "31762888068000186702998477970379553200", "251551285150777538662565568171108305815", "192130505632250956040125212124228595405", "115056291531635762877163774590794326839", "223069806025697820854791390506337289988", "207064133989545484935813539786867371922", "205210580948247478497266171960886321747", "89274961258228163901377061442167766785", "328934991541292926540536101031988684141", "198932135795226965432400219121188818179" ] }, "id": "ASB-A-205836329-d7e2bb8e", "source": "https://android.googlesource.com/platform/frameworks/base/+/398b752a440f7d60198f9267334445aba4f9d4eb", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/adb/AdbDebuggingManager.java" }, "signature_type": "Line" }, { "digest": { "length": 326.0, "function_hash": "225159457873463063356354899792285648828" }, "id": "ASB-A-205836329-dbd595af", "source": "https://android.googlesource.com/platform/frameworks/base/+/398b752a440f7d60198f9267334445aba4f9d4eb", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/adb/AdbDebuggingManager.java", "function": "sendPairingPortToUI" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "79966270103071456072311347210828268136", "178895722724654217078468495541203041176", "101940901381823098014669629818112466589", "315453850069888374681992760279197617176" ] }, "id": "ASB-A-205836329-e9cab6f4", "source": "https://android.googlesource.com/platform/frameworks/base/+/398b752a440f7d60198f9267334445aba4f9d4eb", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/adb/AdbService.java" }, "signature_type": "Line" }, { "digest": { "length": 236.0, "function_hash": "31452819176191329589609936869751506078" }, "id": "ASB-A-205836329-f8717882", "source": "https://android.googlesource.com/platform/frameworks/base/+/398b752a440f7d60198f9267334445aba4f9d4eb", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/adb/AdbDebuggingManager.java", "function": "sendPairedDevicesToUI" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/398b752a440f7d60198f9267334445aba4f9d4eb" ], "spl": "2022-04-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "length": 867.0, "function_hash": "330933175472168456026758694636519539114" }, "id": "ASB-A-205836329-13f448b6", "source": "https://android.googlesource.com/platform/frameworks/base/+/dc7d96c9e50fb2cc38c1c53eb03b975f6de9d0e7", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/adb/AdbDebuggingManager.java", "function": "onPairingResult" }, "signature_type": "Function" }, { "digest": { "length": 236.0, "function_hash": "31452819176191329589609936869751506078" }, "id": "ASB-A-205836329-3c7a00ef", "source": "https://android.googlesource.com/platform/frameworks/base/+/dc7d96c9e50fb2cc38c1c53eb03b975f6de9d0e7", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/adb/AdbDebuggingManager.java", "function": "sendPairedDevicesToUI" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "79966270103071456072311347210828268136", "178895722724654217078468495541203041176", "101940901381823098014669629818112466589", "315453850069888374681992760279197617176" ] }, "id": "ASB-A-205836329-4afc1d35", "source": "https://android.googlesource.com/platform/frameworks/base/+/dc7d96c9e50fb2cc38c1c53eb03b975f6de9d0e7", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/adb/AdbService.java" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "214460865753076858139981363307170759420", "57712084791171742259055495213241112872", "281788408117531611386521697779926993933", "71354227178570218253232203822130507410", "34143581265084156714169852221507932008", "206682769734304699586288905710274821956", "263455920462214863689287947825132999179" ] }, "id": "ASB-A-205836329-7a943e77", "source": "https://android.googlesource.com/platform/frameworks/base/+/dc7d96c9e50fb2cc38c1c53eb03b975f6de9d0e7", "deprecated": false, "signature_version": "v1", "target": { "file": "core/java/android/debug/AdbManager.java" }, "signature_type": "Line" }, { "digest": { "length": 450.0, "function_hash": "1809661410811964563646412563238828875" }, "id": "ASB-A-205836329-83d97736", "source": "https://android.googlesource.com/platform/frameworks/base/+/dc7d96c9e50fb2cc38c1c53eb03b975f6de9d0e7", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/adb/AdbService.java", "function": "broadcastPortInfo" }, "signature_type": "Function" }, { "digest": { "length": 326.0, "function_hash": "225159457873463063356354899792285648828" }, "id": "ASB-A-205836329-85794a12", "source": "https://android.googlesource.com/platform/frameworks/base/+/dc7d96c9e50fb2cc38c1c53eb03b975f6de9d0e7", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/adb/AdbDebuggingManager.java", "function": "sendPairingPortToUI" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "250992010931258949528441133623276217929", "238938865862046255046433894841989459817", "287024772226743952697829319897336893686", "235754430573118450327720568203859539942", "285961896369217352623033459806180695196", "79966270103071456072311347210828268136", "117319914789414433299735823314905553893", "214445018262832220616068497676724827780", "256374124716744703704109059140891801788", "141310101586384782804719740356505934828", "71432980429338597679584283512183218559", "50011728795990130188653291872941003947", "177852429003666205744188007255958262889", "86615966631382548580541170759825407446", "54220915018434099458027709304193193372", "172352361912215064953713772687882833753", "52090689273353326284206217491614166848", "138569408808450206197128135988355074933", "82695979731248669925140286977722392081", "230027686912320493609694297595475150734", "31762888068000186702998477970379553200", "251551285150777538662565568171108305815", "192130505632250956040125212124228595405", "115056291531635762877163774590794326839", "223069806025697820854791390506337289988", "207064133989545484935813539786867371922", "205210580948247478497266171960886321747", "89274961258228163901377061442167766785", "328934991541292926540536101031988684141", "198932135795226965432400219121188818179" ] }, "id": "ASB-A-205836329-98a00589", "source": "https://android.googlesource.com/platform/frameworks/base/+/dc7d96c9e50fb2cc38c1c53eb03b975f6de9d0e7", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/adb/AdbDebuggingManager.java" }, "signature_type": "Line" }, { "digest": { "length": 391.0, "function_hash": "216759512312419691307194172630549751020" }, "id": "ASB-A-205836329-9b914832", "source": "https://android.googlesource.com/platform/frameworks/base/+/dc7d96c9e50fb2cc38c1c53eb03b975f6de9d0e7", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/adb/AdbDebuggingManager.java", "function": "sendServerConnectionState" }, "signature_type": "Function" }, { "digest": { "length": 401.0, "function_hash": "69443888503935950301500045610908345926" }, "id": "ASB-A-205836329-bc1ca153", "source": "https://android.googlesource.com/platform/frameworks/base/+/dc7d96c9e50fb2cc38c1c53eb03b975f6de9d0e7", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/adb/AdbDebuggingManager.java", "function": "updateUIPairCode" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/dc7d96c9e50fb2cc38c1c53eb03b975f6de9d0e7" ], "spl": "2022-04-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "250992010931258949528441133623276217929", "238938865862046255046433894841989459817", "287024772226743952697829319897336893686", "235754430573118450327720568203859539942", "285961896369217352623033459806180695196", "79966270103071456072311347210828268136", "117319914789414433299735823314905553893", "214445018262832220616068497676724827780", "256374124716744703704109059140891801788", "141310101586384782804719740356505934828", "71432980429338597679584283512183218559", "50011728795990130188653291872941003947", "177852429003666205744188007255958262889", "86615966631382548580541170759825407446", "54220915018434099458027709304193193372", "172352361912215064953713772687882833753", "52090689273353326284206217491614166848", "138569408808450206197128135988355074933", "82695979731248669925140286977722392081", "230027686912320493609694297595475150734", "31762888068000186702998477970379553200", "251551285150777538662565568171108305815", "192130505632250956040125212124228595405", "115056291531635762877163774590794326839", "223069806025697820854791390506337289988", "207064133989545484935813539786867371922", "205210580948247478497266171960886321747", "89274961258228163901377061442167766785", "328934991541292926540536101031988684141", "198932135795226965432400219121188818179" ] }, "id": "ASB-A-205836329-1e70350e", "source": "https://android.googlesource.com/platform/frameworks/base/+/dc7d96c9e50fb2cc38c1c53eb03b975f6de9d0e7", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/adb/AdbDebuggingManager.java" }, "signature_type": "Line" }, { "digest": { "length": 236.0, "function_hash": "31452819176191329589609936869751506078" }, "id": "ASB-A-205836329-21554da8", "source": "https://android.googlesource.com/platform/frameworks/base/+/dc7d96c9e50fb2cc38c1c53eb03b975f6de9d0e7", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/adb/AdbDebuggingManager.java", "function": "sendPairedDevicesToUI" }, "signature_type": "Function" }, { "digest": { "length": 867.0, "function_hash": "330933175472168456026758694636519539114" }, "id": "ASB-A-205836329-26e71d57", "source": "https://android.googlesource.com/platform/frameworks/base/+/dc7d96c9e50fb2cc38c1c53eb03b975f6de9d0e7", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/adb/AdbDebuggingManager.java", "function": "onPairingResult" }, "signature_type": "Function" }, { "digest": { "length": 391.0, "function_hash": "216759512312419691307194172630549751020" }, "id": "ASB-A-205836329-2704e454", "source": "https://android.googlesource.com/platform/frameworks/base/+/dc7d96c9e50fb2cc38c1c53eb03b975f6de9d0e7", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/adb/AdbDebuggingManager.java", "function": "sendServerConnectionState" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "214460865753076858139981363307170759420", "57712084791171742259055495213241112872", "281788408117531611386521697779926993933", "71354227178570218253232203822130507410", "34143581265084156714169852221507932008", "206682769734304699586288905710274821956", "263455920462214863689287947825132999179" ] }, "id": "ASB-A-205836329-3802f5d4", "source": "https://android.googlesource.com/platform/frameworks/base/+/dc7d96c9e50fb2cc38c1c53eb03b975f6de9d0e7", "deprecated": false, "signature_version": "v1", "target": { "file": "core/java/android/debug/AdbManager.java" }, "signature_type": "Line" }, { "digest": { "length": 326.0, "function_hash": "225159457873463063356354899792285648828" }, "id": "ASB-A-205836329-493654cc", "source": "https://android.googlesource.com/platform/frameworks/base/+/dc7d96c9e50fb2cc38c1c53eb03b975f6de9d0e7", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/adb/AdbDebuggingManager.java", "function": "sendPairingPortToUI" }, "signature_type": "Function" }, { "digest": { "length": 401.0, "function_hash": "69443888503935950301500045610908345926" }, "id": "ASB-A-205836329-66f22333", "source": "https://android.googlesource.com/platform/frameworks/base/+/dc7d96c9e50fb2cc38c1c53eb03b975f6de9d0e7", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/adb/AdbDebuggingManager.java", "function": "updateUIPairCode" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "79966270103071456072311347210828268136", "178895722724654217078468495541203041176", "101940901381823098014669629818112466589", "315453850069888374681992760279197617176" ] }, "id": "ASB-A-205836329-8c1828f3", "source": "https://android.googlesource.com/platform/frameworks/base/+/dc7d96c9e50fb2cc38c1c53eb03b975f6de9d0e7", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/adb/AdbService.java" }, "signature_type": "Line" }, { "digest": { "length": 450.0, "function_hash": "1809661410811964563646412563238828875" }, "id": "ASB-A-205836329-ccb3a964", "source": "https://android.googlesource.com/platform/frameworks/base/+/dc7d96c9e50fb2cc38c1c53eb03b975f6de9d0e7", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/adb/AdbService.java", "function": "broadcastPortInfo" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/dc7d96c9e50fb2cc38c1c53eb03b975f6de9d0e7" ], "spl": "2022-04-01", "severity": "High", "types": [ "EoP" ] }