ASB-A-205836329

See a problem?
Import Source
https://storage.googleapis.com/android-osv/ASB-A-205836329.json
JSON Data
https://api.osv.dev/v1/vulns/ASB-A-205836329
Aliases
  • A-205836329
  • CVE-2021-39794
Published
2022-04-01T00:00:00Z
Modified
2024-08-07T19:29:16.707242Z
Summary
Android 11-12 Normal App Privilege Escalation To ADB Shell
Details

In broadcastPortInfo of AdbService.java, there is a possible way for apps to run code as the shell user, if wireless debugging is enabled, due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

References

Affected packages

Android / platform/frameworks/base

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11:0
Fixed
11:2022-04-01

Affected versions

Other

11

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "214460865753076858139981363307170759420",
                    "57712084791171742259055495213241112872",
                    "281788408117531611386521697779926993933",
                    "71354227178570218253232203822130507410",
                    "34143581265084156714169852221507932008",
                    "206682769734304699586288905710274821956",
                    "263455920462214863689287947825132999179"
                ]
            },
            "id": "ASB-A-205836329-3a07ed4c",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/398b752a440f7d60198f9267334445aba4f9d4eb",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "core/java/android/debug/AdbManager.java"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 450.0,
                "function_hash": "1809661410811964563646412563238828875"
            },
            "id": "ASB-A-205836329-4404b3ed",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/398b752a440f7d60198f9267334445aba4f9d4eb",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/adb/AdbService.java",
                "function": "broadcastPortInfo"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 867.0,
                "function_hash": "330933175472168456026758694636519539114"
            },
            "id": "ASB-A-205836329-5a141d88",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/398b752a440f7d60198f9267334445aba4f9d4eb",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/adb/AdbDebuggingManager.java",
                "function": "onPairingResult"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 401.0,
                "function_hash": "69443888503935950301500045610908345926"
            },
            "id": "ASB-A-205836329-61ba1714",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/398b752a440f7d60198f9267334445aba4f9d4eb",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/adb/AdbDebuggingManager.java",
                "function": "updateUIPairCode"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 391.0,
                "function_hash": "216759512312419691307194172630549751020"
            },
            "id": "ASB-A-205836329-d5030866",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/398b752a440f7d60198f9267334445aba4f9d4eb",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/adb/AdbDebuggingManager.java",
                "function": "sendServerConnectionState"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "250992010931258949528441133623276217929",
                    "238938865862046255046433894841989459817",
                    "287024772226743952697829319897336893686",
                    "235754430573118450327720568203859539942",
                    "285961896369217352623033459806180695196",
                    "79966270103071456072311347210828268136",
                    "117319914789414433299735823314905553893",
                    "214445018262832220616068497676724827780",
                    "256374124716744703704109059140891801788",
                    "141310101586384782804719740356505934828",
                    "71432980429338597679584283512183218559",
                    "50011728795990130188653291872941003947",
                    "177852429003666205744188007255958262889",
                    "86615966631382548580541170759825407446",
                    "54220915018434099458027709304193193372",
                    "172352361912215064953713772687882833753",
                    "52090689273353326284206217491614166848",
                    "138569408808450206197128135988355074933",
                    "82695979731248669925140286977722392081",
                    "230027686912320493609694297595475150734",
                    "31762888068000186702998477970379553200",
                    "251551285150777538662565568171108305815",
                    "192130505632250956040125212124228595405",
                    "115056291531635762877163774590794326839",
                    "223069806025697820854791390506337289988",
                    "207064133989545484935813539786867371922",
                    "205210580948247478497266171960886321747",
                    "89274961258228163901377061442167766785",
                    "328934991541292926540536101031988684141",
                    "198932135795226965432400219121188818179"
                ]
            },
            "id": "ASB-A-205836329-d7e2bb8e",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/398b752a440f7d60198f9267334445aba4f9d4eb",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/adb/AdbDebuggingManager.java"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 326.0,
                "function_hash": "225159457873463063356354899792285648828"
            },
            "id": "ASB-A-205836329-dbd595af",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/398b752a440f7d60198f9267334445aba4f9d4eb",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/adb/AdbDebuggingManager.java",
                "function": "sendPairingPortToUI"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "79966270103071456072311347210828268136",
                    "178895722724654217078468495541203041176",
                    "101940901381823098014669629818112466589",
                    "315453850069888374681992760279197617176"
                ]
            },
            "id": "ASB-A-205836329-e9cab6f4",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/398b752a440f7d60198f9267334445aba4f9d4eb",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/adb/AdbService.java"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 236.0,
                "function_hash": "31452819176191329589609936869751506078"
            },
            "id": "ASB-A-205836329-f8717882",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/398b752a440f7d60198f9267334445aba4f9d4eb",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/adb/AdbDebuggingManager.java",
                "function": "sendPairedDevicesToUI"
            },
            "signature_type": "Function"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/398b752a440f7d60198f9267334445aba4f9d4eb"
    ],
    "spl": "2022-04-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}

Android / platform/frameworks/base

Affected ranges

Type
ECOSYSTEM
Events
Introduced
12:0
Fixed
12:2022-04-01

Affected versions

Other

12

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "length": 867.0,
                "function_hash": "330933175472168456026758694636519539114"
            },
            "id": "ASB-A-205836329-13f448b6",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/dc7d96c9e50fb2cc38c1c53eb03b975f6de9d0e7",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/adb/AdbDebuggingManager.java",
                "function": "onPairingResult"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 236.0,
                "function_hash": "31452819176191329589609936869751506078"
            },
            "id": "ASB-A-205836329-3c7a00ef",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/dc7d96c9e50fb2cc38c1c53eb03b975f6de9d0e7",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/adb/AdbDebuggingManager.java",
                "function": "sendPairedDevicesToUI"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "79966270103071456072311347210828268136",
                    "178895722724654217078468495541203041176",
                    "101940901381823098014669629818112466589",
                    "315453850069888374681992760279197617176"
                ]
            },
            "id": "ASB-A-205836329-4afc1d35",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/dc7d96c9e50fb2cc38c1c53eb03b975f6de9d0e7",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/adb/AdbService.java"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "214460865753076858139981363307170759420",
                    "57712084791171742259055495213241112872",
                    "281788408117531611386521697779926993933",
                    "71354227178570218253232203822130507410",
                    "34143581265084156714169852221507932008",
                    "206682769734304699586288905710274821956",
                    "263455920462214863689287947825132999179"
                ]
            },
            "id": "ASB-A-205836329-7a943e77",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/dc7d96c9e50fb2cc38c1c53eb03b975f6de9d0e7",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "core/java/android/debug/AdbManager.java"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 450.0,
                "function_hash": "1809661410811964563646412563238828875"
            },
            "id": "ASB-A-205836329-83d97736",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/dc7d96c9e50fb2cc38c1c53eb03b975f6de9d0e7",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/adb/AdbService.java",
                "function": "broadcastPortInfo"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 326.0,
                "function_hash": "225159457873463063356354899792285648828"
            },
            "id": "ASB-A-205836329-85794a12",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/dc7d96c9e50fb2cc38c1c53eb03b975f6de9d0e7",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/adb/AdbDebuggingManager.java",
                "function": "sendPairingPortToUI"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "250992010931258949528441133623276217929",
                    "238938865862046255046433894841989459817",
                    "287024772226743952697829319897336893686",
                    "235754430573118450327720568203859539942",
                    "285961896369217352623033459806180695196",
                    "79966270103071456072311347210828268136",
                    "117319914789414433299735823314905553893",
                    "214445018262832220616068497676724827780",
                    "256374124716744703704109059140891801788",
                    "141310101586384782804719740356505934828",
                    "71432980429338597679584283512183218559",
                    "50011728795990130188653291872941003947",
                    "177852429003666205744188007255958262889",
                    "86615966631382548580541170759825407446",
                    "54220915018434099458027709304193193372",
                    "172352361912215064953713772687882833753",
                    "52090689273353326284206217491614166848",
                    "138569408808450206197128135988355074933",
                    "82695979731248669925140286977722392081",
                    "230027686912320493609694297595475150734",
                    "31762888068000186702998477970379553200",
                    "251551285150777538662565568171108305815",
                    "192130505632250956040125212124228595405",
                    "115056291531635762877163774590794326839",
                    "223069806025697820854791390506337289988",
                    "207064133989545484935813539786867371922",
                    "205210580948247478497266171960886321747",
                    "89274961258228163901377061442167766785",
                    "328934991541292926540536101031988684141",
                    "198932135795226965432400219121188818179"
                ]
            },
            "id": "ASB-A-205836329-98a00589",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/dc7d96c9e50fb2cc38c1c53eb03b975f6de9d0e7",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/adb/AdbDebuggingManager.java"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 391.0,
                "function_hash": "216759512312419691307194172630549751020"
            },
            "id": "ASB-A-205836329-9b914832",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/dc7d96c9e50fb2cc38c1c53eb03b975f6de9d0e7",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/adb/AdbDebuggingManager.java",
                "function": "sendServerConnectionState"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 401.0,
                "function_hash": "69443888503935950301500045610908345926"
            },
            "id": "ASB-A-205836329-bc1ca153",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/dc7d96c9e50fb2cc38c1c53eb03b975f6de9d0e7",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/adb/AdbDebuggingManager.java",
                "function": "updateUIPairCode"
            },
            "signature_type": "Function"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/dc7d96c9e50fb2cc38c1c53eb03b975f6de9d0e7"
    ],
    "spl": "2022-04-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}

Android / platform/frameworks/base

Affected ranges

Type
ECOSYSTEM
Events
Introduced
12L:0
Fixed
12L:2022-04-01

Affected versions

Other

12L

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "250992010931258949528441133623276217929",
                    "238938865862046255046433894841989459817",
                    "287024772226743952697829319897336893686",
                    "235754430573118450327720568203859539942",
                    "285961896369217352623033459806180695196",
                    "79966270103071456072311347210828268136",
                    "117319914789414433299735823314905553893",
                    "214445018262832220616068497676724827780",
                    "256374124716744703704109059140891801788",
                    "141310101586384782804719740356505934828",
                    "71432980429338597679584283512183218559",
                    "50011728795990130188653291872941003947",
                    "177852429003666205744188007255958262889",
                    "86615966631382548580541170759825407446",
                    "54220915018434099458027709304193193372",
                    "172352361912215064953713772687882833753",
                    "52090689273353326284206217491614166848",
                    "138569408808450206197128135988355074933",
                    "82695979731248669925140286977722392081",
                    "230027686912320493609694297595475150734",
                    "31762888068000186702998477970379553200",
                    "251551285150777538662565568171108305815",
                    "192130505632250956040125212124228595405",
                    "115056291531635762877163774590794326839",
                    "223069806025697820854791390506337289988",
                    "207064133989545484935813539786867371922",
                    "205210580948247478497266171960886321747",
                    "89274961258228163901377061442167766785",
                    "328934991541292926540536101031988684141",
                    "198932135795226965432400219121188818179"
                ]
            },
            "id": "ASB-A-205836329-1e70350e",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/dc7d96c9e50fb2cc38c1c53eb03b975f6de9d0e7",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/adb/AdbDebuggingManager.java"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 236.0,
                "function_hash": "31452819176191329589609936869751506078"
            },
            "id": "ASB-A-205836329-21554da8",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/dc7d96c9e50fb2cc38c1c53eb03b975f6de9d0e7",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/adb/AdbDebuggingManager.java",
                "function": "sendPairedDevicesToUI"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 867.0,
                "function_hash": "330933175472168456026758694636519539114"
            },
            "id": "ASB-A-205836329-26e71d57",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/dc7d96c9e50fb2cc38c1c53eb03b975f6de9d0e7",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/adb/AdbDebuggingManager.java",
                "function": "onPairingResult"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 391.0,
                "function_hash": "216759512312419691307194172630549751020"
            },
            "id": "ASB-A-205836329-2704e454",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/dc7d96c9e50fb2cc38c1c53eb03b975f6de9d0e7",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/adb/AdbDebuggingManager.java",
                "function": "sendServerConnectionState"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "214460865753076858139981363307170759420",
                    "57712084791171742259055495213241112872",
                    "281788408117531611386521697779926993933",
                    "71354227178570218253232203822130507410",
                    "34143581265084156714169852221507932008",
                    "206682769734304699586288905710274821956",
                    "263455920462214863689287947825132999179"
                ]
            },
            "id": "ASB-A-205836329-3802f5d4",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/dc7d96c9e50fb2cc38c1c53eb03b975f6de9d0e7",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "core/java/android/debug/AdbManager.java"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 326.0,
                "function_hash": "225159457873463063356354899792285648828"
            },
            "id": "ASB-A-205836329-493654cc",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/dc7d96c9e50fb2cc38c1c53eb03b975f6de9d0e7",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/adb/AdbDebuggingManager.java",
                "function": "sendPairingPortToUI"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 401.0,
                "function_hash": "69443888503935950301500045610908345926"
            },
            "id": "ASB-A-205836329-66f22333",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/dc7d96c9e50fb2cc38c1c53eb03b975f6de9d0e7",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/adb/AdbDebuggingManager.java",
                "function": "updateUIPairCode"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "79966270103071456072311347210828268136",
                    "178895722724654217078468495541203041176",
                    "101940901381823098014669629818112466589",
                    "315453850069888374681992760279197617176"
                ]
            },
            "id": "ASB-A-205836329-8c1828f3",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/dc7d96c9e50fb2cc38c1c53eb03b975f6de9d0e7",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/adb/AdbService.java"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 450.0,
                "function_hash": "1809661410811964563646412563238828875"
            },
            "id": "ASB-A-205836329-ccb3a964",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/dc7d96c9e50fb2cc38c1c53eb03b975f6de9d0e7",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/adb/AdbService.java",
                "function": "broadcastPortInfo"
            },
            "signature_type": "Function"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/dc7d96c9e50fb2cc38c1c53eb03b975f6de9d0e7"
    ],
    "spl": "2022-04-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}