ASB-A-219044664

Import Source
https://storage.googleapis.com/android-osv/ASB-A-219044664.json
JSON Data
https://api.osv.dev/v1/vulns/ASB-A-219044664
Aliases
  • A-219044664
  • CVE-2022-20005
Published
2022-05-01T00:00:00Z
Modified
2024-08-07T19:29:40.403771Z
Summary
INSTALL_DONT_KILL_APP can be used to force a mismatch between running code and a parsed APK
Details

In validateApkInstallLocked of PackageInstallerSession.java, there is a way to force a mismatch between running code and a parsed APK. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.

References

Affected packages

Android / platform/frameworks/base

Affected ranges

Type
ECOSYSTEM
Events
Introduced
10:0
Fixed
10:2022-05-01

Affected versions

Other

10

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "length": 6954.0,
                "function_hash": "231990516022432859515481353455776451874"
            },
            "id": "ASB-A-219044664-1a69041b",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/a5dd59db6d1889ae0aa95ef01bbf8c98e360a2f2",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/PackageInstallerSession.java",
                "function": "validateApkInstallLocked"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "180540424809410108203819155674178703077",
                    "310192941804949544849809573407891877990",
                    "119835757437939988808744406930910971941",
                    "70541103374231375402887502243412630152",
                    "33594561195262327339142717655851560430",
                    "155927009038804990930832153736923090981",
                    "250405756640230757845653727125355385240",
                    "203884490892640686155713902095510326404",
                    "99683244548145421579673942579196578890",
                    "240835686705695241023296524170794580937",
                    "250527447965076997283029578436906981614",
                    "117468068627482448288391961128067969669"
                ]
            },
            "id": "ASB-A-219044664-837b635c",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/a5dd59db6d1889ae0aa95ef01bbf8c98e360a2f2",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/PackageInstallerSession.java"
            },
            "signature_type": "Line"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/a5dd59db6d1889ae0aa95ef01bbf8c98e360a2f2"
    ],
    "spl": "2022-05-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}

Android / platform/frameworks/base

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11:0
Fixed
11:2022-05-01

Affected versions

Other

11

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "180540424809410108203819155674178703077",
                    "310192941804949544849809573407891877990",
                    "119835757437939988808744406930910971941",
                    "70541103374231375402887502243412630152",
                    "33594561195262327339142717655851560430",
                    "155927009038804990930832153736923090981",
                    "250405756640230757845653727125355385240",
                    "203884490892640686155713902095510326404",
                    "99683244548145421579673942579196578890",
                    "30731540922810736168728098478051819998",
                    "234229738927911877615018910976101797115",
                    "247795310976460709509992912805621675362"
                ]
            },
            "id": "ASB-A-219044664-8b7c1747",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/52a4337a4790350e8270b0712d9977159c07e096",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/PackageInstallerSession.java"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 7728.0,
                "function_hash": "182370216373814584356638447485313003128"
            },
            "id": "ASB-A-219044664-f8cfcde2",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/52a4337a4790350e8270b0712d9977159c07e096",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/PackageInstallerSession.java",
                "function": "validateApkInstallLocked"
            },
            "signature_type": "Function"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/52a4337a4790350e8270b0712d9977159c07e096"
    ],
    "spl": "2022-05-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}

Android / platform/frameworks/base

Affected ranges

Type
ECOSYSTEM
Events
Introduced
12:0
Fixed
12:2022-05-01

Affected versions

Other

12

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "126649318037345343753490697120452954107",
                    "194773562856015092151238496551787168544",
                    "232480445117399624084228075804858210752",
                    "70541103374231375402887502243412630152",
                    "171320219436343288127093230170613975268",
                    "241106788494647486170183478616371241689",
                    "286485087625539031559168727923564794757",
                    "119023713081308280265343167240695200326",
                    "99683244548145421579673942579196578890",
                    "30731540922810736168728098478051819998",
                    "234229738927911877615018910976101797115",
                    "247795310976460709509992912805621675362"
                ]
            },
            "id": "ASB-A-219044664-71a43813",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/5b2e8af805e559c484f4c17d96459a3284d48824",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/PackageInstallerSession.java"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 8530.0,
                "function_hash": "208139483470825842445175165543268099324"
            },
            "id": "ASB-A-219044664-81a2541b",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/5b2e8af805e559c484f4c17d96459a3284d48824",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/PackageInstallerSession.java",
                "function": "validateApkInstallLocked"
            },
            "signature_type": "Function"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/5b2e8af805e559c484f4c17d96459a3284d48824"
    ],
    "spl": "2022-05-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}

Android / platform/frameworks/base

Affected ranges

Type
ECOSYSTEM
Events
Introduced
12L:0
Fixed
12L:2022-05-01

Affected versions

Other

12L

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "length": 8530.0,
                "function_hash": "208139483470825842445175165543268099324"
            },
            "id": "ASB-A-219044664-5262c664",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/36b0e9e94c3af7e5f81b88d68447c890d1126498",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/PackageInstallerSession.java",
                "function": "validateApkInstallLocked"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "126649318037345343753490697120452954107",
                    "194773562856015092151238496551787168544",
                    "232480445117399624084228075804858210752",
                    "70541103374231375402887502243412630152",
                    "171320219436343288127093230170613975268",
                    "241106788494647486170183478616371241689",
                    "286485087625539031559168727923564794757",
                    "119023713081308280265343167240695200326",
                    "99683244548145421579673942579196578890",
                    "30731540922810736168728098478051819998",
                    "234229738927911877615018910976101797115",
                    "247795310976460709509992912805621675362"
                ]
            },
            "id": "ASB-A-219044664-967ee436",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/36b0e9e94c3af7e5f81b88d68447c890d1126498",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/pm/PackageInstallerSession.java"
            },
            "signature_type": "Line"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/36b0e9e94c3af7e5f81b88d68447c890d1126498"
    ],
    "spl": "2022-05-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}