In retrieveServiceLocked of ActiveServices.java, there is a possible way to dynamically register a BroadcastReceiver using permissions of System App due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "length": 8820.0, "function_hash": "216548716323191802951229366658254318471" }, "id": "ASB-A-242040055-57be390e", "source": "https://android.googlesource.com/platform/frameworks/base/+/790a8d0dd329460bc60456681cb446accf2a27e0", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/am/ActiveServices.java", "function": "retrieveServiceLocked" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "55588285223667247134227640611154823163", "207445359602225235167182124341087884773", "233467424907378942754521188775349457677", "86491822422217330916939975194732782084" ] }, "id": "ASB-A-242040055-974fe156", "source": "https://android.googlesource.com/platform/frameworks/base/+/790a8d0dd329460bc60456681cb446accf2a27e0", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/am/ActiveServices.java" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/790a8d0dd329460bc60456681cb446accf2a27e0" ], "spl": "2023-04-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "length": 7321.0, "function_hash": "201736581176026588707715363377540875288" }, "id": "ASB-A-242040055-17970a8d", "source": "https://android.googlesource.com/platform/frameworks/base/+/4f0dc37b896e06086391e71ce471e413215e1130", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/am/ActiveServices.java", "function": "retrieveServiceLocked" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "55588285223667247134227640611154823163", "207445359602225235167182124341087884773", "233467424907378942754521188775349457677", "86491822422217330916939975194732782084" ] }, "id": "ASB-A-242040055-e53d1fdb", "source": "https://android.googlesource.com/platform/frameworks/base/+/4f0dc37b896e06086391e71ce471e413215e1130", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/am/ActiveServices.java" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/4f0dc37b896e06086391e71ce471e413215e1130" ], "spl": "2023-04-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "55588285223667247134227640611154823163", "207445359602225235167182124341087884773", "233467424907378942754521188775349457677", "86491822422217330916939975194732782084" ] }, "id": "ASB-A-242040055-78058151", "source": "https://android.googlesource.com/platform/frameworks/base/+/8460609f01147d2a7e849eca1ca895211530b589", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/am/ActiveServices.java" }, "signature_type": "Line" }, { "digest": { "length": 8362.0, "function_hash": "58200418806009731186248907486968895829" }, "id": "ASB-A-242040055-c373130f", "source": "https://android.googlesource.com/platform/frameworks/base/+/8460609f01147d2a7e849eca1ca895211530b589", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/am/ActiveServices.java", "function": "retrieveServiceLocked" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/8460609f01147d2a7e849eca1ca895211530b589" ], "spl": "2023-04-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "length": 8362.0, "function_hash": "58200418806009731186248907486968895829" }, "id": "ASB-A-242040055-2b882130", "source": "https://android.googlesource.com/platform/frameworks/base/+/8bf1ae31eec0a5673dd55896e7b6de5e0bbe0460", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/am/ActiveServices.java", "function": "retrieveServiceLocked" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "55588285223667247134227640611154823163", "207445359602225235167182124341087884773", "233467424907378942754521188775349457677", "86491822422217330916939975194732782084" ] }, "id": "ASB-A-242040055-65b672aa", "source": "https://android.googlesource.com/platform/frameworks/base/+/8bf1ae31eec0a5673dd55896e7b6de5e0bbe0460", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/am/ActiveServices.java" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/8bf1ae31eec0a5673dd55896e7b6de5e0bbe0460" ], "spl": "2023-04-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "length": 8362.0, "function_hash": "58200418806009731186248907486968895829" }, "id": "ASB-A-242040055-3ed434eb", "source": "https://android.googlesource.com/platform/frameworks/base/+/8bf1ae31eec0a5673dd55896e7b6de5e0bbe0460", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/am/ActiveServices.java", "function": "retrieveServiceLocked" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "55588285223667247134227640611154823163", "207445359602225235167182124341087884773", "233467424907378942754521188775349457677", "86491822422217330916939975194732782084" ] }, "id": "ASB-A-242040055-78448841", "source": "https://android.googlesource.com/platform/frameworks/base/+/8bf1ae31eec0a5673dd55896e7b6de5e0bbe0460", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/am/ActiveServices.java" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/8bf1ae31eec0a5673dd55896e7b6de5e0bbe0460" ], "spl": "2023-04-01", "severity": "High", "types": [ "EoP" ] }