In onPrimaryClipChanged of ClipboardListener.java, there is a possible way to bypass factory reset protection due to incorrect UI being shown prior to setup completion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "156089486446672276104939384709799485012", "247489564588645683066041968166888899408", "159333107798570288722831522931981089116", "7779789082296313623919544458835083841" ] }, "id": "ASB-A-251778420-1ba90f53", "source": "https://android.googlesource.com/platform/frameworks/base/+/828a0f4119dc9fcc4d37b7bebf273e50ad9452f8", "deprecated": false, "signature_version": "v1", "target": { "file": "packages/SystemUI/src/com/android/systemui/clipboardoverlay/ClipboardOverlayEvent.java" }, "signature_type": "Line" }, { "digest": { "length": 370.0, "function_hash": "163616617409505397925772287913492927131" }, "id": "ASB-A-251778420-e65b21b2", "source": "https://android.googlesource.com/platform/frameworks/base/+/828a0f4119dc9fcc4d37b7bebf273e50ad9452f8", "deprecated": false, "signature_version": "v1", "target": { "file": "packages/SystemUI/src/com/android/systemui/clipboardoverlay/ClipboardListener.java", "function": "ClipboardListener" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "309581880082468664890615874362150298307", "290713473686484743134435199018660868192", "125086800664531810233244192573394945604", "213397167234201302211258576993310905521", "278022484617456028622226787674637850115", "223822114968220071995820990362281277239", "60254624148788914146812642766198597675", "122477520417919189248448050365781709757", "131612434293971132997415771018155786932", "269608855099054148987306395709298825063", "122452521751584533698827875918308582641", "74404033281583706059496170027092788709", "19406050301543940170011858521462660821", "257953885181127943614555779612410865412", "151674660547208224282796242661472765441", "241456740878156651035435419854837801161", "271939621894415413819538425139888966960", "286854077548159339452735490885179277316", "12032462277226907458175941468009316201", "193313797412553161777221056153129801807", "248560729695152217155726981239557645810", "156321972731938097640597609995111951200", "75738616800887975703766665217168134669", "108942948949134335390799107156065291892", "70759375248159447586080211205304490687", "63117889591247637637495899209034550212", "95057946815911575937226800607872892391", "334913295936487476872037364203414688009", "310139932874319052922534928380921507855", "229863061187885724883184160459852161773" ] }, "id": "ASB-A-251778420-f7763afd", "source": "https://android.googlesource.com/platform/frameworks/base/+/828a0f4119dc9fcc4d37b7bebf273e50ad9452f8", "deprecated": false, "signature_version": "v1", "target": { "file": "packages/SystemUI/src/com/android/systemui/clipboardoverlay/ClipboardListener.java" }, "signature_type": "Line" }, { "digest": { "length": 858.0, "function_hash": "219351335013367947261065571847453308197" }, "id": "ASB-A-251778420-fd45b4c8", "source": "https://android.googlesource.com/platform/frameworks/base/+/828a0f4119dc9fcc4d37b7bebf273e50ad9452f8", "deprecated": false, "signature_version": "v1", "target": { "file": "packages/SystemUI/src/com/android/systemui/clipboardoverlay/ClipboardListener.java", "function": "onPrimaryClipChanged" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/828a0f4119dc9fcc4d37b7bebf273e50ad9452f8" ], "spl": "2023-03-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "309581880082468664890615874362150298307", "290713473686484743134435199018660868192", "125086800664531810233244192573394945604", "213397167234201302211258576993310905521", "278022484617456028622226787674637850115", "223822114968220071995820990362281277239", "60254624148788914146812642766198597675", "122477520417919189248448050365781709757", "131612434293971132997415771018155786932", "125779980347631476019928671724312763687", "169493190944002751429899487613272271182", "66879199921287805607875445529951955848", "314842808877825538817675070553731191825", "25229828275610777341056241225813543088", "281089925387180210179754115820347940627", "170124664270987702032518632205966714408", "195365186065560602252128432150883688526", "104183916122917838078245832284816992076", "98812802323807388100124691672265923753", "74503409301123797152219791772415137143", "330786941628146078507284131374059267072", "203857675260388581819490843047309835141", "52755846890464675160805277348157355398", "70759375248159447586080211205304490687", "63117889591247637637495899209034550212", "95057946815911575937226800607872892391", "255968344502106778106651872309622454916" ] }, "id": "ASB-A-251778420-19954fb6", "source": "https://android.googlesource.com/platform/frameworks/base/+/d7a278b39b01cc702b662be8b34bce1d57a9c1bc", "deprecated": false, "signature_version": "v1", "target": { "file": "packages/SystemUI/src/com/android/systemui/clipboardoverlay/ClipboardListener.java" }, "signature_type": "Line" }, { "digest": { "length": 205.0, "function_hash": "183291673990674099932770244616853195957" }, "id": "ASB-A-251778420-c3f65ed1", "source": "https://android.googlesource.com/platform/frameworks/base/+/d7a278b39b01cc702b662be8b34bce1d57a9c1bc", "deprecated": false, "signature_version": "v1", "target": { "file": "packages/SystemUI/src/com/android/systemui/clipboardoverlay/ClipboardListener.java", "function": "ClipboardListener" }, "signature_type": "Function" }, { "digest": { "length": 700.0, "function_hash": "279707309442175443040838845589895096753" }, "id": "ASB-A-251778420-ca61cee5", "source": "https://android.googlesource.com/platform/frameworks/base/+/d7a278b39b01cc702b662be8b34bce1d57a9c1bc", "deprecated": false, "signature_version": "v1", "target": { "file": "packages/SystemUI/src/com/android/systemui/clipboardoverlay/ClipboardListener.java", "function": "onPrimaryClipChanged" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "156089486446672276104939384709799485012", "247489564588645683066041968166888899408", "159333107798570288722831522931981089116", "7779789082296313623919544458835083841" ] }, "id": "ASB-A-251778420-d886441c", "source": "https://android.googlesource.com/platform/frameworks/base/+/d7a278b39b01cc702b662be8b34bce1d57a9c1bc", "deprecated": false, "signature_version": "v1", "target": { "file": "packages/SystemUI/src/com/android/systemui/clipboardoverlay/ClipboardOverlayEvent.java" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/d7a278b39b01cc702b662be8b34bce1d57a9c1bc" ], "spl": "2023-03-01", "severity": "High", "types": [ "EoP" ] }