In registerReceiverWithFeature of ActivityManagerService.java, there is a possible way for isolated processes to register a broadcast receiver due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "length": 6173.0, "function_hash": "152932676432980376312038644622776302193" }, "id": "ASB-A-263358101-b98b346f", "source": "https://android.googlesource.com/platform/frameworks/base/+/43b8a91b0584dd1c6a136702e68e1f0cd519cb51", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/am/ActivityManagerService.java", "function": "registerReceiverWithFeature" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "214473966615738178518306172651600075848", "144445493020248977507263260612794207235", "123846932426842070665861656378649937707", "248061898277295565704131184295158899185", "250881491421487870269010148820150436192", "261597286108408192172661765512123600610", "12383996178456683922944852262336941246", "126682358563243152092669369697831739500", "289569127497408046308750434801925785998" ] }, "id": "ASB-A-263358101-f4189bc6", "source": "https://android.googlesource.com/platform/frameworks/base/+/43b8a91b0584dd1c6a136702e68e1f0cd519cb51", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/am/ActivityManagerService.java" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/43b8a91b0584dd1c6a136702e68e1f0cd519cb51" ], "spl": "2023-05-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "length": 6202.0, "function_hash": "63084740659856142944913298477939814480" }, "id": "ASB-A-263358101-2025e6bd", "source": "https://android.googlesource.com/platform/frameworks/base/+/ca49ddc03fc161e11e4ea99a3e70ef766715410f", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/am/ActivityManagerService.java", "function": "registerReceiverWithFeature" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "214473966615738178518306172651600075848", "144445493020248977507263260612794207235", "123846932426842070665861656378649937707", "248061898277295565704131184295158899185", "250881491421487870269010148820150436192", "261597286108408192172661765512123600610", "12383996178456683922944852262336941246", "126682358563243152092669369697831739500", "289569127497408046308750434801925785998" ] }, "id": "ASB-A-263358101-af28caf6", "source": "https://android.googlesource.com/platform/frameworks/base/+/ca49ddc03fc161e11e4ea99a3e70ef766715410f", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/am/ActivityManagerService.java" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/ca49ddc03fc161e11e4ea99a3e70ef766715410f" ], "spl": "2023-05-01", "severity": "High", "types": [ "EoP" ] }