In CompanionDeviceManagerService.java, there is a possible way to pair a companion device without user acceptance due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "length": 379.0, "function_hash": "102204838511393825562015089429236352000" }, "id": "ASB-A-313428840-8fae5daa", "source": "https://android.googlesource.com/platform/frameworks/base/+/1f31bb181fc56f3deab5ce0d199220404991c438", "deprecated": false, "signature_version": "v1", "target": { "file": "services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java", "function": "onShellCommand" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "188594284336700554854397148804721010541", "145320688309268345662152260291470725413", "7431628385945509680077112363191503693", "100714508666420622330621387876412571307", "191964982586776928958714552677092622024", "95171455182987912448171911664558991177", "47304871896001922448253629926867884951", "96175693692410008216253105950369440776", "190808728275320663413579279295464299389", "35098791035505035869716637782121295573", "205674531604651006279888049728957429478", "259825123994287145354548690475839784389", "303513712870750449856777415963882022463", "110065593151944494037361116776898686475", "309970897985635709644794294013147668243", "160630655781335695108291450589529055142" ] }, "id": "ASB-A-313428840-f8389a01", "source": "https://android.googlesource.com/platform/frameworks/base/+/1f31bb181fc56f3deab5ce0d199220404991c438", "deprecated": false, "signature_version": "v1", "target": { "file": "services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/1f31bb181fc56f3deab5ce0d199220404991c438" ], "spl": "2024-06-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "198417102019566965033004324174900915000", "106731530058025131814064552595365079508", "259854388630901689928062483535759239212", "177116941139200848688262351973357514853", "250278039044071273978507250667799992651", "178672541915472496330539980743169647956", "7431628385945509680077112363191503693", "246953437866070915788126880217937169120", "293772405389057592984504696320407616179", "148240534737526401940279042131038406955", "110494622924150882873229481353539473841", "96175693692410008216253105950369440776", "190808728275320663413579279295464299389", "273728074536137173621308549930505367168", "184498651880435337515698787098679684847", "122856698942481140566106757287080089266", "277499077012557027664116691943745193601" ] }, "id": "ASB-A-313428840-a1e7ca6e", "source": "https://android.googlesource.com/platform/frameworks/base/+/8d008c61451dba86aa9f14c6bcd661db2cea4856", "deprecated": false, "signature_version": "v1", "target": { "file": "services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java" }, "signature_type": "Line" }, { "digest": { "length": 214.0, "function_hash": "155144965027971143031095477841855440924" }, "id": "ASB-A-313428840-f3953abf", "source": "https://android.googlesource.com/platform/frameworks/base/+/8d008c61451dba86aa9f14c6bcd661db2cea4856", "deprecated": false, "signature_version": "v1", "target": { "file": "services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java", "function": "onShellCommand" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/8d008c61451dba86aa9f14c6bcd661db2cea4856" ], "spl": "2024-06-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "length": 214.0, "function_hash": "155144965027971143031095477841855440924" }, "id": "ASB-A-313428840-6593c2bd", "source": "https://android.googlesource.com/platform/frameworks/base/+/eb68b0d423afb55159b1c02b0897f597c0905916", "deprecated": false, "signature_version": "v1", "target": { "file": "services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java", "function": "onShellCommand" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "198417102019566965033004324174900915000", "106731530058025131814064552595365079508", "259854388630901689928062483535759239212", "177116941139200848688262351973357514853", "250278039044071273978507250667799992651", "178672541915472496330539980743169647956", "7431628385945509680077112363191503693", "246953437866070915788126880217937169120", "293772405389057592984504696320407616179", "148240534737526401940279042131038406955", "110494622924150882873229481353539473841", "96175693692410008216253105950369440776", "190808728275320663413579279295464299389", "273728074536137173621308549930505367168", "184498651880435337515698787098679684847", "122856698942481140566106757287080089266", "277499077012557027664116691943745193601" ] }, "id": "ASB-A-313428840-ce5e4705", "source": "https://android.googlesource.com/platform/frameworks/base/+/eb68b0d423afb55159b1c02b0897f597c0905916", "deprecated": false, "signature_version": "v1", "target": { "file": "services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/eb68b0d423afb55159b1c02b0897f597c0905916" ], "spl": "2024-06-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "length": 364.0, "function_hash": "213505421070328446555639739870397291866" }, "id": "ASB-A-313428840-1d48c105", "source": "https://android.googlesource.com/platform/frameworks/base/+/1ae3b43c248cdf5ee63311f06acd0ee19d93f0cd", "deprecated": false, "signature_version": "v1", "target": { "file": "services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java", "function": "onShellCommand" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "224823870887417987122034460775929210660", "46025526446874290439700405031423217070", "133182271192193300113214878455391897200", "67104893964950896427422683247559532800", "188594284336700554854397148804721010541", "145320688309268345662152260291470725413", "7431628385945509680077112363191503693", "100714508666420622330621387876412571307", "191964982586776928958714552677092622024", "95171455182987912448171911664558991177", "47304871896001922448253629926867884951", "96175693692410008216253105950369440776", "190808728275320663413579279295464299389", "80404283468252972241490381301765285172", "327466180200887364537581424535003343113", "264105563878247808248529109610066493092", "113813386604831852471690434044119960007", "330536976961184503700755228623585881764", "73931761952328427351917291064524100114", "157426751914106267864970440405581315537", "110632165724422251277447466530839143976", "121866084840164263896269922453974290945" ] }, "id": "ASB-A-313428840-a4a7a2fb", "source": "https://android.googlesource.com/platform/frameworks/base/+/1ae3b43c248cdf5ee63311f06acd0ee19d93f0cd", "deprecated": false, "signature_version": "v1", "target": { "file": "services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/1ae3b43c248cdf5ee63311f06acd0ee19d93f0cd" ], "spl": "2024-06-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "188594284336700554854397148804721010541", "145320688309268345662152260291470725413", "7431628385945509680077112363191503693", "100714508666420622330621387876412571307", "191964982586776928958714552677092622024", "95171455182987912448171911664558991177", "47304871896001922448253629926867884951", "96175693692410008216253105950369440776", "190808728275320663413579279295464299389", "35098791035505035869716637782121295573", "28635933736701976854884262025547592214", "102117236988273943933989309643162366509", "162584322155829619721750585531513676310", "117336191363162470512981144321104059964", "309970897985635709644794294013147668243", "160630655781335695108291450589529055142" ] }, "id": "ASB-A-313428840-b7b6be60", "source": "https://android.googlesource.com/platform/frameworks/base/+/54c968aaa66e9364bc0380c9a57af5c6844759aa", "deprecated": false, "signature_version": "v1", "target": { "file": "services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java" }, "signature_type": "Line" }, { "digest": { "length": 382.0, "function_hash": "336279034343393733676619928393466321382" }, "id": "ASB-A-313428840-d256bd2c", "source": "https://android.googlesource.com/platform/frameworks/base/+/54c968aaa66e9364bc0380c9a57af5c6844759aa", "deprecated": false, "signature_version": "v1", "target": { "file": "services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java", "function": "onShellCommand" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/54c968aaa66e9364bc0380c9a57af5c6844759aa" ], "spl": "2024-06-01", "severity": "High", "types": [ "EoP" ] }