In access_secure_service_from_temp_bond of btm_sec.cc, there is a possible way to achieve keystroke injection due to improper input validation. This could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "length": 232.0, "function_hash": "333735336583064087039902703448593069282" }, "id": "ASB-A-318374503-3ca3c81e", "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/9402b43e919b3706d33a4534e13468b95896b5c5", "deprecated": false, "signature_version": "v1", "target": { "file": "system/stack/btm/btm_sec.cc", "function": "access_secure_service_from_temp_bond" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "73020516892836227850873902746339412076", "225516260501769301590541943710397904252", "105654584775185336510310529998476958019", "325063771327590450643352016418496974272" ] }, "id": "ASB-A-318374503-c8a82fef", "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/9402b43e919b3706d33a4534e13468b95896b5c5", "deprecated": false, "signature_version": "v1", "target": { "file": "system/stack/btm/btm_sec.cc" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/9402b43e919b3706d33a4534e13468b95896b5c5" ], "spl": "2024-03-01", "severity": "Critical", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "231790709002883891973800308045898413132", "295905668830846017767970564492123207739", "295610151115085055824572039453931712567", "17400750266784036359344154410214078877", "227633893623229621582798433050040704196" ] }, "id": "ASB-A-318374503-88fe4656", "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/62944f39f502b28687a5142ec2d77585525591bc", "deprecated": false, "signature_version": "v1", "target": { "file": "system/stack/btm/btm_sec.cc" }, "signature_type": "Line" }, { "digest": { "length": 212.0, "function_hash": "115920379014818069597213206974632673599" }, "id": "ASB-A-318374503-9eb84a84", "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/62944f39f502b28687a5142ec2d77585525591bc", "deprecated": false, "signature_version": "v1", "target": { "file": "system/stack/btm/btm_sec.cc", "function": "access_secure_service_from_temp_bond" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/62944f39f502b28687a5142ec2d77585525591bc" ], "spl": "2024-03-01", "severity": "Critical", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "231790709002883891973800308045898413132", "295905668830846017767970564492123207739", "295610151115085055824572039453931712567", "17400750266784036359344154410214078877", "227633893623229621582798433050040704196" ] }, "id": "ASB-A-318374503-6f9c3a80", "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/62944f39f502b28687a5142ec2d77585525591bc", "deprecated": false, "signature_version": "v1", "target": { "file": "system/stack/btm/btm_sec.cc" }, "signature_type": "Line" }, { "digest": { "length": 212.0, "function_hash": "115920379014818069597213206974632673599" }, "id": "ASB-A-318374503-8054a4a2", "source": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/62944f39f502b28687a5142ec2d77585525591bc", "deprecated": false, "signature_version": "v1", "target": { "file": "system/stack/btm/btm_sec.cc", "function": "access_secure_service_from_temp_bond" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/62944f39f502b28687a5142ec2d77585525591bc" ], "spl": "2024-03-01", "severity": "Critical", "types": [ "EoP" ] }