In updateServicesLocked of AccessibilityManagerService.java, there is a possible way for an app to be hidden from the Setting while retaining Accessibility Service due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "16351716779938417858222206942405565388", "318233294777691992028525546815303117132", "69102399445628845693840405755057925358", "17282063580431758823195469718657335965", "29241121102181293544482375847729051410", "32916341052150067112772034552314723220", "83684619035523255534892517589474714090", "241844383312430506646807325760702564423", "146927061287855307579181888815117374125", "32016434898657174529706919366923317883", "128209730887649040410085733263337595484" ] }, "id": "ASB-A-326485767-42808d95", "source": "https://android.googlesource.com/platform/frameworks/base/+/5405514a23edcba0cf30e6ec78189e3f4e7d95cf", "deprecated": false, "signature_version": "v1", "target": { "file": "services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java" }, "signature_type": "Line" }, { "digest": { "length": 1702.0, "function_hash": "237481197364134205644156268512456040514" }, "id": "ASB-A-326485767-94947aaf", "source": "https://android.googlesource.com/platform/frameworks/base/+/5405514a23edcba0cf30e6ec78189e3f4e7d95cf", "deprecated": false, "signature_version": "v1", "target": { "file": "services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java", "function": "updateServicesLocked" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/5405514a23edcba0cf30e6ec78189e3f4e7d95cf" ], "spl": "2024-06-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "16351716779938417858222206942405565388", "318233294777691992028525546815303117132", "69102399445628845693840405755057925358", "17282063580431758823195469718657335965", "29241121102181293544482375847729051410", "32916341052150067112772034552314723220", "83684619035523255534892517589474714090", "241844383312430506646807325760702564423", "146927061287855307579181888815117374125", "32016434898657174529706919366923317883", "128209730887649040410085733263337595484" ] }, "id": "ASB-A-326485767-37a1a064", "source": "https://android.googlesource.com/platform/frameworks/base/+/412427d7a8c99fd0470483a5a20b50ba8642a1db", "deprecated": false, "signature_version": "v1", "target": { "file": "services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java" }, "signature_type": "Line" }, { "digest": { "length": 1702.0, "function_hash": "237481197364134205644156268512456040514" }, "id": "ASB-A-326485767-92640f7b", "source": "https://android.googlesource.com/platform/frameworks/base/+/412427d7a8c99fd0470483a5a20b50ba8642a1db", "deprecated": false, "signature_version": "v1", "target": { "file": "services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java", "function": "updateServicesLocked" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/412427d7a8c99fd0470483a5a20b50ba8642a1db" ], "spl": "2024-06-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "16351716779938417858222206942405565388", "318233294777691992028525546815303117132", "69102399445628845693840405755057925358", "17282063580431758823195469718657335965", "29241121102181293544482375847729051410", "32916341052150067112772034552314723220", "83684619035523255534892517589474714090", "241844383312430506646807325760702564423", "146927061287855307579181888815117374125", "32016434898657174529706919366923317883", "128209730887649040410085733263337595484" ] }, "id": "ASB-A-326485767-8a83a444", "source": "https://android.googlesource.com/platform/frameworks/base/+/766911c3312573196b33efd1c3c29ccece806846", "deprecated": false, "signature_version": "v1", "target": { "file": "services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java" }, "signature_type": "Line" }, { "digest": { "length": 1702.0, "function_hash": "237481197364134205644156268512456040514" }, "id": "ASB-A-326485767-8f6d884a", "source": "https://android.googlesource.com/platform/frameworks/base/+/766911c3312573196b33efd1c3c29ccece806846", "deprecated": false, "signature_version": "v1", "target": { "file": "services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java", "function": "updateServicesLocked" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/766911c3312573196b33efd1c3c29ccece806846" ], "spl": "2024-06-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "203559070635639168501251831115072699849", "110995883530772940642188919209479069590", "79433123240605589203927884978662908669", "17282063580431758823195469718657335965", "29241121102181293544482375847729051410", "32916341052150067112772034552314723220", "83684619035523255534892517589474714090", "241844383312430506646807325760702564423", "146927061287855307579181888815117374125", "32016434898657174529706919366923317883", "71083680968358107861588739952857861883" ] }, "id": "ASB-A-326485767-adef4a9a", "source": "https://android.googlesource.com/platform/frameworks/base/+/f6192d3a77520d40b6a93de8f45400e19f5ba29f", "deprecated": false, "signature_version": "v1", "target": { "file": "services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java" }, "signature_type": "Line" }, { "digest": { "length": 1936.0, "function_hash": "125819437784231376011864688327948081010" }, "id": "ASB-A-326485767-e560472a", "source": "https://android.googlesource.com/platform/frameworks/base/+/f6192d3a77520d40b6a93de8f45400e19f5ba29f", "deprecated": false, "signature_version": "v1", "target": { "file": "services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java", "function": "updateServicesLocked" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/f6192d3a77520d40b6a93de8f45400e19f5ba29f" ], "spl": "2024-06-01", "severity": "High", "types": [ "EoP" ] }