In setSkipPrompt of AssociationRequest.java , there is a possible way to establish a companion device association without any confirmation due to CDM. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "67950038913822548496977403571025662121", "222725767583171763006265824348111716351", "286500330299365691393581685729299877668", "166044803054551522655759985343015696389", "151376619027520813586001682013091186310", "194068989226376155571126814800988254819", "257382018809139542673220738604381729552" ] }, "id": "ASB-A-329230490-6b902821", "source": "https://android.googlesource.com/platform/frameworks/base/+/71418ecfa539b99d9bb0053d1de5060040bdf02f", "deprecated": false, "signature_version": "v1", "target": { "file": "services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java" }, "signature_type": "Line" }, { "digest": { "length": 1588.0, "function_hash": "37463952415737052809221431915743857188" }, "id": "ASB-A-329230490-a592a235", "source": "https://android.googlesource.com/platform/frameworks/base/+/71418ecfa539b99d9bb0053d1de5060040bdf02f", "deprecated": false, "signature_version": "v1", "target": { "file": "services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java", "function": "associate" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/56ac420b653da3f716f37a77780d7a74bc5fc439", "https://android.googlesource.com/platform/frameworks/base/+/71418ecfa539b99d9bb0053d1de5060040bdf02f" ], "spl": "2024-07-01", "severity": "Critical", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "67950038913822548496977403571025662121", "222725767583171763006265824348111716351", "286500330299365691393581685729299877668", "166044803054551522655759985343015696389", "151376619027520813586001682013091186310", "194068989226376155571126814800988254819", "257382018809139542673220738604381729552" ] }, "id": "ASB-A-329230490-3f23a8b1", "source": "https://android.googlesource.com/platform/frameworks/base/+/f28e88e53d57779fff5900d1811ffa07ab174640", "deprecated": false, "signature_version": "v1", "target": { "file": "services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java" }, "signature_type": "Line" }, { "digest": { "length": 1683.0, "function_hash": "65861310754994395892854568185787642004" }, "id": "ASB-A-329230490-8ac5bf9f", "source": "https://android.googlesource.com/platform/frameworks/base/+/f28e88e53d57779fff5900d1811ffa07ab174640", "deprecated": false, "signature_version": "v1", "target": { "file": "services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java", "function": "associate" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/be2e3b05858ba7a6349f5487d2658d00853b11cd", "https://android.googlesource.com/platform/frameworks/base/+/f28e88e53d57779fff5900d1811ffa07ab174640" ], "spl": "2024-07-01", "severity": "Critical", "types": [ "EoP" ] }