CVE-2022-20004 - Improper Input Validation Vulnerability in checkSlicePermission of SliceManagerService.java on Android 10, 11, 12, and 12L

A local privilege escalation vulnerability has been discovered in Android versions 10, 11, 12, and 12L. The vulnerability, identified as CVE-2022-20004, originates from an improper input validation issue in the 'checkSlicePermission' function of the 'SliceManagerService.java' file. The flaw potentially allows an attacker to access any slice URI without proper authorization, thereby escalating their privileges on the target device.

Details

This vulnerability arises from insufficient validation of user-supplied input in the 'checkSlicePermission' function in 'SliceManagerService.java', which is responsible for ensuring that only authorized entities can access slice URIs. As a result, a malformed input could bypass the access control mechanism, granting unintended access to crucial system resources.

The problematic code snippet from 'SliceManagerService.java' is shown below:

void checkSlicePermission(Uri uri, int pid, int uid) {
    // Only the caller's permission is tested; the uri parameter is never inspected.
    if (mContext.checkPermission(permission.INTERACT_ACROSS_USERS, pid, uid) != PERMISSION_GRANTED) {
        throw new SecurityException("Permission denial: " + "pid=" + pid + ", uid=" + uid);
    }
}

The issue here is that the input validation procedure is inadequate, as it only checks for the "INTERACT_ACROSS_USERS" permission without properly examining the supplied URI. Consequently, an attacker can exploit this oversight to access any slice URI by manipulating the input parameters.
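
As an added illustration (not code from AOSP or from this advisory), the following plain-Java model contrasts a permission-only check like the snippet above with one that derives its decision from the URI. The class name, the uids and the owner and grant tables are constructed assumptions, and java.net.URI stands in for android.net.Uri so the model runs off-device.

```java
import java.net.URI;
import java.util.Map;
import java.util.Set;

// Plain-Java model of the check (added example, not AOSP code).
// All uids, authorities and tables are constructed sample data.
public class SlicePermissionModel {
    // Authority -> uid of the app that owns the slice provider.
    static final Map<String, Integer> PROVIDER_OWNER =
            Map.of("com.example.target_app.slice", 10050);
    // "uid|authority" pairs that were explicitly granted slice access.
    static final Set<String> GRANTS = Set.of("10077|com.example.target_app.slice");
    // Uids holding the broad permission that the page's snippet tests.
    static final Set<Integer> BROAD_PERMISSION = Set.of(10099);

    // Mirrors the page's snippet: the uri parameter is never inspected.
    static boolean permissionOnly(URI uri, int uid) {
        return BROAD_PERMISSION.contains(uid);
    }

    // Hardened form: the decision is derived from the URI itself.
    static boolean uriAware(URI uri, int uid) {
        if (uri == null || !"content".equals(uri.getScheme())) {
            return false;                       // only content:// URIs name slices
        }
        String authority = uri.getAuthority();
        if (authority == null) {
            return false;                       // no provider named: deny
        }
        Integer owner = PROVIDER_OWNER.get(authority);
        if (owner == null) {
            return false;                       // unknown provider: deny by default
        }
        return owner == uid || GRANTS.contains(uid + "|" + authority);
    }

    public static void main(String[] args) {
        URI target = URI.create("content://com.example.target_app.slice/status");
        int[] callers = {10050, 10077, 10099};  // owner, grantee, broad permission only
        for (int uid : callers) {
            System.out.printf("uid=%d permissionOnly=%b uriAware=%b%n",
                    uid, permissionOnly(target, uid), uriAware(target, uid));
        }
    }
}
```

In this model the caller that holds only the broad permission passes the permission-only check for any URI, while the URI-aware check admits just the provider's owner and the explicit grantee.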

Exploit details

Exploiting this vulnerability does not require any additional execution privileges or user interaction, making it particularly dangerous, as it can be used by malicious apps or rogue processes running on the target device. An attacker can construct code that supplies malformed input, similar to:

try {
    Uri targetSliceUri = Uri.parse("content://com.example.target_app.slice");
    int maliciousUid = getMaliciousUid();
    int maliciousPid = getMaliciousPid();
    sliceManagerService.checkSlicePermission(targetSliceUri, maliciousPid, maliciousUid);
} catch (SecurityException e) {
    // Handle security exception
}

Upon executing the code above, the attacker would be granted unauthorized access to the target slice URI. This attack vector can lead to the compromise of sensitive data or further privilege escalation, depending on the slice content and system configurations.

Official references

- Android Security Bulletin: Android Security Updates
- Android Open Source Project (AOSP) issue tracker: A-179699767

Mitigation

Google has released patches to address this vulnerability in affected Android versions. Device manufacturers have been notified, and it is highly recommended to update your Android devices as soon as possible. Ensure that all the apps installed on your device are downloaded from trusted sources and stay up to date with the latest security news to maintain a high level of protection against vulnerabilities like CVE-2022-20004.

Conclusion

CVE-2022-20004 is a concerning security vulnerability with the potential to compromise systems running on certain versions of the Android operating system. Proper input validation is crucial for securing sensitive data and system resources. Ensure that you keep your devices updated with the latest security patches to prevent exploitation. Stay vigilant and follow best practices to protect your devices from potential threats and vulnerabilities.

Timeline

Published on: 05/10/2022 20:15:00 UTC
Last modified on: 05/16/2022 16:19:00 UTC