A recent security vulnerability, CVE-2022-20115, has been found in Android's TelephonyRegistry. It could allow an attacker to gather base station information without holding the location permissions that normally gate that data. The flaw lies in the broadcastServiceStateChanged() method and, when exploited, permits unauthorized access to locally stored information.

This long-read post will provide an in-depth analysis of the vulnerability, including relevant code snippets, original reference links, and details on how the exploit occurs.

Code Snippet

The affected method can be found within the TelephonyRegistry.java file. Below is a simplified version of the code related to the broadcastServiceStateChanged() function, demonstrating what's occurring in the process:

private void broadcastServiceStateChanged(ServiceState state, int phoneId) {
    // Build the system-wide broadcast announcing a service-state change.
    Intent intent = new Intent(TelephonyManager.ACTION_SERVICE_STATE_CHANGED);
    intent.addFlags(Intent.FLAG_RECEIVER_REGISTERED_ONLY_BEFORE_BOOT | Intent.FLAG_RECEIVER_INCLUDE_BACKGROUND);
    // The full ServiceState object, which carries the base station information, is attached as an extra.
    intent.putExtra(PhoneConstants.STATE_KEY, state);
    intent.putExtra(PhoneConstants.PHONE_KEY, phoneId);

    // Sent to all users with no receiver permission argument, so any registered receiver gets it.
    mContext.sendBroadcastAsUser(intent, UserHandle.ALL);
}

As the snippet shows, broadcastServiceStateChanged() creates an Intent carrying the new ServiceState and sends it with mContext.sendBroadcastAsUser(intent, UserHandle.ALL). No receiver permission is attached to the broadcast, so any application with a matching receiver can read the ServiceState extra, whether or not it holds a location permission.
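To make the missing check concrete, here is an added illustrative example (not the AOSP patch and not code from the page): the unrestricted broadcast beside a variant that delivers the full ServiceState only to receivers holding ACCESS_FINE_LOCATION and a reduced copy to everyone else. It uses the public sendBroadcast(Intent, String) overload rather than the hidden UserHandle.ALL path; the class name, extra keys and the choice of which fields count as non-sensitive are assumptions.

```java
import android.Manifest;
import android.content.Context;
import android.content.Intent;
import android.telephony.ServiceState;
import android.telephony.TelephonyManager;

// Illustrative hardening pattern only; class, helper and key names are assumed.
public class ServiceStateBroadcaster {
    // Stand-ins for the page's PhoneConstants.STATE_KEY / PHONE_KEY (assumed values).
    private static final String STATE_KEY = "state";
    private static final String PHONE_KEY = "phone";
    private final Context mContext;

    public ServiceStateBroadcaster(Context context) { mContext = context; }

    // Weak form, mirroring the page: full ServiceState to every registered receiver,
    // no permission required to receive it.
    public void broadcastUnrestricted(ServiceState state, int phoneId) {
        mContext.sendBroadcast(buildIntent(state, phoneId));
    }

    // Hardened form: the complete object only reaches receivers that hold
    // ACCESS_FINE_LOCATION; all other receivers get a copy with only
    // registration and roaming state. Permission holders see both broadcasts,
    // but the reduced copy is a strict subset, so nothing extra is exposed.
    public void broadcastRestricted(ServiceState state, int phoneId) {
        mContext.sendBroadcast(buildIntent(state, phoneId),
                Manifest.permission.ACCESS_FINE_LOCATION);
        mContext.sendBroadcast(buildIntent(stripLocationInfo(state), phoneId));
    }

    // Copy that keeps only fields assumed here to be non-identifying.
    static ServiceState stripLocationInfo(ServiceState state) {
        ServiceState reduced = new ServiceState();
        reduced.setState(state.getState());
        reduced.setRoaming(state.getRoaming());
        return reduced;
    }

    // Same shape as the page's intent, without the hidden receiver flags.
    private static Intent buildIntent(ServiceState state, int phoneId) {
        Intent intent = new Intent(TelephonyManager.ACTION_SERVICE_STATE_CHANGED);
        intent.putExtra(STATE_KEY, state);
        intent.putExtra(PHONE_KEY, phoneId);
        return intent;
    }
}
```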

The original references and resources regarding the vulnerability are provided below:

1. Android Security Bulletin for Android 12 and Android 12L: https://source.android.com/security/bulletin/pixel/2023-02-01
2. Android Open Source Project (AOSP) issue tracker: https://issuetracker.google.com/issues/210118427
3. CVE Details: https://www.cvedetails.com/cve/CVE-2022-20115/

Exploit Details

An attacker who gains user execution privileges can exploit this vulnerability to access sensitive information without permission. The missing permission check in the broadcastServiceStateChanged method allows the attacker to listen for changes in the Service State without requesting location permissions in their application.

The exploit can be carried out in the following steps:

1. Obtain user execution privileges: The attacker needs to have user execution privileges on the Android device to execute their malicious application.

2. Listen for service state changes: The attacker's application registers a BroadcastReceiver to capture the intents sent by the TelephonyRegistry broadcast.

// Receiver registered without any permission; it still receives the broadcast.
BroadcastReceiver serviceStateReceiver = new BroadcastReceiver() {
    @Override
    public void onReceive(Context context, Intent intent) {
         // Process the received service state information.
    }
};

// Match the same action the TelephonyRegistry broadcasts.
IntentFilter intentFilter = new IntentFilter(TelephonyManager.ACTION_SERVICE_STATE_CHANGED);
context.registerReceiver(serviceStateReceiver, intentFilter);

3. Process the service state information: When the BroadcastReceiver receives the intent containing the Service State change, the attacker's application can extract the base station information from the intent and use it for malicious purposes.

Conclusion

The Android CVE-2022-20115 vulnerability has drawn attention to unauthorized access to sensitive base station information caused by a missing permission check in the TelephonyRegistry's broadcastServiceStateChanged() method. This long-read post provided a detailed analysis of the vulnerability, its code, and the exploitation process. Android has since addressed this issue in the Android 12 and Android 12L security updates. Keeping devices on the most current security updates is essential to avoid potential data breaches or unauthorized access to private information.

Timeline

Published on: 05/10/2022 20:15:00 UTC
Last modified on: 05/16/2022 15:31:00 UTC