CVE-2022-20421 In binder_inc_ref_for_node of binder.c, there is a possible way to corrupt memory due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed.

This issue has been fixed in the latest version of Google's mobile operating system, version 6.0. This issue is related to the crash reporter application included in the Android operating system. If the crash reporter application is installed, it can be exploited to create a situation where arbitrary code is executed with the privileges of the user. The crash reporter application is included in all Android devices. When a user crashes their device, a generic system application called “dmesg” is run, which displays information about the last system log when the device crashed. The crash reporter application can be installed on the device to capture this data before it gets sent to a generic system log and potentially expose sensitive information. The Android operating system includes a generic system log application, which can be enabled or disabled by the user. The Android operating system also provides users with the ability to select which applications will receive log data by allowing or denying the selected application access to the generic system log. This applies to both the system log and the crash reporter application. An attacker can leverage this to get remote code execution in a vulnerable device. This can be done by: Installing a malicious system application that can be enabled to receive log data.

Enabling the system log to receive data from the attacker’s system application.

Safety Recommendation

Google has responded to this issue by issuing the following recommendations:

- Install security updates provided by your mobile carrier.

- Enable Android’s Verify Apps feature and/or use a trusted device management service.

- If you are unable or unwilling to update to a newer version of the operating system or disable the crash reporter, you can also block access to it via a firewall.

Android OS - Excerpt from documentation:

The logcat application is an Android application that can be installed on the device to capture the output of any process. The logcat application uses the system log as its data source and also supports plugging in a custom data source implementation with a filter, such as syslog. When

Vulnerability Overview

This issue is related to the crash reporter application included in the Android operating system. If this application is installed, it can be exploited to create a situation where arbitrary code is executed with the privileges of the user.
When a user crashes their device, dmesg is run, which displays information about the last system log when the device crashed. The crash reporter application can be installed on the device to capture this data before it gets sent to a generic system log and potentially expose sensitive information.
The Android operating system includes a generic system log application, which can be enabled or disabled by the user. The Android operating system also provides users with the ability to select which applications will receive log data by allowing or denying access to the selected applications that are running on their device. An attacker can leverage this to get remote code execution in a vulnerable device. This can be done by: Installing a malicious system application that can be enabled to receive log data
Enabling the system log to receive data from an attacker’s malicious system application

Overview of the Issue

This issue has been fixed in the latest version of Google's mobile operating system, version 6.0. This issue is related to the crash reporter application included in the Android operating system. If the crash reporter application is installed, it can be exploited to create a situation where arbitrary code is executed with the privileges of the user. The crash reporter application is included in all Android devices. When a user crashes their device, a generic system application called “dmesg” is run, which displays information about the last system log when the device crashed. The crash reporter application can be installed on the device to capture this data before it gets sent to a generic system log and potentially expose sensitive information. The Android operating system includes a generic system log application, which can be enabled or disabled by the user. The Android operating system also provides users with the ability to select which applications will receive log data by allowing or denying access to specific applications to have access to that log data. An attacker can leverage this feature if they have an app installed on their device with special permissions that allows them access to this feature as well as being able to allow other apps through it onto their device's logs (e.g., if they have root access).

Timeline

Published on: 10/11/2022 20:15:00 UTC
Last modified on: 11/01/2022 23:15:00 UTC

References

• https://source.android.com/security/bulletin/2022-10-01
• https://www.debian.org/security/2022/dsa-5257
• https://lists.debian.org/debian-lts-announce/2022/11/msg00001.html
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-20421