In late 2022, a critical local privilege escalation was uncovered in Android’s telecom subsystem. Tracked as CVE-2022-20451, this vulnerability relates to the missing permission checks in the onCallRedirectionComplete method of the CallsManager.java file. Let’s break down the issue, demonstrate a simplified exploitation scenario, and point you to authoritative references.
Pre-requisite: User interaction required
- Android Security Bulletin: Android ID A-235098883
- CVE page: NVD - CVE-2022-20451
How the Vulnerability Works
Android’s CallsManager handles phone call logic, including redirection (when one app wants to hand off a call to another, like spam filtering). Normally, sensitive operations in this path should be protected by permission checks—otherwise, rogue local apps can abuse system-privileged functionality.
The Problem:
In the onCallRedirectionComplete() method, a necessary permission check is missing. Without this check, a less-privileged app can use specially crafted intents and user interaction to abuse call redirection, gaining access to protected features or information.
Here’s a simplified snippet similar to what was originally vulnerable in CallsManager.java
// Pseudo-code for onCallRedirectionComplete method
public void onCallRedirectionComplete(Call call, Uri handle) {
// ...some code
// !! Vulnerablity: No permission check here !!
call.setHandle(handle);
// Attacker can set arbitrary call handles without having proper permissions
// ...rest of logic
}
What’s missing?
A check like this should have been present
if (!hasRequiredPermission(callingPackage)) {
throw new SecurityException("Missing required permission");
}
Exploitation Scenario
Let’s walk through a possible local exploit path:
Attacker App Prepares an Intent:
The malicious app crafts an intent mimicking a legitimate call redirection outcome and targets the vulnerable API.
User Interaction:
The exploit does require some user action—like answering or interacting with a fake call or permission dialog.
Ignored Permission:
The system fails to check if the calling app actually holds android.permission.MANAGE_OWN_CALLS or similar.
Privilege Escalation:
Upon receiving a call redirection completion, CallsManager sets up the call as requested, possibly exposing call metadata or escalating permissions to the malicious app.
Here’s conceptual code showing how a malicious component might interact
// Malicious app code example
Intent intent = new Intent();
intent.setAction("com.android.server.telecom.CALL_REDIRECTION_COMPLETE");
intent.setData(Uri.parse("tel:123456789")); // or any arbitrary handle
// Launch intent, possibly requiring some form of user interaction
context.sendBroadcast(intent); // or startActivity depending on the exposed interface
*Note: The actual available API surface may differ, as some methods are protected by signature permissions in the production builds.*
Real-World Impact
- Attack Vectors: A rogue local app could redirect calls, access call metadata, or interfere with telecom operations, escalating privileges within the system.
Patch Reference
The patch commit adds robust permission checking to onCallRedirectionComplete, blocking unauthorized access.
Android Security Bulletin (Nov 2022):
https://source.android.com/docs/security/bulletin/2022-11-01
Google’s AOSP Patch:
https://android.googlesource.com/platform/packages/services/Telecomm/+/b760a6d84e2e324eda56d7b6c8ea7c1ff25e2a%5E%21/
National Vulnerability Database (NVD):
https://nvd.nist.gov/vuln/detail/CVE-2022-20451
Takeaways
- ALWAYS validate permissions before performing sensitive operations—especially in system services.
Timeline
Published on: 11/08/2022 22:15:00 UTC
Last modified on: 11/09/2022 14:17:00 UTC