A recently disclosed Android vulnerability could lead to a local escalation of privilege. The flaw, tracked as CVE-2022-20451, stems from a missing permission check in the onCallRedirectionComplete function of CallsManager.java.

This blog post aims to provide an exclusive, detailed rundown of this vulnerability, complete with code snippets, links to original references, and explanations regarding the exploit.

The Vulnerability: CVE-2022-20451

CVE-2022-20451 can be exploited under specific circumstances: because onCallRedirectionComplete performs no permission check, an attacker can bypass the permissions that should gate it. This could lead to a local escalation of privilege with no additional execution privileges needed. However, user interaction is required for the exploit to succeed.

Affected version: Android 13

The Android ID for this vulnerability is A-235098883.

A Look at the Code

Below is an example of a code snippet containing the vulnerable function in the CallsManager.java file:

public class CallsManager {
    ...
    private void onCallRedirectionComplete(Call call) {
        // No check is made on who is delivering this redirection result
        // before the account list is modified: this is the missing permission check.
        if (call.getGatewayInfo() != null) {
            // Add the gateway phone account to the account list.
            ParcelableCallUtils.PhoneAccountHandleParcelable gatewayAccountHandle =
                    new ParcelableCallUtils.PhoneAccountHandleParcelable(
                            call.getGatewayInfo().getGatewayProvider());
            List<ParcelableCallUtils.PhoneAccountHandleParcelable> accounts =
                    mCallAudioRouteStateMachine.getCurrentAudioRoute().getAvailableAccounts();
            // Append the gateway account to the currently available accounts.
            accounts.add(gatewayAccountHandle);
            mCallAudioRouteStateMachine.getCurrentAudioRoute().setAvailableAccounts(accounts);
        }
        ...
    }
    ...
}

In the code snippet above, we can see that the function onCallRedirectionComplete does not perform a permission check before executing the rest of the code.
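As an added illustration (this is not code from the original post or from AOSP, and it is not the actual fix Google shipped), here is what a permission gate at the entry of the function could look like: the caller is checked before the account list is touched, and a rejected call is logged so it can be picked up by detection. The mContext and mCallAudioRouteStateMachine fields, the constructor, and the REQUIRED_PERMISSION value are assumptions; the post does not say which permission the real patch enforces.

```java
import android.content.Context;
import android.content.pm.PackageManager;
import android.os.Binder;
import android.util.Log;
import java.util.List;

public class CallsManager {
    private static final String TAG = "CallsManager";
    // PLACEHOLDER: the post does not name the permission the real fix requires.
    private static final String REQUIRED_PERMISSION = "android.permission.MODIFY_PHONE_STATE";
    // Assumed fields: a Context for permission checks and the audio route state
    // machine the post's snippet already references.
    private final Context mContext;
    private final CallAudioRouteStateMachine mCallAudioRouteStateMachine;

    // Assumed constructor wiring the two collaborators above.
    CallsManager(Context context, CallAudioRouteStateMachine routeStateMachine) {
        mContext = context;
        mCallAudioRouteStateMachine = routeStateMachine;
    }

    private void onCallRedirectionComplete(Call call) {
        // Hardened entry: refuse the redirection result unless the calling
        // process (identified by Binder.getCallingUid()) holds the permission.
        if (mContext.checkCallingOrSelfPermission(REQUIRED_PERMISSION)
                != PackageManager.PERMISSION_GRANTED) {
            Log.w(TAG, "onCallRedirectionComplete rejected: uid "
                    + Binder.getCallingUid() + " lacks " + REQUIRED_PERMISSION);
            return;
        }
        // Body as shown in the post, now reachable only by an authorised caller.
        if (call.getGatewayInfo() != null) {
            ParcelableCallUtils.PhoneAccountHandleParcelable gatewayAccountHandle =
                    new ParcelableCallUtils.PhoneAccountHandleParcelable(
                            call.getGatewayInfo().getGatewayProvider());
            List<ParcelableCallUtils.PhoneAccountHandleParcelable> accounts =
                    mCallAudioRouteStateMachine.getCurrentAudioRoute().getAvailableAccounts();
            accounts.add(gatewayAccountHandle);
            mCallAudioRouteStateMachine.getCurrentAudioRoute().setAvailableAccounts(accounts);
        }
    }
}
```

The warning line gives a logcat signal for unexpected callers reaching this path, which is the kind of telemetry a device-side detection rule could key on.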

Exploit Details

To exploit this vulnerability, an attacker would first need to convince the user to interact with a malicious application or link. Once the user initiates that interaction, the exploit takes advantage of the missing permission check in onCallRedirectionComplete, potentially escalating privileges on the local device without needing to obtain additional execution privileges.

This exploit is particularly concerning as it could be used by attackers to gain unauthorized access to sensitive user data, execute malicious code, or manipulate the device in other unwanted ways.

Mitigation and Recommendations

Google has yet to release a patch for this vulnerability, so users are encouraged to exercise caution when interacting with unverified applications or links. Additionally, users should keep their devices up-to-date with the latest Android security patches and monitor any announcements from Google regarding this issue.

For more information on this vulnerability and to stay updated on any developments, refer to the following resources:

- Android Open Source Project (AOSP)
- CVE-2022-20451 - National Vulnerability Database (NVD)
- Android Security Bulletin

In conclusion, while CVE-2022-20451 is a concerning vulnerability that could lead to local escalation of privilege on affected Android devices, users can take steps to minimize risk by remaining vigilant in their interactions with applications and links, as well as staying informed on any updates from Google regarding this security flaw.

Timeline

Published on: 11/08/2022 22:15:00 UTC
Last modified on: 11/09/2022 14:17:00 UTC