CVE-2022-20453 - How a Simple Path Traversal Bug in MmsProvider.java Can Jam Your SIM Card (Android 10–13 Exploit Deep Dive)

---

What Is CVE-2022-20453?

CVE-2022-20453 is a security vulnerability discovered in multiple Android versions (10 through 13) that quietly disables your SIM card’s ability to function. The core problem is a path traversal flaw in MmsProvider.java—the Android component that handles multimedia messages (MMS).

With this bug, apps with no special permissions can mess up internal directory permissions if a user interacts with them. The result: your device can’t recognize your SIM card, causing local denial of service (DoS).

This article explains how this bug works, shows code snippets, and gives practical exploitation details.

Reference Links

- NIST National Vulnerability Database Entry (CVE-2022-20453)
- Google Android Security Bulletin
- Android Open Source Commit Fix

The Root Cause: Path Traversal in MmsProvider

In MmsProvider.java, the code handling files failed to properly validate file paths. It trusted input, letting users—via apps or user interaction—navigate directories or change permissions in places they shouldn’t (a "path traversal" attack).

A malicious app could send specially crafted paths like ../../../../data/misc/... and trick the system into applying directory permissions on critical locations.

Simplified Vulnerable Code

public ParcelFileDescriptor openFile(Uri uri, String mode) throws FileNotFoundException {
    // ...snip...
    String filePath = uri.getPath();
    File file = new File(filePath);

    // NO CHECK for '..' or external access
    ParcelFileDescriptor pfd = ParcelFileDescriptor.open(file, ParcelFileDescriptor.MODE_READ_ONLY);
    return pfd;
}

The lack of input filtering means filePath could point to any directory, not just the intended MMS storage location.

Exploitation Details

Threat Model:  
- Prerequisites: The attacker must get a user to interact with a malicious app (user taps or opens something).

Craft a Malicious App

- App imitates a media manager and lets the user “import” custom MMS files, using a modified path (like ../../data/misc/telephony/...).

Trigger the Vulnerable Code

- When user selects a specific file, the app sends a URI with directory traversal (..) as part of its file path.

Directory Permissions Get Restricted

- MmsProvider receives and processes the path, unknowingly changing permissions on the system directory.

DoS: SIM Not Recognized

- The next time the device tries to access your telecom information, it fails due to restricted permissions.

Here’s a pseudocode workflow of how a malicious intent could work

Intent intent = new Intent(Intent.ACTION_VIEW);
intent.setData(Uri.parse("content://mms/../../data/misc/telephony/siminfo"));
startActivity(intent);
// This causes MmsProvider to process the wrong directory due to path traversal

User Interaction Example:

The user thinks they're opening an MMS attachment.

- The malicious app actually passes a content:// URI with a deeply nested .. path.

Denial of Service (DoS):

- The primary damage is denial of SIM recognition. Your device loses cellular connectivity, and you may not even know why.

Scope:

- It affects Android 10, 11, 12, 12L, and 13, running stock or OEM firmware that hasn’t been patched.

Persistence:

- The attack persists until the device’s restricted folders are fixed or the settings/data are reset.

Mitigation & Patch

Patched Behavior:  
New code in MmsProvider.java checks any file path for traversal attempts; if .. or an absolute path is detected, the operation is denied.

String canonicalPath = file.getCanonicalPath();
// Make sure it's under the MMS directory
if (!canonicalPath.startsWith("/data/user_de//com.android.providers.telephony")) {
    throw new SecurityException("Path traversal detected!");
}

How to Stay Safe:

Update your Android device! Security patches after October 2022 include this fix.

- Avoid installing media/message manager apps from outside the Play Store.

Conclusion

CVE-2022-20453 shows how a relatively simple oversight—failing to sanitize user input—can lead to hard-to-diagnose problems like a phone that loses SIM recognition. This bug, now patched in Android, should remind both developers and users that even small mistakes can have a big, surprising impact.

References

- Google Android Security Bulletin, Nov 2022
- NIST NVD: CVE-2022-20453
- Git Commit Fix in AOSP

Timeline

Published on: 11/08/2022 22:15:00 UTC
Last modified on: 11/09/2022 16:28:00 UTC