michalbednarski / LeakValue

Exploit for CVE-2022-20452, privilege escalation on Android from installed app to system app (or another app) via LazyValue using Parcel after recycle()

NoSuchMethodException #3

Open youyudekucaizi opened 1 year ago

youyudekucaizi commented 1 year ago

When I pressed the start button after the app was installed, it prompted a "java.lang.NoSuchMethodException: android.media.session.ISession$Stub$Proxy.getBinderForSetQueue []" error. I found the exact code is: `mGetBinderForSetQueue = mMediaSessionBinder.getClass().getMethod("getBinderForSetQueue");` I use Android API 32, how to solve this problem? Also I found the MediaSession class only contains the setQueue method, which will call the getBinderForSetQueue method. Any advice will be greatly appreciated.

youyudekucaizi commented 1 year ago

My Android version is 10

michalbednarski commented 1 year ago

This is an exploit for a vulnerability introduced in Android 13, so there isn't any point in running this on an older version.

The getBinderForSetQueue() (internal) method itself was introduced in Android 12.

(But still this won't work on Android 12 because LazyValue didn't exist there. LazyValue isn't explicitly listed by name, it is the structure of the serialized data.)

youyudekucaizi commented 1 year ago

got it, thanks

Ko-Hi-Dev commented 1 year ago

This is an exploit for a vulnerability introduced in Android 13, so there isn't any point in running this on an older version.

The getBinderForSetQueue() (internal) method itself was introduced in Android 12.

(But still this won't work on Android 12 because LazyValue didn't exist there. LazyValue isn't explicitly listed by name, it is the structure of the serialized data.)

The exploit

CVE-2022-20474 A-240138294 [2] EoP High 10, 11, 12, 12L, 13

Any chance to get it working? Or is it used on this release?

michalbednarski commented 1 year ago

The LazyValue was introduced in Android 13, but let's explain that version list.

That row comes from the security bulletin:

| CVE            | References        | Type | Severity | Updated AOSP versions |
|----------------|-------------------|------|----------|-----------------------|
| CVE-2022-20474 | A-240138294 [2]   | EoP  | High     | 10, 11, 12, 12L, 13   |

Note that the last column is called "Updated AOSP versions", not "Affected". In this case the distinction matters because in the references column we have two links to patches:

  1. The patch for the issue itself. This can only be applied to Android 13.
  2. A general mitigation against the Bundle-mismatch vulnerability class. This could be applied (possibly with adaptations) to all listed Android versions (and also to earlier versions, but these are not supported anymore).