Calling getpidcon for One Way Binder Transactions Returns Wrong Security Context

ID AKB:038B624D-9A75-41C5-83D1-3492AA83FBCB
Type attackerkb
Reporter AttackerKB
Modified 2020-02-13T17:12:46


The servicemanager, keystore and drmserver daemons all use the libselinux getpidcon() function to look up the SELinux security context of a binder caller, keyed on the sender PID the binder driver reports with the transaction. For a one-way (TF_ONE_WAY) transaction the driver records no sender thread and reports a sender PID of 0, and getpidcon() on PID 0 resolves to the calling process's own /proc entry. The daemon therefore evaluates its access check against its own security context rather than the caller's, which may allow a SELinux MAC bypass.
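
The following is an added example, not code from the affected daemons, the binder driver or libselinux. It models the PID-to-/proc path resolution that getpidcon() performs (simplified: the real libselinux openattr() tries /proc/thread-self for PID 0 and falls back to /proc/self/task/<tid>, both of which name the current process) next to a check that refuses to derive a caller identity from a one-way transaction. The names `struct txn_meta`, `attr_path_for_pid`, `vulnerable_caller_attr_path` and `hardened_caller_attr_path` are hypothetical; TF_ONE_WAY carries its value from the binder UAPI header, and the transactions in main() are constructed input.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Transaction flag from the binder UAPI header (linux/android/binder.h). */
#define TF_ONE_WAY 0x01

/* Hypothetical subset of what the driver hands back with BR_TRANSACTION. */
struct txn_meta {
    unsigned int flags;
    pid_t sender_pid;   /* driver reports 0 when no sender thread is recorded (one-way) */
    uid_t sender_euid;
};

/* Simplified model of the path libselinux's getpidcon() opens. Assumption:
 * the real openattr() prefers /proc/thread-self for pid 0; either way the
 * file belongs to the current process, which is the point of the bug.
 * Returns 0 and fills buf on success, -1 otherwise. */
int attr_path_for_pid(pid_t pid, char *buf, size_t len)
{
    int n;
    if (pid > 0)
        n = snprintf(buf, len, "/proc/%d/attr/current", (int)pid);
    else if (pid == 0)
        n = snprintf(buf, len, "%s", "/proc/self/attr/current");
    else
        return -1;
    return (n > 0 && (size_t)n < len) ? 0 : -1;
}

/* Vulnerable pattern: use the reported sender PID as-is. On a one-way
 * transaction this yields the daemon's own security context. */
int vulnerable_caller_attr_path(const struct txn_meta *t, char *buf, size_t len)
{
    return attr_path_for_pid(t->sender_pid, buf, len);
}

/* Hardened pattern: a one-way transaction, or any transaction without a
 * positive sender PID, identifies nobody, so the MAC check fails closed. */
int hardened_caller_attr_path(const struct txn_meta *t, char *buf, size_t len)
{
    if (t->flags & TF_ONE_WAY)
        return -1;
    if (t->sender_pid <= 0)
        return -1;
    return attr_path_for_pid(t->sender_pid, buf, len);
}

int main(void)
{
    /* Constructed transactions: a one-way call (PID 0) and a normal call. */
    struct txn_meta oneway = { TF_ONE_WAY, 0, 10000 };
    struct txn_meta sync   = { 0, 4242, 10000 };
    char path[64];

    if (vulnerable_caller_attr_path(&oneway, path, sizeof path) == 0)
        printf("vulnerable, one-way: reads %s (the daemon itself)\n", path);
    if (hardened_caller_attr_path(&oneway, path, sizeof path) < 0)
        printf("hardened, one-way: denied, no caller identity\n");
    if (hardened_caller_attr_path(&sync, path, sizeof path) == 0)
        printf("hardened, sync: reads %s\n", path);
    return 0;
}
```

Even the hardened variant still keys on a PID, which the kernel can reuse once the sender exits, so a daemon that must make an access decision should prefer identity the kernel attaches to the transaction itself (such as sender_euid) and fail closed whenever the driver cannot name a sender.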

Recent assessments:

busterb at 2019-05-09T17:57:18.367962Z reported: Unrealistic privilege escalation scenario, fixed in AOSP 2 years ago, but maybe usable in older versions.

Assessed Attacker Value: 1
Assessed Exploitability: 2