Android has had several CVEs over the past few years that let someone holding the device bypass the lock screen and gain unauthorized access or escalated privileges. For example, CVE-2015-3860, a previously reported lock screen bypass, used the emergency dialer and camera to push an oversized string into the lock screen's credential entry field (a buffer-overflow-like condition). The resulting crash of one or more processes associated with the lock screen exposed the owner's home screen. More information on CVE-2015-3860 can be found at this link: CVE-2015-3860.
In concept, CVE-2022-20006 is similar to earlier lock screen bypasses: it forces unexpected behavior in processes that are not part of the lock screen itself but are reachable while the device is locked. The processes it abuses belong to Android's multi-user feature. Multi-user is useful under normal circumstances when a device is shared by several people: each user gets their own profile, with applications and configuration tailored to their needs or role. However, the feature behaves in an interesting way while transitioning between profiles, and that transition is where CVE-2022-20006 becomes possible.
The following requirements must be met in order for CVE-2022-20006 to be exploited.
- Physical access to the device.
- Android 10, 11, or 12 with a security patch level older than June 5, 2022 (patch level 2022-06-05).
- 3-button navigation enabled via System>Accessibility>System Controls.
- A screen lock enabled via Settings>Screen Lock for the target user profile.
  a. The screen lock can be set to anything other than None.
- The multi-user feature enabled via Settings>System>Multiple Users.
  a. Ensure there are at least two users defined and enabled.
  b. One user must have a screen lock configured; this user will serve as the target.
  c. For easier exploitation, I recommend the second user be a simple guest account with no screen lock.
Note: I have personally tested this CVE on Google Pixel XL, Pixel 2, and Pixel 3 devices as well as a few emulated devices running Android 10 and Android 11. The CVE appears to be easier to perform on devices with lower specification processors and RAM. Google has confirmed the CVE to be applicable to the Android OS and not specifically the devices I’ve tested. With that said, results may vary.
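Before spending time on the manual procedure, it is worth confirming that a device actually falls inside the preconditions above. The script below is an added example written for this post (it is not Google's code and not part of the original write-up). It parses the output of `adb shell getprop ro.build.version.release`, `adb shell getprop ro.build.version.security_patch` and `adb shell pm list users`, and reports whether the release is 10/11/12, the patch level predates 2022-06-05, and at least two user profiles exist. Whether the target profile has a screen lock set still has to be confirmed on the device. The `SAMPLE_*` strings are constructed to resemble real output so the logic runs offline; the `--device` flag is this example's own convention and is the only path that invokes adb.

```python
"""Scope check for CVE-2022-20006 (added example, not the post's or Google's code).

Checks, from adb output, whether a device matches the post's preconditions:
Android 10/11/12, security patch level older than 2022-06-05, and at least
two user profiles present.
"""
import re
import subprocess
import sys
from datetime import date

FIX_PATCH_LEVEL = date(2022, 6, 5)       # patch level of the June 2022 bulletin
AFFECTED_RELEASES = {"10", "11", "12"}   # releases the post lists as affected

# Matches one line of `pm list users`, e.g. "UserInfo{0:Owner:13} running".
USER_RE = re.compile(r"UserInfo\{(\d+):([^:}]*):([0-9a-fA-F]+)\}([ \t]+running)?")


def parse_patch_level(text):
    """'2022-05-05\\n' (as reported by getprop) -> date; None if unreadable."""
    m = re.search(r"(\d{4})-(\d{2})-(\d{2})", text)
    return date(int(m[1]), int(m[2]), int(m[3])) if m else None


def parse_users(pm_output):
    """-> list of (user_id, name, running) parsed from `pm list users` output."""
    return [(int(m[1]), m[2], m[4] is not None) for m in USER_RE.finditer(pm_output)]


def assess(release, patch_text, pm_output):
    """Return (in_scope, reasons). in_scope is True only when every checkable
    precondition holds; reasons lists each one that fails."""
    reasons = []
    major = release.strip().split(".")[0]
    if major not in AFFECTED_RELEASES:
        reasons.append(f"release {release.strip()!r} is not 10, 11 or 12")
    patch = parse_patch_level(patch_text)
    if patch is None:
        reasons.append("security patch level unreadable; cannot conclude")
    elif patch >= FIX_PATCH_LEVEL:
        reasons.append(f"patch level {patch} already includes the June 2022 fix")
    if len(parse_users(pm_output)) < 2:
        reasons.append("fewer than two user profiles; no user switch possible")
    return (not reasons, reasons)


# Constructed sample output (not captured from a real device).
SAMPLE_RELEASE = "11\n"
SAMPLE_PATCH = "2022-05-05\n"
SAMPLE_USERS = "Users:\n\tUserInfo{0:Owner:13} running\n\tUserInfo{10:Guest:404}\n"


def _adb(*args):
    """Run `adb shell <args>` and return stdout (only used with --device)."""
    out = subprocess.run(["adb", "shell", *args], capture_output=True, text=True, check=True)
    return out.stdout


if __name__ == "__main__":
    if "--device" in sys.argv:
        args = (_adb("getprop", "ro.build.version.release"),
                _adb("getprop", "ro.build.version.security_patch"),
                _adb("pm", "list", "users"))
    else:
        args = (SAMPLE_RELEASE, SAMPLE_PATCH, SAMPLE_USERS)
    in_scope, why = assess(*args)
    print("in scope for CVE-2022-20006" if in_scope else "not in scope", why)
```

Note that a device that passes this check still has to be exercised by hand: the check only confirms the version and user-profile preconditions, and the post itself notes that results vary with hardware.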
Assuming the prerequisites have been met, we can begin exploiting the multi-user feature with the following steps.
1. While at the lock screen, expand the notification tray and tap the user selection menu icon.
2. Switch to an available unlocked or guest user profile.
3. Once in the guest profile, open the user selection menu from the notification tray as in step one. Identify the target user profile, which is protected by the lock screen, but do not tap its user icon until the next step.
4. Tap the target user and at the same moment begin rapidly and repeatedly tapping the home button. The faster the repetition of the home button, the better.
a. The screen will appear frozen with the “switching to user” message, but if you have haptic feedback enabled, you will feel the device vibrate with every press, as if the device is still receiving and handling input. There will be a moment during the transition where the vibration feedback stops. You can stop pressing the home button at that time.
b. It may take 2 or 3 attempts of step 4 for the lock screen bypass to occur. After each attempt you will likely notice increased input latency and a slower transition to the target user profile. You may also notice sensitive information now revealed in the lock screen notification tray.
c. If successful, you will be presented with the target user’s home screen and be able to navigate and access anything in that profile for a limited time (typically 5–30 seconds) before the lock screen finally appears and locks you out of the profile.
5. Though constrained to a 5–30 second window of access, it is difficult but possible to take additional actions that turn the window into unlimited access to the previously restricted profile. For example, the target user’s screen lock setting can be changed, a malicious APK can be staged and installed under the target user profile, Developer mode and USB debugging can be enabled, an admin-privileged account of your own can be created, and so on.
The following screen recording shows a successful attempt of CVE-2022-20006 at the 00:45 mark. The video is located at CVE-2022-20006.
CVE-2022-20006 results from events piling up in the queue serviced by the main thread of Android’s System UI. Because keyguard events are not given priority over the input already queued, a burst of input delays the keyguard’s lock handling and creates a race between the user switch completing and the keyguard being shown. In testing, the queue did not appear to be drained strictly first in, first out; events were simply handled as fast as the processor could work through them. Devices with a weaker CPU and less RAM work the queue more slowly, which widens the window of unauthorized access.
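The ordering problem described above can be made concrete with a small simulation. The model below is added here as an illustration; it is not System UI code and not from the original post. The event names, per-event costs and the two scheduling policies are assumptions chosen to show two things: a burst of HOME taps queued during the switch delays the keyguard event that is posted only after the switch completes, and letting keyguard events jump ahead of pending input (the kind of prioritisation the fix introduces) collapses the exposure window to the cost of drawing the keyguard. The `slowdown` multiplier stands in for the slower devices on which the post reports the window being larger.

```python
"""Single-thread event queue model for the CVE-2022-20006 race (added
illustration, not System UI code). Costs and event names are assumptions."""

# Assumed per-event handling cost in milliseconds on a fast device.
COST_MS = {"switch_user": 400.0, "home": 40.0, "show_keyguard": 30.0}


def exposure_window_ms(home_presses, slowdown=1.0, lock_first=False):
    """Return how long (ms) the target user's screen is visible between the
    user switch completing and the keyguard being drawn.

    home_presses -- HOME taps queued behind the switch request
    slowdown     -- cost multiplier; >1 models a weaker CPU / less RAM
    lock_first   -- True: a pending show_keyguard event is serviced before
                    any queued input; False: plain first in, first out
    """
    queue = ["switch_user"] + ["home"] * home_presses
    clock = 0.0
    switched_at = None

    while queue:
        idx = 0
        if lock_first and "show_keyguard" in queue:
            idx = queue.index("show_keyguard")   # let the lock event jump ahead
        event = queue.pop(idx)
        clock += COST_MS[event] * slowdown
        if event == "switch_user":
            switched_at = clock
            # The keyguard request is posted only once the switch completes,
            # so under FIFO it lands behind every HOME tap already queued.
            queue.append("show_keyguard")
        elif event == "show_keyguard":
            return clock - switched_at
    raise RuntimeError("keyguard event never processed")


def compare_policies(home_presses, slowdown=1.0):
    """Exposure window under FIFO versus lock-first scheduling for one burst."""
    return {
        "fifo_ms": exposure_window_ms(home_presses, slowdown, lock_first=False),
        "lock_first_ms": exposure_window_ms(home_presses, slowdown, lock_first=True),
    }


if __name__ == "__main__":
    for presses, slow in ((50, 1.0), (200, 1.0), (200, 2.5)):
        print(presses, "taps, slowdown", slow, compare_policies(presses, slow))
```

With FIFO the window grows linearly with the number of taps queued and with the slowdown factor, which is the behaviour the procedure above exploits by hammering the home button; with lock-first scheduling the window is the keyguard's own draw cost regardless of how much input is pending.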
Google published mitigations in the June 2022 Security Patch that prioritize specific lock events so this scenario can no longer occur. The June 2022 patch ships in builds SQ3A.220605.009.A1 and SQ3A.220605.009.B1, depending on device model. Patch notes and instructions for updating devices can be found in the Android June 2022 Security Bulletin.
Additional information on the mitigations implemented by Google’s Android development team can be found at Google Android Git CVE-2022-20006 Mitigation.