Exploit app for CVE-2022-20494, a high severity permanent denial-of-service vulnerability that leverages Android's DND (Do not disturb) feature# CVE-2022-20494
[Download as APK](https://github.com/Supersonic/CVE-2022-20494/releases/download/release/ZenRulePDoS.apk)
This app demonstrates a high severity permanent denial-of-service vulnerability in Android's `NotificationManagerService` that I discovered. After running the exploit, the device show a black screen or it will keep repeatedly crashing and rebooting.
It exploits the `addAutomaticZenRule` API to exhaust device memory, by crafting malicious zen rules (a.k.a. do not disturb rules) that occupy a large amount of memory. The app allows you to control the size and the amount of rules added: the predefined amount should work in almost all devices.
The app targets API 24 (Android 7.0 Nougat) but may not work in devices prior to Android Q, due to changes to the zen rule structure. It also requires the dangerous-level permission `ACCESS_NOTIFICATION_POLICY` to work; the app will request it upon launch.
The vulnerability was fixed - along with many other bugs in the same subsystem - in [Jan 2023 Android Security Bulletin](https://source.android.com/docs/security/bulletin/2023-01-01) by [trimming long strings](https://android.googlesource.com/platform/frameworks/base/+/de172ba0d434c940be9e2aad8685719731ab7da2) within `AutomaticZenRule` constructors. (both normal and parcel serialization related constructors)
If you have ADB access, devices bricked due to this bug may potentially be recovered by running the following ADB command.
```
adb uninstall me.sithi.cve_2022_20494
```
Note that this project is provided for educational purposes only; please don't use it for malicious activities.
[4.0K] /data/pocs/4f35b29dbd063a32030afc45c5cc49e60ad9882b
├── [4.0K] app
│ ├── [1.2K] build.gradle
│ ├── [ 750] proguard-rules.pro
│ └── [4.0K] src
│ └── [4.0K] main
│ ├── [1.1K] AndroidManifest.xml
│ ├── [4.0K] java
│ │ └── [4.0K] me
│ │ └── [4.0K] sithi
│ │ └── [4.0K] cve_2022_20494
│ │ └── [1.7K] MainActivity.kt
│ └── [4.0K] res
│ ├── [4.0K] drawable
│ │ └── [5.5K] ic_launcher_background.xml
│ ├── [4.0K] drawable-v24
│ │ └── [1.7K] ic_launcher_foreground.xml
│ ├── [4.0K] layout
│ │ └── [2.6K] activity_main.xml
│ ├── [4.0K] mipmap-anydpi-v26
│ │ ├── [ 343] ic_launcher_round.xml
│ │ └── [ 343] ic_launcher.xml
│ ├── [4.0K] mipmap-hdpi
│ │ ├── [2.8K] ic_launcher_round.webp
│ │ └── [1.4K] ic_launcher.webp
│ ├── [4.0K] mipmap-mdpi
│ │ ├── [1.7K] ic_launcher_round.webp
│ │ └── [ 982] ic_launcher.webp
│ ├── [4.0K] mipmap-xhdpi
│ │ ├── [3.8K] ic_launcher_round.webp
│ │ └── [1.9K] ic_launcher.webp
│ ├── [4.0K] mipmap-xxhdpi
│ │ ├── [5.8K] ic_launcher_round.webp
│ │ └── [2.8K] ic_launcher.webp
│ ├── [4.0K] mipmap-xxxhdpi
│ │ ├── [7.6K] ic_launcher_round.webp
│ │ └── [3.8K] ic_launcher.webp
│ ├── [4.0K] values
│ │ ├── [ 147] colors.xml
│ │ ├── [ 66] dimens.xml
│ │ ├── [ 76] strings.xml
│ │ └── [ 443] themes.xml
│ ├── [4.0K] values-land
│ │ └── [ 66] dimens.xml
│ ├── [4.0K] values-night
│ │ └── [ 345] themes.xml
│ ├── [4.0K] values-v29
│ │ └── [ 473] themes.xml
│ ├── [4.0K] values-w1240dp
│ │ └── [ 67] dimens.xml
│ ├── [4.0K] values-w600dp
│ │ └── [ 66] dimens.xml
│ └── [4.0K] xml
│ ├── [ 478] backup_rules.xml
│ └── [ 551] data_extraction_rules.xml
├── [ 309] build.gradle
├── [4.0K] gradle
│ └── [4.0K] wrapper
│ ├── [ 58K] gradle-wrapper.jar
│ └── [ 235] gradle-wrapper.properties
├── [1.3K] gradle.properties
├── [5.6K] gradlew
├── [2.7K] gradlew.bat
├── [ 34K] LICENSE
├── [1.6K] README.md
└── [ 347] settings.gradle
26 directories, 39 files