CVE-2024-21633: Getting RCE on MobSF using Apktool
Introduction
This CVE affects the apktool, which is well-known for its capacity to reverse engineer closed-source, third-party Android apps, which has encountered a roadblock that puts users at serious risk for security breaches. All versions <= 2.9.1 are affected by this vulnerability with a CVSS score of 7.8.
Apktool and MobSF
Apktool and MobSF (Mobile Security Framework) are two powerful tools frequently used in the Android development and security communities.
Apktool:
Apktool is a versatile utility used for reverse engineering and modifying Android application packages (APKs). Developed by XDA Developers member Brut.all, Apktool enables developers to decompile, modify, and recompile APK files. With Apktool, developers can extract resources, modify code, and customize various aspects of Android apps. Its command-line interface offers precise control over the decompilation and recompilation processes, making it a popular choice for app customization and analysis.
MobSF(Mobile Security Framework):
MobSF is a comprehensive open-source framework used for mobile app security assessment. It integrates various security testing tools and techniques into a unified platform, facilitating the analysis of Android and iOS applications. MobSF offers functionalities such as static and dynamic analysis, binary code scanning, and API testing. It helps security researchers and developers identify vulnerabilities, assess the security posture of mobile apps, and ensure compliance with best practices and security standards.
Apktool and MobSF complement each other well in the realm of Android app development and security analysis. Apktool's ability to decompile and modify APK files is utilized within MobSF's framework for deeper analysis of Android applications. MobSF internally used apktool and that is the reason why this exploit is so dangerous. Together, these tools offer a comprehensive approach to Android app development, customization, and security assessment, but if updated can be lethal as an attacker can easily get RCE on the target to extract system information or to even get a shell.
Exploitation and Technical aspects of the vulnerability
For demo purposes MobSF v3.7.6 and apktool v2.9.0 were used, you can also download and run MobSF locally and use the above-mentioned apktool version to create a payload apk file.
Apktool is actually meant for local use only and it helps in assembly and disassembly of APK files. With Apktool, users may reconstruct resources after making changes and decode them to almost their original state.This makes apktool a very important and useful tool for both developers and security professionals.
When a user uploads a file to MobSF, the mobile application is decompiled using the well-known Apktool, which starts an extensive security analysis. In addition to Apktool, other tools are integrated in this process, such the skilled Java decompiler jadx. To enable thorough examination, Jadx is essential in translating intricate Java bytecode back into legible source code.
Apktool will target the resources.arsc file during the decompilation process. This file is an essential component that contains compiled resources utilized by the application, including pictures, layout definitions, and strings. To view the whole list of resource files utilized in the mobile application, Apktool downloads this file. Three essential components help identify each resource file:
- An identifier
- The file’s name
- The file’s path within the APK
An attacker can add and edit the resource file to achieve path traversal which will eventually trigger RCE when the file is uploaded on MobSF.
Steps to create a payload (malicious app):
- Select any app and decompile it using apktool:We used this app for the PoC
- Create a new raw resource with the file named jadx
$ mkdir app/res/raw
$ nano app/res/raw/jadx
- Enter your payload that you want to execute (below is an example):
- Recompile the app to generate resources.arsc file
- Decompile the compiled.apk file to recover the resources.arsc file
- Use this ARSC Editor, to edit the resources.arsc file. Use this: java -jar ArscEditor-1.0.2-all.jar command to run the editor
- Change the file name to : ../../../../../../Mobile-Security-Framework-MobSF/mobsf/StaticAnalyzer/tools/jadx/bin/jadx (as you can see in above screenshot)
- Save and replace the existing resources.arsc file with modified resources.arsc file keeping the name same.
- Build the application with apktool to get final payload
Now the payload app is ready and to exploit upload this file on MobSF and wait for the pingback (An example is shown below):
Mitigation:
- For Mitigation just use the version 2.9.2 or higher because a patch was released in this version for apktool.
- And in addition to that also use the up to date version of MobSF as well.
- Don’t expose your MobSF instance on the internet if you intend to use it internally.
References: