CVE-2024-21633
published 2024-01-03CVE-2024-21633: Apktool is a tool for reverse engineering Android APK files. In versions 2.9.1 and prior, Apktool infers resource files' output path according to their…
PriorityP345high7.8CVSS 3.1
AVLACLPRNUIRSUCHIHAH
EXPLOIT
EPSS
1.32%
67.3th percentile
Apktool is a tool for reverse engineering Android APK files. In versions 2.9.1 and prior, Apktool infers resource files' output path according to their resource names which can be manipulated by attacker to place files at desired location on the system Apktool runs on. Affected environments are those in which an attacker may write/overwrite any file that user has write access, and either user name is known or cwd is under user folder. Commit d348c43b24a9de350ff6e5bd610545a10c1fc712 contains a patch for this issue.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apktool | apktool | < 2.9.2 | 2.9.2 |
| apktool | apktool | >= 0 < 2.7.0+dfsg-6+deb12u1 | 2.7.0+dfsg-6+deb12u1 |
| apktool | apktool | >= 0 < 2.7.0+dfsg-7 | 2.7.0+dfsg-7 |
| apktool | apktool | >= 0 < 2.7.0+dfsg-7 | 2.7.0+dfsg-7 |
| debian | apktool | < apktool 2.7.0+dfsg-6+deb12u1 (bookworm) | apktool 2.7.0+dfsg-6+deb12u1 (bookworm) |
| ibotpeaches | apktool | <= 2.9.1 | — |
Detection & IOCsextracted from sources · hover to see the quote
filenamepoc.apk
url/upload/
pathres/raw/hacked.txt
filenamehacked.txt
bytes
504b03040a00000800009badf658ef61a43018030000180300000e0000007265736f75726365732e61727363
- →Detect path traversal in APK resource names: look for resource file names containing '../' sequences (e.g., '../../../../../../.MobSF/downloads/') within APK zip entries, which are used to escape the output directory during apktool extraction. ↗
- →Monitor POST requests to the MobSF /upload/ endpoint with multipart APK uploads containing the hardcoded hex payload signature starting with 504b03040a00000800009badf658, as the exploit APK embeds a fixed binary payload.
- →RCE can be achieved by overwriting the jadx binary on the MobSF host via the path traversal; monitor for unexpected modifications to the jadx executable path on systems running MobSF.
- →Use FOFA query 'title="MobSF"' to identify exposed MobSF instances that may be targeted by this vulnerability.
- →The exploit APK uses the internal resource name 'fakeapk-slim' and contains a zip entry 'res/raw/hacked.txt' with a traversal path as the app_name; inspect APK zip entry metadata for anomalous app_name values containing path separators.
- ·The Nuclei template uses a hardcoded static APK hex payload rather than a dynamically generated one, because the exploit is embedded in binary APK/zip format. Detection signatures based on this payload will only match this specific PoC APK and not variants with different traversal targets.
- ·Exploitation requires the attacker to be able to upload an APK to the MobSF instance (i.e., network access to the upload endpoint), and the impact depends on what files the MobSF process user has write access to on the host. ↗
- ·The MobSF fix is in commit 19c1b55c2c59596f2d43439926c9dc976cbeaec4; the underlying apktool fix is in commit d348c43b24a9de350ff6e5bd610545a10c1fc712. Both must be addressed — patching only one may leave the system vulnerable.
CVSS provenance
nvdv3.17.8HIGHCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
osv7.8HIGH
vendor_debian7.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
CVE-2024-21633: Apktool is a tool for reverse engineering Android APK files
osv·2024-01-03·CVSS 7.8
CVE-2024-21633 [HIGH] CVE-2024-21633: Apktool is a tool for reverse engineering Android APK files
Apktool is a tool for reverse engineering Android APK files. In versions 2.9.1 and prior, Apktool infers resource files' output path according to their resource names which can be manipulated by attacker to place files at desired location on the system Apktool runs on. Affected environments are those in which an attacker may write/overwrite any file that user has write access, and either user name is known or cwd is under user folder. Commit d348c43b24a9de350ff6e5bd610545a10c1fc712 contains a patch for this issue.
Debian
CVE-2024-21633: apktool - Apktool is a tool for reverse engineering Android APK files. In versions 2.9.1 a...
vendor_debian·2024·CVSS 7.8
CVE-2024-21633 [HIGH] CVE-2024-21633: apktool - Apktool is a tool for reverse engineering Android APK files. In versions 2.9.1 a...
Apktool is a tool for reverse engineering Android APK files. In versions 2.9.1 and prior, Apktool infers resource files' output path according to their resource names which can be manipulated by attacker to place files at desired location on the system Apktool runs on. Affected environments are those in which an attacker may write/overwrite any file that user has write access, and either user name is known or cwd is under user folder. Commit d348c43b24a9de350ff6e5bd610545a10c1fc712 contains a patch for this issue.
Scope: local
bookworm: resolved (fixed in 2.7.0+dfsg-6+deb12u1)
bullseye: open
forky: resolved (fixed in 2.7.0+dfsg-7)
sid: resolved (fixed in 2.7.0+dfsg-7)
trixie: resolved (fixed in 2.7.0+dfsg-7)
No detection rules found.
Nuclei
MobSF - Path Traversal
nuclei·CVSS 7.8
CVE-2024-21633 [HIGH] MobSF - Path Traversal
MobSF - Path Traversal
MobSF is vulnerable to an issue with apktool (CVE-2024-21633) that allows for RCE or arbitrary file writing. It does this through a path traversal vulnerability. This template tests for it by writing to a local file and reading that file. RCE can be achieved by overwriting jadx, as shown in the two POCs listed as references. The payload for this template exists inside the binary format of an APK, which is a zip file. This means that a hardcoded random hex string is checked for, rather than a standard dynamic random string.
Template:
id: CVE-2024-21633
info:
name: MobSF - Path Traversal
author: Will Mccardell
severity: high
description: |
MobSF is vulnerable to an issue with apktool (CVE-2024-21633) that allows for RCE or arbitrary file writing. It does this throu
No writeups or analysis indexed.
https://github.com/iBotPeaches/Apktool/commit/d348c43b24a9de350ff6e5bd610545a10c1fc712https://github.com/iBotPeaches/Apktool/security/advisories/GHSA-2hqv-2xv4-5h5whttps://github.com/iBotPeaches/Apktool/commit/d348c43b24a9de350ff6e5bd610545a10c1fc712https://github.com/iBotPeaches/Apktool/security/advisories/GHSA-2hqv-2xv4-5h5w
2024-01-03
Published