cbcvebase.
CVE-2024-21633
published 2024-01-03

CVE-2024-21633: Apktool is a tool for reverse engineering Android APK files. In versions 2.9.1 and prior, Apktool infers resource files' output path according to their…

PriorityP345high7.8CVSS 3.1
AVLACLPRNUIRSUCHIHAH
EXPLOIT
EPSS
1.32%
67.3th percentile
Apktool is a tool for reverse engineering Android APK files. In versions 2.9.1 and prior, Apktool infers resource files' output path according to their resource names which can be manipulated by attacker to place files at desired location on the system Apktool runs on. Affected environments are those in which an attacker may write/overwrite any file that user has write access, and either user name is known or cwd is under user folder. Commit d348c43b24a9de350ff6e5bd610545a10c1fc712 contains a patch for this issue.

Affected

6 ranges
VendorProductVersion rangeFixed in
apktoolapktool< 2.9.22.9.2
apktoolapktool>= 0 < 2.7.0+dfsg-6+deb12u12.7.0+dfsg-6+deb12u1
apktoolapktool>= 0 < 2.7.0+dfsg-72.7.0+dfsg-7
apktoolapktool>= 0 < 2.7.0+dfsg-72.7.0+dfsg-7
debianapktool< apktool 2.7.0+dfsg-6+deb12u1 (bookworm)apktool 2.7.0+dfsg-6+deb12u1 (bookworm)
ibotpeachesapktool<= 2.9.1

Detection & IOCsextracted from sources · hover to see the quote

filenamepoc.apk
url/upload/
pathres/raw/hacked.txt
filenamehacked.txt
bytes
504b03040a00000800009badf658ef61a43018030000180300000e0000007265736f75726365732e61727363
  • Detect path traversal in APK resource names: look for resource file names containing '../' sequences (e.g., '../../../../../../.MobSF/downloads/') within APK zip entries, which are used to escape the output directory during apktool extraction.
  • Monitor POST requests to the MobSF /upload/ endpoint with multipart APK uploads containing the hardcoded hex payload signature starting with 504b03040a00000800009badf658, as the exploit APK embeds a fixed binary payload.
  • RCE can be achieved by overwriting the jadx binary on the MobSF host via the path traversal; monitor for unexpected modifications to the jadx executable path on systems running MobSF.
  • Use FOFA query 'title="MobSF"' to identify exposed MobSF instances that may be targeted by this vulnerability.
  • The exploit APK uses the internal resource name 'fakeapk-slim' and contains a zip entry 'res/raw/hacked.txt' with a traversal path as the app_name; inspect APK zip entry metadata for anomalous app_name values containing path separators.
  • ·The Nuclei template uses a hardcoded static APK hex payload rather than a dynamically generated one, because the exploit is embedded in binary APK/zip format. Detection signatures based on this payload will only match this specific PoC APK and not variants with different traversal targets.
  • ·Exploitation requires the attacker to be able to upload an APK to the MobSF instance (i.e., network access to the upload endpoint), and the impact depends on what files the MobSF process user has write access to on the host.
  • ·The MobSF fix is in commit 19c1b55c2c59596f2d43439926c9dc976cbeaec4; the underlying apktool fix is in commit d348c43b24a9de350ff6e5bd610545a10c1fc712. Both must be addressed — patching only one may leave the system vulnerable.

CVSS provenance

nvdv3.17.8HIGHCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
osv7.8HIGH
vendor_debian7.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.