When I first stumbled across Android4 on VulnHub, it immediately struck me as unique in that it was an Android phone emulator touted as a vulnerable VM. While that in and of itself is unique, the VM itself is really no different from any other *NIX vulnerable VM, as Android is just an OS based on the Linux kernel. Keeping that in mind, I booted it up and dove in.
The first thing I did was, of course, run nmap. My findings were pretty underwhelming.
An http-proxy service running on port 8080 and a service running on port 5555 called “freeciv”. My first thought was to check out the web service on 8080, but after running a fuzz test on it as well as nikto, and getting some false positives, I decided to navigate to the page itself and see whether there were any vulnerabilities in the source code. The web page consisted of a few lines of HTML and said something written in broken English about a back door. The page also mentioned something about POST requests. But POST requests to what page? The web page had no forms, nowhere a user was entering any data, nor were there any functions in the page that were visibly passing data to the back end. Using the web dev tools of my browser as well as a proxy that intercepted all my requests to the page before forwarding them, I determined that there really were no other requests being made when I loaded the page besides the one requesting the root directory itself. No exploitable JS objects, no weird network calls, nothing. So the service on port 8080 was a dead end (please leave a comment if you found a way to leverage this service!).
Next up was the service on port 5555. I first googled the name of the service, as it was unfamiliar to me, and found that freeciv is actually a video game for Android phones. Searching for exploits relating to it was fruitless. However, searches related to “Android port 5555 exploit” did yield promising results. As it turns out, some Android phones have recently been shipping with a feature called Android Debug Bridge that runs on port 5555. This feature enables users to remotely connect to the service from any device and, after doing so, be given access to tools including a Unix shell. This is great for developers, as it is sort of like remotely booting into the device at run level 1: if you accidentally bricked your device and the GUI is no longer functional, you can still access it and potentially reverse the damage. The bad news here is that this service allows you to access the device as root, as I soon found out. I did not have adb installed on my Kali VM, but I quickly did so with a simple apt-get install adb. I then connected to the “phone” via “adb connect 192.168.1.10:5555” and then “adb shell”, where I was met with a strange looking shell.
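The nmap label “freeciv” above comes from nmap's port-number table, not from anything the service said, which is why the port looked harmless at first. What actually distinguishes adbd from anything else on 5555 is its wire protocol: every ADB message starts with a 24-byte little-endian header (command word, two arguments, payload length, payload checksum, and the command word bitwise-inverted as a magic value), and the first thing a device sends is a CNXN message whose payload is an identity string such as “device::ro.product.name=…;”. The following parser is an added example written for this post, not code from the original write-up; it validates such a banner and pulls out the device properties, so a defender who captures traffic on port 5555 (or collects banners during an asset-inventory scan of their own network) can tell which hosts are phones with ADB over TCP enabled and get them turned off. The sample banner bytes are constructed here for the example, as is the non-ADB HTTP banner used for comparison.

```python
import struct
from typing import Optional, Dict, Any

# ADB wire-protocol constants (from the protocol description shipped with the
# Android platform source, adb/protocol.txt).
ADB_HEADER_FMT = "<6I"  # command, arg0, arg1, data_length, data_check, magic
ADB_HEADER_LEN = struct.calcsize(ADB_HEADER_FMT)  # 24 bytes
A_CNXN = 0x4E584E43  # the bytes b"CNXN" read as a little-endian uint32
# From protocol version 0x01000001 onward the payload checksum may be sent as 0.
A_VERSION_SKIP_CHECKSUM = 0x01000001


def parse_adb_message(raw: bytes) -> Dict[str, Any]:
    """Parse one ADB message (header + payload) and validate its integrity.

    Raises ValueError when the bytes are not a well-formed ADB message, which
    is exactly what lets a caller separate "this is adbd" from "this is some
    other service that happens to live on port 5555".
    """
    if len(raw) < ADB_HEADER_LEN:
        raise ValueError("too short for an ADB header")
    cmd, arg0, arg1, dlen, dcheck, magic = struct.unpack(
        ADB_HEADER_FMT, raw[:ADB_HEADER_LEN]
    )
    # Every ADB header carries its command word bitwise-inverted as the magic.
    if magic != (cmd ^ 0xFFFFFFFF):
        raise ValueError("magic does not match command word")
    payload = raw[ADB_HEADER_LEN:ADB_HEADER_LEN + dlen]
    if len(payload) != dlen:
        raise ValueError("payload truncated")
    # The checksum is a plain byte sum modulo 2^32; 0 means "not computed".
    if dcheck != 0 and dcheck != (sum(payload) & 0xFFFFFFFF):
        raise ValueError("payload checksum mismatch")
    return {
        "command": struct.pack("<I", cmd).decode("ascii", "replace"),
        "arg0": arg0,
        "arg1": arg1,
        "payload": payload,
    }


def identify_adb_banner(raw: bytes) -> Optional[Dict[str, Any]]:
    """Return device identity fields if `raw` is an adbd CNXN banner, else None."""
    try:
        msg = parse_adb_message(raw)
    except ValueError:
        return None
    if msg["command"] != "CNXN":
        return None
    ident = msg["payload"].rstrip(b"\x00").decode("utf-8", "replace")
    # Banner shape: "<type>::key=value;key=value;" with type device/host/bootloader.
    kind, _, props = ident.partition("::")
    fields: Dict[str, Any] = {
        "type": kind,
        "version": hex(msg["arg0"]),
        "maxdata": msg["arg1"],
    }
    for item in props.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            fields[key] = value
    return fields


# Constructed sample of what adbd sends on connect (identity string is made up
# to look like an emulator; checksum and magic computed per the protocol).
_SAMPLE_IDENTITY = (
    b"device::ro.product.name=sdk;"
    b"ro.product.model=Android SDK built for x86;"
    b"ro.product.device=generic_x86;\x00"
)
_SAMPLE_CNXN = struct.pack(
    ADB_HEADER_FMT,
    A_CNXN, 0x01000000, 0x00100000,
    len(_SAMPLE_IDENTITY), sum(_SAMPLE_IDENTITY) & 0xFFFFFFFF,
    A_CNXN ^ 0xFFFFFFFF,
) + _SAMPLE_IDENTITY
# Constructed non-ADB banner for comparison (what an HTTP server might answer).
_SAMPLE_OTHER = b"HTTP/1.1 400 Bad Request\r\n\r\n"


if __name__ == "__main__":
    for label, banner in (("port 5555 sample", _SAMPLE_CNXN), ("http sample", _SAMPLE_OTHER)):
        found = identify_adb_banner(banner)
        print(label, "->", "adbd:" if found else "not adbd", found or "")
```

Anything that parses as a CNXN message with a matching magic and checksum is adbd regardless of what nmap's table calls the port; a corrupted or truncated capture fails validation and is reported as not adbd rather than guessed at. Once a host is identified this way, the fix is the one the post arrives at: turn ADB over TCP off on that device.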
Since my reading said this service allows you to run as root, I simply typed “su” and boom, root shell. A quick “cat /data/root/Flag.txt” and I was met with
But what is the underlying message here, really? Had someone had this enabled like it was here, I could have done the same thing provided I had a laptop on me. This could be a huge problem in a public place: can you imagine how much havoc you could wreak in a coffee shop with a few people who unknowingly had this enabled on their phones? The solution is clear: disable this feature unless you need it! Details can be found here on how to do it.
Thanks for reading! Follow me on twitter SamSepi0l