Share
## https://sploitus.com/exploit?id=014019EE-0C48-576A-908B-4B1C07A97C50
```
  โ•”โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•—
  โ•‘              CVE-2026-0073  //  ADBD BYPASS              โ•‘
  โ•‘    Android ADB Daemon TLS Authentication Bypass PoC      โ•‘
  โ•‘          EVP_PKEY_cmp type confusion exploit              โ•‘
  โ•šโ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•
```

# CVE-2026-0073 โ€” Android ADBD TLS Auth Bypass

### `EVP_PKEY_cmp()` type confusion โ†’ unauthorized ADB shell

[![Python 3.10+](https://img.shields.io/badge/Python-3.10+-3776AB?style=for-the-badge&logo=python&logoColor=white)](https://python.org)
[![CVE-2026-0073](https://img.shields.io/badge/CVE--2026--0073-CRITICAL-DC3545?style=for-the-badge)](https://vulners.com/cve/CVE-2026-0073)
[![Android](https://img.shields.io/badge/Android-14+-3DDC84?style=for-the-badge&logo=android&logoColor=white)](https://android.com)
[![License](https://img.shields.io/badge/License-MIT-yellow?style=for-the-badge)](LICENSE)



---

## ๐Ÿ”ฅ Overview

A **critical authentication bypass** in Android's ADB daemon (`adbd`) allows any attacker on the local network to obtain a **full shell** on a target device **without user authorization**.

The vulnerability exists in `adbd_tls_verify_cert()` within `daemon/auth.cpp`, where `EVP_PKEY_cmp()` is used as a boolean. When the stored key is **RSA** and the presented TLS client certificate carries a **non-RSA key** (EC P-256 or Ed25519), `EVP_PKEY_cmp()` returns **-1** (type mismatch), which is **truthy in C/C++**, so `authorized = true`.

```c
// Vulnerable code pattern in daemon/auth.cpp
if (EVP_PKEY_cmp(peer_key, stored_key)) {  // โ† BUG: -1 is truthy!
    authorized = true;
}
```

| `EVP_PKEY_cmp()` return | Meaning | Truthy in C? | Result |
|:-:|---|:-:|---|
| `1` | Keys match | โœ… | Authorized (correct) |
| `0` | Keys differ | โŒ | Rejected (correct) |
| **`-1`** | **Type mismatch** | **โœ…** | **Authorized (BUG)** |

---

## โšก Quick Start

### Install dependencies

```bash
pip install cryptography
```

### Run the exploit

```bash
# Interactive shell
python adb_tls_auth_bypass.py  

# Single command execution
python adb_tls_auth_bypass.py 192.168.1.42 37521 --cmd "id"

# Verbose mode (see full protocol trace)
python adb_tls_auth_bypass.py 192.168.1.42 37521 -v --cmd "id"
```

### Force a specific key type

```bash
python adb_tls_auth_bypass.py 192.168.1.42 5555 --key-type ec
python adb_tls_auth_bypass.py 192.168.1.42 5555 --key-type ed25519
```

> By default, the script auto-tries **EC P-256 โ†’ Ed25519 โ†’ EC/TLS 1.2** until one succeeds.

---

## ๐ŸŽฏ Exploit Flow

```
   Attacker                          Target (adbd)
      โ”‚                                    โ”‚
      โ”‚โ”€โ”€โ”€โ”€ TCP connect โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ–บโ”‚
      โ”‚โ”€โ”€โ”€โ”€ CNXN (cleartext) โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ–บโ”‚
      โ”‚โ—„โ”€โ”€โ”€ STLS (TLS upgrade request) โ”€โ”€โ”‚
      โ”‚โ”€โ”€โ”€โ”€ STLS reply โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ–บโ”‚
      โ”‚                                    โ”‚
      โ”‚โ•โ•โ•โ• TLS 1.3 Handshake โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ”‚
      โ”‚  (EC P-256 client cert presented)  โ”‚
      โ”‚  EVP_PKEY_cmp(EC, RSA) โ†’ -1       โ”‚
      โ”‚  -1 is truthy โ†’ authorized=true   โ”‚
      โ”‚โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ”‚
      โ”‚                                    โ”‚
      โ”‚โ—„โ”€โ”€โ”€ CNXN (device info) โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”‚
      โ”‚โ”€โ”€โ”€โ”€ OPEN "shell:" โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ–บโ”‚
      โ”‚โ—„โ”€โ”€โ”€ OKAY โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”‚
      โ”‚โ—„โ”€โ”€โ–บ WRTE/OKAY (shell I/O) โ”€โ”€โ”€โ”€โ”€โ”€โ–บโ”‚
      โ”‚                                    โ”‚
    [FULL SHELL ACCESS]                    โ”‚
```

---

## ๐Ÿ“‹ Prerequisites

| Requirement | Details |
|---|---|
| **Developer Options** | Enabled on target device |
| **Wireless Debugging** | Enabled (or ADB over TCP on port 5555) |
| **Stored RSA key** | Device must have been USB-paired at least once (`/data/misc/adb/adb_keys`) |
| **Network access** | Attacker must reach the adbd TCP port |

> โš ๏ธ **Important:** The RSA key must be in `/data/misc/adb/adb_keys`, which is populated via **USB debugging pairing** (accepting the "Allow USB debugging?" dialog). Wireless debugging pairing (`adb pair`) stores keys in a **different location** (`adb_known_hosts.pb`) and does NOT satisfy this requirement.

---

## ๐Ÿ›ก๏ธ Affected Versions

- **Android 14** (AOSP) โ€” โœ… Confirmed vulnerable
- **Android 15** (AOSP) โ€” Likely vulnerable (unpatched builds)
- Vendor-specific builds may vary (Samsung One UI, Pixel, etc.)

### How to check the patch level

```bash
adb shell getprop ro.build.version.security_patch
```

---

## ๐Ÿงช Testing Environment

Tested and confirmed working on:

```
Kernel:   6.1.23-android14-4-00257-g7e35917775b8-ab9964412
Platform: Android 14 (Android Studio Emulator)
```

---

## ๐Ÿ”ง Improvements Over Original

This fork includes several enhancements:

- โœ… **Multi-key fallback** โ€” Auto-tries EC P-256 โ†’ Ed25519 โ†’ EC/TLS 1.2
- โœ… **Ed25519 support** โ€” Alternative key type for broader compatibility
- โœ… **TLS 1.2 fallback** โ€” Different client cert flow (sent during handshake vs post-handshake)
- โœ… **Enhanced certificate** โ€” Proper X.509 extensions (BasicConstraints, KeyUsage)
- โœ… **Windows compatible** โ€” Uses threaded I/O instead of `select()` for cross-platform support
- โœ… **Increased timeouts** โ€” Better reliability on slower networks
- โœ… **Verbose diagnostics** โ€” Detailed protocol trace with `-v` flag

---

## ๐Ÿ“ Project Structure

```
CVE-2026-0073-Android-ADBD-bypass-POC/
โ”œโ”€โ”€ adb_tls_auth_bypass.py    # Main exploit script
โ””โ”€โ”€ README.md                 # This file
```

---

## โš ๏ธ Disclaimer

This tool is provided for **authorized security testing and educational purposes only**. Unauthorized access to computer systems is illegal. Always obtain proper authorization before testing. The author assumes no liability for misuse of this software.

---

## ๐Ÿ“š References

- [CVE-2026-0073 โ€” MITRE](https://vulners.com/cve/CVE-2026-0073)
- [Android Security Bulletin](https://source.android.com/docs/security/bulletin)
- [OpenSSL `EVP_PKEY_cmp` documentation](https://www.openssl.org/docs/man3.0/man3/EVP_PKEY_cmp.html)
- [ADB Protocol Reference](https://android.googlesource.com/platform/packages/modules/adb/+/refs/heads/main/protocol.txt)

---



**If this helped your research, drop a โญ**