Share
## https://sploitus.com/exploit?id=014019EE-0C48-576A-908B-4B1C07A97C50
```
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ CVE-2026-0073 // ADBD BYPASS โ
โ Android ADB Daemon TLS Authentication Bypass PoC โ
โ EVP_PKEY_cmp type confusion exploit โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
```
# CVE-2026-0073 โ Android ADBD TLS Auth Bypass
### `EVP_PKEY_cmp()` type confusion โ unauthorized ADB shell
[](https://python.org)
[](https://vulners.com/cve/CVE-2026-0073)
[](https://android.com)
[](LICENSE)
---
## ๐ฅ Overview
A **critical authentication bypass** in Android's ADB daemon (`adbd`) allows any attacker on the local network to obtain a **full shell** on a target device **without user authorization**.
The vulnerability exists in `adbd_tls_verify_cert()` within `daemon/auth.cpp`, where `EVP_PKEY_cmp()` is used as a boolean. When the stored key is **RSA** and the presented TLS client certificate carries a **non-RSA key** (EC P-256 or Ed25519), `EVP_PKEY_cmp()` returns **-1** (type mismatch), which is **truthy in C/C++**, so `authorized = true`.
```c
// Vulnerable code pattern in daemon/auth.cpp
if (EVP_PKEY_cmp(peer_key, stored_key)) { // โ BUG: -1 is truthy!
authorized = true;
}
```
| `EVP_PKEY_cmp()` return | Meaning | Truthy in C? | Result |
|:-:|---|:-:|---|
| `1` | Keys match | โ
| Authorized (correct) |
| `0` | Keys differ | โ | Rejected (correct) |
| **`-1`** | **Type mismatch** | **โ
** | **Authorized (BUG)** |
---
## โก Quick Start
### Install dependencies
```bash
pip install cryptography
```
### Run the exploit
```bash
# Interactive shell
python adb_tls_auth_bypass.py
# Single command execution
python adb_tls_auth_bypass.py 192.168.1.42 37521 --cmd "id"
# Verbose mode (see full protocol trace)
python adb_tls_auth_bypass.py 192.168.1.42 37521 -v --cmd "id"
```
### Force a specific key type
```bash
python adb_tls_auth_bypass.py 192.168.1.42 5555 --key-type ec
python adb_tls_auth_bypass.py 192.168.1.42 5555 --key-type ed25519
```
> By default, the script auto-tries **EC P-256 โ Ed25519 โ EC/TLS 1.2** until one succeeds.
---
## ๐ฏ Exploit Flow
```
Attacker Target (adbd)
โ โ
โโโโโ TCP connect โโโโโโโโโโโโโโโโโโโบโ
โโโโโ CNXN (cleartext) โโโโโโโโโโโโโบโ
โโโโโ STLS (TLS upgrade request) โโโ
โโโโโ STLS reply โโโโโโโโโโโโโโโโโโโบโ
โ โ
โโโโโ TLS 1.3 Handshake โโโโโโโโโโโโโ
โ (EC P-256 client cert presented) โ
โ EVP_PKEY_cmp(EC, RSA) โ -1 โ
โ -1 is truthy โ authorized=true โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ โ
โโโโโ CNXN (device info) โโโโโโโโโโโ
โโโโโ OPEN "shell:" โโโโโโโโโโโโโโโโบโ
โโโโโ OKAY โโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโบ WRTE/OKAY (shell I/O) โโโโโโโบโ
โ โ
[FULL SHELL ACCESS] โ
```
---
## ๐ Prerequisites
| Requirement | Details |
|---|---|
| **Developer Options** | Enabled on target device |
| **Wireless Debugging** | Enabled (or ADB over TCP on port 5555) |
| **Stored RSA key** | Device must have been USB-paired at least once (`/data/misc/adb/adb_keys`) |
| **Network access** | Attacker must reach the adbd TCP port |
> โ ๏ธ **Important:** The RSA key must be in `/data/misc/adb/adb_keys`, which is populated via **USB debugging pairing** (accepting the "Allow USB debugging?" dialog). Wireless debugging pairing (`adb pair`) stores keys in a **different location** (`adb_known_hosts.pb`) and does NOT satisfy this requirement.
---
## ๐ก๏ธ Affected Versions
- **Android 14** (AOSP) โ โ
Confirmed vulnerable
- **Android 15** (AOSP) โ Likely vulnerable (unpatched builds)
- Vendor-specific builds may vary (Samsung One UI, Pixel, etc.)
### How to check the patch level
```bash
adb shell getprop ro.build.version.security_patch
```
---
## ๐งช Testing Environment
Tested and confirmed working on:
```
Kernel: 6.1.23-android14-4-00257-g7e35917775b8-ab9964412
Platform: Android 14 (Android Studio Emulator)
```
---
## ๐ง Improvements Over Original
This fork includes several enhancements:
- โ
**Multi-key fallback** โ Auto-tries EC P-256 โ Ed25519 โ EC/TLS 1.2
- โ
**Ed25519 support** โ Alternative key type for broader compatibility
- โ
**TLS 1.2 fallback** โ Different client cert flow (sent during handshake vs post-handshake)
- โ
**Enhanced certificate** โ Proper X.509 extensions (BasicConstraints, KeyUsage)
- โ
**Windows compatible** โ Uses threaded I/O instead of `select()` for cross-platform support
- โ
**Increased timeouts** โ Better reliability on slower networks
- โ
**Verbose diagnostics** โ Detailed protocol trace with `-v` flag
---
## ๐ Project Structure
```
CVE-2026-0073-Android-ADBD-bypass-POC/
โโโ adb_tls_auth_bypass.py # Main exploit script
โโโ README.md # This file
```
---
## โ ๏ธ Disclaimer
This tool is provided for **authorized security testing and educational purposes only**. Unauthorized access to computer systems is illegal. Always obtain proper authorization before testing. The author assumes no liability for misuse of this software.
---
## ๐ References
- [CVE-2026-0073 โ MITRE](https://vulners.com/cve/CVE-2026-0073)
- [Android Security Bulletin](https://source.android.com/docs/security/bulletin)
- [OpenSSL `EVP_PKEY_cmp` documentation](https://www.openssl.org/docs/man3.0/man3/EVP_PKEY_cmp.html)
- [ADB Protocol Reference](https://android.googlesource.com/platform/packages/modules/adb/+/refs/heads/main/protocol.txt)
---
**If this helped your research, drop a โญ**