## https://sploitus.com/exploit?id=20557F2C-42AE-5B1F-BCF0-6B6EBE49885A
# CVE-2026-0073 – Android ADBD TLS Authentication Bypass

### `EVP_PKEY_cmp()` Type Confusion → Unauthorized ADB Shell Access

[![Python 3.10+](https://img.shields.io/badge/Python-3.10+-3776AB?style=for-the-badge&logo=python&logoColor=white)](https://python.org)  
[![CVE-2026-0073](https://img.shields.io/badge/CVE--2026--0073-CRITICAL-DC3545?style=for-the-badge)](https://vulners.com/cve/CVE-2026-0073)  
[![Android](https://img.shields.io/badge/Android-14+-3DDC84?style=for-the-badge&logo=android&logoColor=white)](https://android.com)  
[![License](https://img.shields.io/badge/License-MIT-yellow?style=for-the-badge)](License)

---

## 🔥 Overview

There is a **critical authentication bypass** vulnerability in the Android ADB daemon (`adbd`) that allows any attacker on the local network to obtain **full shell access** to the target device **without requiring user authorization**. The vulnerability resides in the `adbd_tls_verify_cert()` function in `daemon/auth.cpp`, where the return value of `EVP_PKEY_cmp()` is used directly as a boolean. When the stored key is an **RSA** key and the presented TLS client certificate carries a **non-RSA key** (e.g., EC P-256 or Ed25519), `EVP_PKEY_cmp()` returns **-1** (key type mismatch), and any non-zero value is **true** in **C/C++**. Thus `authorized = true`.  
Example:
```c
// Vulnerable code snippet in daemon/auth.cpp
if (EVP_PKEY_cmp(peer_key, stored_key)) {  // BUG: -1 (type mismatch) is non-zero, hence true
    authorized = true;
}
```
| `EVP_PKEY_cmp()` Return Value | Meaning | True in C? | Result |
| --- | --- | --- | --- |
| `1` | Keys match | ✅ | Authorized (correct) |
| `0` | Keys differ | ❌ | Denied (correct) |
| `-1` | Key type mismatch | **✅** | Authorized (buggy) |

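The table reduces to one predicate: access may be granted only when the comparison returns exactly `1`. The following Python model is added here as an example; it is neither the PoC script nor adbd's code. It mirrors the documented return contract of OpenSSL's `EVP_PKEY_cmp()` (1 = same public key, 0 = different keys of the same type, -1 = key types differ) over `cryptography` key objects (the library the Quick Start installs), then runs the vulnerable truthiness check and the corrected `== 1` check side by side against an RSA-only authorized-key list, covering both the EC P-256 and the Ed25519 cases mentioned above. The names `evp_pkey_cmp_model`, `vulnerable_is_authorized`, `fixed_is_authorized` and `demo` are the example's own.

```python
"""Model of the EVP_PKEY_cmp() truthiness bug and its fix (added example, not
the PoC's or adbd's code). evp_pkey_cmp_model() is a Python model of the
documented EVP_PKEY_cmp() return contract, not a binding to OpenSSL."""
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import ec, ed25519, rsa

# Key families the model distinguishes; anything else is reported as "other".
_FAMILIES = (
    ("RSA", (rsa.RSAPrivateKey, rsa.RSAPublicKey)),
    ("EC", (ec.EllipticCurvePrivateKey, ec.EllipticCurvePublicKey)),
    ("Ed25519", (ed25519.Ed25519PrivateKey, ed25519.Ed25519PublicKey)),
)


def _key_family(key):
    for name, classes in _FAMILIES:
        if isinstance(key, classes):
            return name
    return "other"


def _public_bytes(key):
    # Accept private or public key objects; DER SubjectPublicKeyInfo encodes
    # both the algorithm identifier and the key material, so byte equality is
    # a faithful "same public key" test.
    pub = key.public_key() if hasattr(key, "public_key") else key
    return pub.public_bytes(
        serialization.Encoding.DER,
        serialization.PublicFormat.SubjectPublicKeyInfo,
    )


def evp_pkey_cmp_model(peer_key, stored_key):
    """Return 1 / 0 / -1 with the same meaning as OpenSSL's EVP_PKEY_cmp()."""
    if _key_family(peer_key) != _key_family(stored_key):
        return -1  # type mismatch, e.g. EC or Ed25519 peer key vs. stored RSA key
    return 1 if _public_bytes(peer_key) == _public_bytes(stored_key) else 0


def vulnerable_is_authorized(peer_key, stored_keys):
    # Mirrors the buggy `if (EVP_PKEY_cmp(...))`: any non-zero result is truthy,
    # so a type mismatch (-1) grants access.
    return any(evp_pkey_cmp_model(peer_key, k) for k in stored_keys)


def fixed_is_authorized(peer_key, stored_keys):
    # Corrected check: only an exact match (return value 1) may grant access.
    return any(evp_pkey_cmp_model(peer_key, k) == 1 for k in stored_keys)


def demo():
    """Run both checks against a constructed RSA-only authorized-key list."""
    stored_rsa = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    authorized_keys = [stored_rsa]  # constructed stand-in for adb_keys contents

    peer_ec = ec.generate_private_key(ec.SECP256R1())       # EC P-256 client key
    peer_ed = ed25519.Ed25519PrivateKey.generate()          # Ed25519 client key
    other_rsa = rsa.generate_private_key(public_exponent=65537, key_size=2048)

    return {
        "cmp_ec_vs_rsa": evp_pkey_cmp_model(peer_ec, stored_rsa),
        "cmp_other_rsa_vs_rsa": evp_pkey_cmp_model(other_rsa, stored_rsa),
        "cmp_same_rsa": evp_pkey_cmp_model(stored_rsa, stored_rsa),
        "vulnerable_ec": vulnerable_is_authorized(peer_ec, authorized_keys),
        "vulnerable_ed25519": vulnerable_is_authorized(peer_ed, authorized_keys),
        "vulnerable_other_rsa": vulnerable_is_authorized(other_rsa, authorized_keys),
        "fixed_ec": fixed_is_authorized(peer_ec, authorized_keys),
        "fixed_ed25519": fixed_is_authorized(peer_ed, authorized_keys),
        "fixed_same_rsa": fixed_is_authorized(stored_rsa, authorized_keys),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it directly to print the comparison results. The `-2` code OpenSSL uses for unsupported comparisons is left out of the model because it plays no role in this bug; the correct check generalises to it anyway, since everything other than `1` is treated as "not authorized".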
---

## ⚡ Quick Start

### Install Dependencies

```bash
pip install cryptography
```

### Run the Exploit

```bash
# Interactive shell
python adb_tls_auth_bypass.py

# Single command execution
python adb_tls_auth_bypass.py 192.168.1.42 37521 --cmd "id"

# Detailed mode (view full protocol trace)
python adb_tls_auth_bypass.py 192.168.1.42 37521 -v --cmd "id"
```

### Force Use Specific Key Types

```bash
python adb_tls_auth_bypass.py 192.168.1.42 5555 --key-type ec
python adb_tls_auth_bypass.py 192.168.1.42 5555 --key-type ed25519
```

> By default, the script will automatically try **EC P-256 → Ed25519 → EC/TLS 1.2** until success.

---

## 🎯 Exploitation Process

```
Attacker                                            adbd
   │                                                  │
   │──── TCP connection ────────────────────────────►│
   │──── CNXN (plaintext) ──────────────────────────►│
   │◄─── STLS (TLS upgrade request) ─────────────────│
   │──── STLS reply ────────────────────────────────►│
   │                                                  │
   │════ TLS 1.3 handshake ══════════════════════════│
   │     (EC P-256 client certificate submitted)      │
   │                                                  │
   │                      EVP_PKEY_cmp(EC, RSA) → -1  │
   │                      -1 is true → authorized=true│
   │                                                  │
   │◄─── CNXN (device information) ──────────────────│
   │──── OPEN "shell:" ─────────────────────────────►│
   │◄─── OKAY ───────────────────────────────────────│
   │◄──► WRTE/OKAY (shell I/O) ─────────────────────►│
   │                                                  │
   [Full shell access]
```

---

## 📋 Prerequisites

| Requirement | Details |
|---|---|
| **Developer Options** | Enabled on the target device |
| **Wireless Debugging** | Enabled (or using ADB via TCP port 5555) |
| **Stored RSA Key** | The device must have been paired at least once via USB (`/data/misc/adb/adb_keys`) |
| **Network Access** | The attacker must have access to the adbd TCP port |

⚠️ **Note:** The RSA key must be present in the `/data/misc/adb/adb_keys` file. This file is populated through **USB debugging pairing** (accepting the “Allow USB debugging?” dialog). Wireless debugging pairing (`adb pair`) stores the key in a **different location** (`adb_known_hosts.pb`), so it does not meet this requirement.

---

## πŸ›‘οΈ Affected Versions

- **Android 14** (AOSP) β€” βœ… Vulnerability confirmed
- **Android 15** (AOSP) β€” Vulnerabilities may exist in unpatched versions
- Versions from different manufacturers may vary (e.g., Samsung One UI, Pixel, etc.). ### How to check patch level

```bash
adb shell getprop ro.build.version.security_patch
```

---

## 🧪 Test Environment

Tested to work correctly on the following devices:

```
Kernel: 6.1.23-android14-4-00257-g7e35917775b8-ab9964412
Platform: Android 14 (Android Studio emulator)
```

---

## 🔧 Improvements over the original version

This branch includes the following improvements:

- ✅ **Multi-key fallback** — Automatically tries EC P-256 → Ed25519 → EC/TLS 1.2
- ✅ **Ed25519 Support** — Provides a more widely compatible alternative key type
- ✅ **TLS 1.2 Fallback** — Different client certificate handling (sent during the handshake vs. after the handshake)
- ✅ **Enhanced Certificates** — Correct X.509 extensions (BasicConstraints, KeyUsage)
- ✅ **Windows Compatibility** — Uses threaded I/O instead of `select()` for cross-platform support
- ✅ **Increased Timeout** — Provides higher reliability on slower networks
- ✅ **Detailed Diagnostic Information** — Displays a detailed protocol trace with the `-v` flag

---

## πŸ“ Project Structure

```
CVE-2026-0073-Android-ADBD-bypass-POC/
├── adb_tls_auth_bypass.py   # Main exploitation script
└── README.md                # This file
```

---

## ⚠️ Disclaimer

This tool is intended only for **authorized security testing and education purposes**. Unauthorized access to computer systems is illegal. Please obtain proper authorization before testing. The author assumes no responsibility for misuse of this software.

---

## 📚 References

- [CVE-2026-0073 — MITRE](https://vulners.com/cve/CVE-2026-0073)
- [Android Security Bulletins](https://source.android.com/docs/security/bulletin)
- [OpenSSL `EVP_PKEY_cmp` Documentation](https://www.openssl.org/docs/man3.0/man3/EVP_PKEY_cmp.html)
- [ADB Protocol Reference](https://android.googlesource.com/platform/packages/modules/adb/+/refs/heads/main/protocol.txt)

---

**If this helps you, please give it a like ⭐**