Share
## https://sploitus.com/exploit?id=EC970BDC-C657-5C32-B394-1A23DB70C00F
# ๐Ÿ”“ CVE-2026-0073: Android adbd Authentication Bypass

> **Proof of Concept for the Wireless ADB TLS Auth Bypass vulnerability.**
> *Discovered by Barghest, PoC by SecTestAnnaQuinn.*

![Banner](./header.png)

## ๐Ÿ“‹ Overview

CVE-2026-0073 is a critical logic vulnerability in the Android Debug Bridge daemon (`adbd`) that allows an unauthenticated attacker on the same network to obtain a remote shell as the `shell` user.

The flaw lies in the `adbd_tls_verify_cert()` function within `daemon/auth.cpp`. The code incorrectly handles the return value of `EVP_PKEY_cmp()` during TLS client certificate validation.

### The Mechanics
When a client connects via Wireless ADB, a mutual TLS handshake occurs. The device compares the client's public key against stored authorized keys.
- If the stored key is **RSA** and the client presents an **EC** (Elliptic Curve) key, `EVP_PKEY_cmp()` returns `-1` (type mismatch).
- In C/C++, `-1` is truthy.
- The logic treats any non-zero value as a successful match โ†’ **Authentication Bypass**.

---

## ๐Ÿš€ Impact

- **Zero-Click:** No user interaction, prompts, or pairing codes required (if at least one key was previously paired).
- **Remote Access:** Full `shell` user access over the network.
- **Scope:** Android 14, 15, 16 (pre-May 2026 patch).

---

## ๐Ÿ› ๏ธ Requirements

- **Wireless Debugging** or **ADB-over-TCP** enabled.
- Target device must have been **paired at least once** (existence of `/data/misc/adb/adb_keys`).
- **Same Local Network** access.

---

## ๐Ÿƒ Usage

1. **Install dependencies:**
   ```bash
   pip install cryptography
   ```

2. **Run the exploit:**
   ```bash
   # Single command
   python adb_tls_auth_bypass.py   --cmd "id"
   
   # Interactive shell
   python adb_tls_auth_bypass.py  
   ```

---

## ๐Ÿ›ก๏ธ Mitigation

- Update to the **May 2026** security patch level (2026-05-01 or later).
- Disable **Wireless Debugging** when not in use.
- Revoke authorized keys in Developer Options regularly.

---

## โš–๏ธ Legal Disclaimer

This repository is for **educational and authorized security testing purposes only**. Unauthorized access to computer systems is illegal. The author assumes no liability for misuse of this information.