Arbitrary File Write On Client By ADB Pull
The Android Debug Bridge, ADB, contains a long-standing vulnerability. It can have a rather severe impact, but only under some pretty unusual circumstances. Tl;dr: Executing an adb pull command against a malicious Android device or ADB daemon can lead to arbitrary file writes, pretty easily escalating to code execution.
There are three notable pieces worth discussing when it comes to ADB:
- Device-side ADB server (this runs on your Android device and facilitates debugging, running shells, etc.)
- ADB daemon (this runs on your machine on port 5037 and talks to the device side, acting as a dumb proxy)
- ADB client (this talks to the ADB daemon)
We’re going to examine what happens if you run a simple pull command:
adb pull /foo
- The ADB client (hereafter just referred to as ADB) attempts to connect to localhost:5037
- If it fails to connect, the ADB daemon...