diff --git a/src/mobile-pentesting/android-app-pentesting/intent-injection.md b/src/mobile-pentesting/android-app-pentesting/intent-injection.md index 94e3d22878c..5864ffa4044 100644 --- a/src/mobile-pentesting/android-app-pentesting/intent-injection.md +++ b/src/mobile-pentesting/android-app-pentesting/intent-injection.md @@ -53,6 +53,63 @@ Mitigations - Only enable JavaScript after all checks pass and just before loading trusted content. - Avoid exposing bridges to untrusted origins. +## Unity Runtime: Intent-to-CLI extras → pre-init native library injection (RCE) + +Unity-based Android apps typically use `com.unity3d.player.UnityPlayerActivity` (or `UnityPlayerGameActivity`) as the entry Activity. Unity’s Android template treats a special Intent extra named `unity` as a string of command-line flags for the Unity runtime. When the entry Activity is exported (default in many templates), any local app – and sometimes a website if `BROWSABLE` is present – can supply this extra. + +A dangerous, undocumented flag leads to native code execution during very early process initialization: + +- Hidden flag: `-xrsdk-pre-init-library ` +- Effect: `dlopen(, RTLD_NOW)` very early in init, loading attacker-controlled ELF inside the target app’s process with its UID and permissions. + +Reverse-engineering excerpt (simplified): +```c +// lookup the arg value +initLibPath = FUN_00272540(uVar5, "xrsdk-pre-init-library"); +// load arbitrary native library early +lVar2 = dlopen(initLibPath, 2); // RTLD_NOW +``` + +Why it works +- The Intent extra `unity` is parsed into Unity runtime flags. +- Supplying the pre-init flag points Unity at an attacker-controlled ELF path within an allowed linker namespace path (see constraints below). + +Conditions for exploitation +- The Unity entry Activity is exported (commonly true by default). +- For one-click remote via browser: the entry Activity also declares `android.intent.category.BROWSABLE` so extras can be passed from an `intent:` URL. + +Local exploitation (same device) +1) Place a payload ELF at a path readable by the victim app. Easiest: ship a malicious library in your own attacker app and ensure it is extracted under `/data/app/.../lib//` by setting in the attacker’s manifest: +```xml + +``` +2) Launch the victim’s Unity activity with the CLI pre-init flag in the `unity` extra. Example ADB PoC: +```bash +adb shell am start \ + -n com.victim.pkg/com.unity3d.player.UnityPlayerActivity \ + -e unity "-xrsdk-pre-init-library /data/app/~~ATTACKER_PKG==/lib/arm64/libpayload.so" +``` +3) Unity calls `dlopen("/data/.../libpayload.so", RTLD_NOW)`; your payload runs in the victim process, inheriting all its app permissions (camera/mic/network/storage, etc.) and access to in-app sessions/data. + +Notes +- The exact `/data/app/...` path varies across devices/installs. An attacker app can retrieve its own native lib dir at runtime via `getApplicationInfo().nativeLibraryDir` and communicate it to the trigger. +- The file need not end with `.so` if it is a valid ELF – `dlopen()` cares about ELF headers, not extensions. + +Remote one‑click via browser (conditional) +If the Unity entry activity is exported with `BROWSABLE`, a website can pass extras via an `intent:` URL: +```text +intent:#Intent;package=com.example.unitygame;scheme=whatever;\ +S.unity=-xrsdk-pre-init-library%20/data/local/tmp/malicious.so;end; +``` +However, on modern Android the dynamic linker namespaces and SELinux block loading from many public paths (e.g., `/sdcard/Download`). You’ll see errors like: +``` +library "/sdcard/Download/libtest.so" ("/storage/emulated/0/Download/libtest.so") needed +or dlopened by "/data/app/.../lib/arm64/libunity.so" is not accessible for the +namespace: [name="clns-...", ... permitted_paths="/data:/mnt/expand:/data/data/com.example.unitygame"] +``` +Bypass strategy: target apps that cache attacker-controlled bytes under their private storage (e.g., HTTP caches). Because permitted paths include `/data` and the app’s private dir, pointing `-xrsdk-pre-init-library` at an absolute path inside the app’s cache can satisfy linker constraints and yield code execution. This mirrors prior cache-to-ELF RCE patterns experienced in other Android apps. + + ## Other classic Intent injection primitives - startActivity/sendBroadcast using attacker-supplied `Intent` extras that are later re-parsed (`Intent.parseUri(...)`) and executed. @@ -219,5 +276,9 @@ Mitigations (developer checklist) - [CVE-2022-36837 – CVE.org](https://www.cve.org/CVERecord?id=CVE-2022-36837) - [CVE-2021-4438 – NVD](https://nvd.nist.gov/vuln/detail/CVE-2021-4438) - [CVE-2020-14116 – NVD](https://nvd.nist.gov/vuln/detail/CVE-2020-14116) +- [CVE-2025-59489 – Arbitrary Code Execution in Unity Runtime (blog)](https://flatt.tech/research/posts/arbitrary-code-execution-in-unity-runtime/) +- [Unity docs – Android custom activity command-line](https://docs.unity3d.com/6000.0/Documentation/Manual/android-custom-activity-command-line.html) +- [Unity Security Sept-2025-01 advisory](https://unity.com/security/sept-2025-01) +- [HEXACON talk – Messenger one-click cache-based RCE pattern (slides)](https://www.hexacon.fr/slides/Calvanno-Defense_through_Offense_Building_a_1-click_Exploit_Targeting_Messenger_for_Android.pdf) -{{#include ../../banners/hacktricks-training.md}} \ No newline at end of file +{{#include ../../banners/hacktricks-training.md}} diff --git a/src/mobile-pentesting/android-checklist.md b/src/mobile-pentesting/android-checklist.md index 0b4da25ef1d..198e51e5355 100644 --- a/src/mobile-pentesting/android-checklist.md +++ b/src/mobile-pentesting/android-checklist.md @@ -29,6 +29,7 @@ - [ ] Check if the application is in debug mode and try to "exploit" it - [ ] Check if the APK allows backups - [ ] Exported Activities + - [ ] Unity Runtime: exported UnityPlayerActivity/UnityPlayerGameActivity with a `unity` CLI extras bridge. Test `-xrsdk-pre-init-library ` for pre-init `dlopen()` RCE. See [Intent Injection → Unity Runtime](android-app-pentesting/intent-injection.md). - [ ] Content Providers - [ ] Exposed services - [ ] Broadcast Receivers @@ -75,4 +76,8 @@ - [ ] [Read here](android-app-pentesting/index.html#obfuscating-deobfuscating-code) -{{#include ../banners/hacktricks-training.md}} +## References + +- [CVE-2025-59489 – Arbitrary Code Execution in Unity Runtime (blog)](https://flatt.tech/research/posts/arbitrary-code-execution-in-unity-runtime/) + +{{#include ../banners/hacktricks-training.md}} \ No newline at end of file