[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-80879":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":15,"subscribersCount":15,"size":15,"stars1d":16,"stars7d":17,"stars30d":18,"stars90d":15,"forks30d":15,"starsTrendScore":19,"compositeScore":20,"rankGlobal":10,"rankLanguage":10,"license":10,"archived":21,"fork":21,"defaultBranch":22,"hasWiki":21,"hasPages":21,"topics":23,"createdAt":10,"pushedAt":10,"updatedAt":28,"readmeContent":29,"aiSummary":30,"trendingCount":15,"starSnapshotCount":15,"syncStatus":31,"lastSyncTime":32,"discoverSource":33},80879,"poc-CVE-2026-0073","adityatelange\u002Fpoc-CVE-2026-0073","adityatelange","CVE-2026-0073 - ADB Wireless Mutual Authentication Bypass PoC","https:\u002F\u002Fbarghest.asia\u002Fblog\u002Fcve-2026-0073-adb-tls-auth-bypass\u002F",null,"Python",41,11,34,0,3,6,7,9,49.94,false,"main",[24,25,26,27],"android","cve-2026-0073","may-2026","rce","2026-06-12 04:01:30","# CVE-2026-0073 PoC (Wireless ADB TLS Auth Bypass)\n\nThis directory contains a Python proof of concept for CVE-2026-0073.\n\n> The script is generated using AI-assisted code generation techniques.\n\n## Summary\n\nCVE-2026-0073 is a logic issue in ADB daemon certificate verification (`adbd_tls_verify_cert` in `auth.cpp`).\nThe vulnerable check treats any non-zero return from `EVP_PKEY_cmp(...)` as a successful match.\n\nExpected comparison result handling should be:\n\n- `1` = keys match\n- `0` = keys do not match\n- negative values = error \u002F unsupported comparison\n\nIn vulnerable builds, negative values are treated as truthy and can incorrectly mark a certificate as authorized.\n\n## What `poc-cve-2026-0073.py` does\n\nThe script:\n\n1. Creates a non-RSA client certificate (`ec` or `ed25519`).\n2. Connects to the target ADB TCP service.\n3. Performs CNXN -> STLS -> TLS handshake flow.\n4. Authenticates via the vulnerable certificate comparison path.\n5. Opens a command service (`shell:` with `exec:` fallback).\n6. Prints command output.\n\n## Requirements\n\n- Python 3.10+ (recommended)\n- `cryptography` package\n- Wireless ADB enabled on target\n- Network reachability to target ADB port\n- Testing authorization for the target device\n\nInstall dependency:\n\n```bash\npip install cryptography\n```\n\n## Usage\n\nDiscover target ADB service (if needed):\n\n```bash\nadb mdns services\n```\n\nRun the PoC:\n\n```bash\npython3 poc-cve-2026-0073.py \u003Ctarget_ip> [port] [command] [key_type] [--verbose]\n```\n\nArguments:\n\n- `target_ip`: Target Android device IP address\n- `port`: ADB port (default: `5555`)\n- `command`: Command to execute (default: `id`)\n- `key_type`: `ec` or `ed25519` (default: `ec`)\n- `--verbose`: Enable protocol debug logs\n\nExamples:\n\n```bash\npython3 poc-cve-2026-0073.py 192.168.1.100 5555 id\npython3 poc-cve-2026-0073.py 192.168.1.100 5555 whoami ec --verbose\npython3 poc-cve-2026-0073.py 192.168.1.100 5555 getprop ed25519\n```\n\n## Typical successful output\n\n```text\n[*] Opening service: 'shell:id'\n[*] After OPEN, received: OKAY  arg0=2  data=b''\n[+] Stream open (local_id=1, remote_id=2)\n\n[+] Command output:\n----------------------------------------\nuid=2000(shell) gid=2000(shell) ...\n----------------------------------------\n\n[+] Exploitation successful.\n```\n\n## Troubleshooting\n\n- `Connection refused`\n  - Wireless ADB may be disabled.\n  - Wrong target IP\u002Fport.\n\n- `certificate_unknown`\n  - Device likely patched for this issue.\n  - Or target has no eligible trusted key state for this auth path.\n\n- Timeout waiting for responses\n  - Confirm network path and target ADB socket availability.\n  - Retry with `--verbose` for packet-level traces.\n\n## Notes on patch level checks\n\nBase OS security patch level and Mainline module patching can differ.\nA device can show an older monthly SPL while receiving newer ADB module fixes.\n\nUseful checks:\n\n```bash\nadb shell getprop ro.build.version.security_patch\nadb shell pm list packages --apex-only | grep adbd\nadb shell dumpsys package com.google.android.adbd | grep -E \"versionCode|versionName|lastUpdateTime\"\n```\n\n## Responsible use\n\nUse this PoC only in authorized environments (owned lab devices, explicit permission, or sanctioned testing).\nDo not run this against systems you do not own or do not have written authorization to test.\n\n## References\n\n- Android Security Bulletin (May 2026)\n- NVD entry for CVE-2026-0073\n- AOSP ADB sources (`daemon\u002Fauth.cpp`)\n","该项目提供了一个针对CVE-2026-0073漏洞的Python概念验证脚本，该漏洞存在于ADB无线认证过程中，允许绕过TLS证书验证。其核心功能包括生成非RSA类型的客户端证书、连接目标设备上的ADB服务并利用漏洞进行认证，最终执行远程命令。技术特点上，它依赖于Python 3.10及以上版本和`cryptography`库，并要求目标设备开启了无线ADB功能。适用于安全研究人员在受控环境下测试特定Android设备的安全性，以评估是否易受此逻辑错误的影响。",2,"2026-06-11 04:02:39","CREATED_QUERY"]