Android Studio Privilege Escalation

Credit: houjingyi
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-264

Video and POC here :

When you open a project in Android Studio, if distributionUrl=https\:// <> is set, Android Studio will download and extract the archive, and a jar file in this zip will be executed by java.exe. There is a plexus-interpolation-1.14.jar in gradle-2.6\lib\plugins, and its source code can be found here : <>. In plexus-interpolation-1.14-sources\org\codehaus\plexus\interpolation\os\ we can find code like:

exec( "cmd.exe /c set" );

"C:\Program Files\Android\Android Studio\bin\studio64.exe" creates "C:\Program Files\Android\Android Studio\jre\bin\java.exe", and java.exe runs with the project directory as its working directory. So if there is a cmd.exe in the project directory, it will be executed. An attacker can send a malicious project to a victim to get remote code execution.

Timeline

Nov 25, 2020 : reported to Google VRP
Nov 25, 2020 : confirm received
Nov 26, 2020 : triaged
Nov 28, 2020 : "this might not be severe enough to qualify for a reward, though the panel will take a look at the next meeting and we'll update you once we've got more information"
Dec 16, 2020 : "We have notified the team about this issue, they will review your report and decide whether they want to make a change or not. Thanks for letting us know. Regarding our Vulnerability Reward Program, the panel decided this issue's security impact does not meet the criteria to qualify for a reward in the program, so we won't be issuing a reward at this time"
Dec 16, 2020 : asked why no bounty for this
Dec 16, 2020 : "Opening untrusted code with IDEs is just inherently insecure. You have to trust the code you open in an IDE. We could add a modal dialog warning after opening any project that you should only open trusted projects, but developers are aware of this already. For example, practically all build systems allow executing code if an attacker controls the config files, and that's something that can't be fixed and everyone knows it. And if you open a project in an IDE, you'll most likely want to build it"

This is ridiculous.
I replied : "If this happened on Xcode or Visual Studio, I would agree with you. But this is Android Studio, and an APK cannot just run on a PC. Also, the malicious code executes when the project is opened and does not require any other action like build or debug. In my PoC every file looks normal and not suspicious except the cmd.exe, whose attribute the attacker can also set to hidden. From a developer's point of view, no one would believe that opening a project in Android Studio causes malicious code to execute on the PC"

Google replied : "Android vs desktop IDE doesn't make much difference I think. I wouldn't run a malicious APK in the Android Studio emulator, since it is not a security boundary. Also, I wouldn't assume that the build system works very differently for building an APK than building an EXE file. And all projects are built upon opening, it is a prerequisite for making essential features of the IDE work"

I knew I could not persuade Google to give me a bounty, so I asked for public disclosure, and Google agreed. Now I want to explain why I think this is a serious problem, and also why the reason Google refused to give me a bounty is ridiculous again.

*1. Except cmd.exe, everything else is just a normal file.*
*2. cmd.exe is executed after opening the project, without any other action like build or debug.*
*3. Even if you open and build a project like the source code of some Android malware, the APK cannot run on a PC, so it cannot affect your PC. This is very different from Xcode or Visual Studio.*

Last time I reported an LPE in another Google desktop product and they said : "As a part of our Vulnerability Reward Program, we decided that it does not meet the bar for a financial reward, but we would like to acknowledge your contribution to Google security in our Hall of Fame". I did not complain. Now the same thing has just happened again, even though I found RCE.
So F*** ridiculous to hear something like this: yes, it is a valid vulnerability, but we just do not want to pay, even though reward amounts for your vulnerability are listed in. F*** you google.
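As an added example (not code from plexus-interpolation, Gradle or Android Studio), the Java below puts the pattern this advisory describes, a bare "cmd.exe" handed to exec that Windows resolves through the process's working directory before the system directories, beside a hardened version: the system cmd.exe is resolved to an absolute path from the ComSpec and SystemRoot environment variables, anything outside the Windows directory is refused, and the launcher declines to run at all when the working directory already carries a file named cmd.exe. The class name and the resolveSystemCmd and hasShadowingExecutable helpers are assumptions of this example, not names from any real library.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example: untrusted-search-path hardening for a Windows shell invocation.
// None of this is from plexus-interpolation; names are assumptions of the example.
public class SafeCmdResolver {

    // Vulnerable shape as described in the advisory. With no directory component,
    // Windows resolves "cmd.exe" through its search order, and that order starts
    // with the process's current directory, so a cmd.exe dropped into the project
    // directory is the one that gets launched.
    static String[] unsafeCommand() {
        return new String[] { "cmd.exe", "/c", "set" };
    }

    // Hardened form: build an absolute path to the system shell from %ComSpec%,
    // falling back to %SystemRoot%\System32\cmd.exe, and refuse any candidate
    // that does not live under the Windows directory or is not a regular file.
    static Path resolveSystemCmd() {
        String systemRoot = System.getenv("SystemRoot");
        if (systemRoot == null) {
            throw new IllegalStateException("SystemRoot is not set; not running on Windows?");
        }
        Path winDir = Paths.get(systemRoot).toAbsolutePath().normalize();
        String comSpec = System.getenv("ComSpec");
        Path candidate = (comSpec != null)
                ? Paths.get(comSpec).toAbsolutePath().normalize()
                : winDir.resolve("System32").resolve("cmd.exe");
        if (!candidate.startsWith(winDir) || !Files.isRegularFile(candidate)) {
            throw new IllegalStateException("Refusing cmd.exe outside " + winDir + ": " + candidate);
        }
        return candidate;
    }

    // Same command as unsafeCommand(), but with the executable fully qualified
    // so the working directory plays no part in what is launched.
    static String[] safeCommand() {
        return new String[] { resolveSystemCmd().toString(), "/c", "set" };
    }

    // Defender-side check: a file named cmd.exe inside a project or working
    // directory has no legitimate reason to be there and is worth flagging
    // before any tool is run from that directory.
    static boolean hasShadowingExecutable(Path dir) {
        return Files.exists(dir.resolve("cmd.exe"));
    }

    public static void main(String[] args) throws IOException {
        Path cwd = Paths.get("").toAbsolutePath();
        if (hasShadowingExecutable(cwd)) {
            System.err.println("Warning: " + cwd + " contains a cmd.exe; refusing to run.");
            return;
        }
        ProcessBuilder pb = new ProcessBuilder(safeCommand());
        pb.directory(cwd.toFile()); // working directory stays the project dir
        pb.inheritIO();
        try {
            int rc = pb.start().waitFor();
            System.out.println("exit code " + rc);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
        }
    }
}
```

The original code uses the one-string form Runtime.exec("cmd.exe /c set"); the example uses ProcessBuilder with an argument array, but the fix is the same in either form: never let the executable name be a bare file name that Windows has to search for. The hasShadowingExecutable check is a cheap guard an IDE or build plugin could run against a freshly opened project directory, independently of whether the exec call itself has been fixed.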
