APKLeaks’ maintainers have corrected a major vulnerability that may be used to execute arbitrary code remotely.
APKLeaks is open-source software developed by Indonesian security engineer Dwi Siswanto for analyzing Android application package (APK) files for URLs, endpoints, and secrets. FirmwareDroid, a backend solution for Android firmware analysis, makes use of the app.
According to a security advisory released on GitHub on January 21, the software’s maintainers claimed the security weakness “allows remote authenticated attackers to execute arbitrary OS commands via [the] package name inside application manifest.”
“An attacker could include arguments that allow unintended commands or code to be executed, allow sensitive data to be read or modified or could cause other unintended behavior through malicious package name,” the alert goes on.
CVE-2021-21386 has been assigned a CVSS severity value of 9.3, up from a previous CVSS score of 7.3. The weakness is defined as an improper neutralization of argument delimiters. The severe security flaw was discovered by developer 'RyotaK' on March 19, 2021, and it involves a failure to guard against attackers supplying parameters that might trigger “unintended” instructions, remotely execute malware, or access or interfere with sensitive data.
The report also warns that attackers may use a malicious package name to carry out additional undesired activity. There was no need for authentication to exploit the vulnerability. However, a fix issued with APKLeaks version 2.0.3 to address the weakness did not entirely repair the problem. According to RyotaK, the 2.0.4 patch fixed the problem in the program’s development branch, while v2.0.6-dev fixed the issue in the program’s master branch.
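To illustrate the weakness class described above, the following added example (not APKLeaks code, and not taken from the advisory) contrasts a command string built from a manifest package name with an allow-list check plus an argument vector. The tool name `decompiler`, the `-d out/...` layout and both sample package names are constructed assumptions.

```python
import re
import shlex

# Constructed sample values; "decompiler" is a hypothetical external tool.
TOOL = "decompiler"
BENIGN = "com.example.app"
HOSTILE = "com.example.app --injected-option"  # constructed manifest value

# Dot-separated segments, each starting with a letter, then letters,
# digits or underscores (Android's package naming rule).
PACKAGE_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]*(?:\.[A-Za-z][A-Za-z0-9_]*)+")


def is_valid_package(name: str) -> bool:
    """Allow-list check: reject anything that is not a plain package name."""
    return PACKAGE_RE.fullmatch(name) is not None


def unsafe_command_line(apk: str, package: str) -> str:
    """Weak pattern: untrusted text interpolated into one command string."""
    return "%s %s -d out/%s" % (TOOL, apk, package)


def arguments_seen(command_line: str) -> list:
    """Tokenise the string the way a POSIX shell would split it."""
    return shlex.split(command_line)


def safe_argv(apk: str, package: str) -> list:
    """Hardened pattern: validate first, then build an argument vector
    meant for subprocess.run(argv) without a shell, one item per argument."""
    if not is_valid_package(package):
        raise ValueError("rejected package name: %r" % package)
    return [TOOL, apk, "-d", "out/" + package]


if __name__ == "__main__":
    # The benign name yields four arguments; the hostile one yields a fifth.
    print(arguments_seen(unsafe_command_line("sample.apk", BENIGN)))
    print(arguments_seen(unsafe_command_line("sample.apk", HOSTILE)))
    print(safe_argv("sample.apk", BENIGN))
    try:
        safe_argv("sample.apk", HOSTILE)
    except ValueError as exc:
        print(exc)
```

The space inside the constructed hostile name is enough to turn one intended argument into two, which is why the package name is validated before it reaches any command line.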
The project’s developers did not respond when contacted with additional queries. A reply is still awaited, and further updates will follow.