Apktool Vulnerability Allows Attackers to Write Files to Desired Locations on User's System
CVE-2024-21633

7.8 HIGH

Key Information:

Status
Vendor
CVE Published: 3 January 2024

Badges

👾 Exploit Exists | 🟡 Public PoC | 🟣 EPSS 80%

What is CVE-2024-21633?

Apktool, a widely used tool for reverse engineering Android APK files, is susceptible to a file manipulation vulnerability in versions 2.9.1 and earlier. The tool infers the output path of each resource file from the resource's name, so an attacker who controls those names can make Apktool write or overwrite files in any directory where the user has write access. The vulnerability is particularly relevant if the user name is known or if the current working directory is within the user's folder. The issue is fixed in the latest commits, specifically commit d348c43b24a9de350ff6e5bd610545a10c1fc712.
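The sketch below is an added example, not Apktool's code and not the fix from the commit above. It shows the general flaw (an archive-supplied name joined to the output directory unchecked) beside a containment check a decoder can apply before writing. The function names, the `res` subdirectory and the sample names are assumptions made for illustration.

```python
import os
from pathlib import Path, PurePosixPath

class UnsafeResourceName(ValueError):
    """Raised when a resource name would resolve outside the output tree."""

def naive_output_path(out_dir, res_name):
    # Flawed pattern: the archive-supplied name is joined to the output directory unchecked.
    return os.path.normpath(os.path.join(out_dir, "res", res_name))

def safe_output_path(out_dir, res_name):
    # Lexical checks first: reject empty, absolute, drive-qualified and ".." names.
    name = res_name.replace("\\", "/")
    parts = PurePosixPath(name).parts
    if (not parts or "\x00" in name or name.startswith("/")
            or ".." in parts or parts[0].endswith(":")):
        raise UnsafeResourceName(res_name)
    # Then a containment check on the resolved path, which also catches
    # symlinks that already exist inside the output tree.
    base = Path(out_dir, "res").resolve()
    target = base.joinpath(*parts).resolve()
    if base not in target.parents:
        raise UnsafeResourceName(res_name)
    return target

def audit(out_dir, names):
    """Return the names that must not be written under out_dir."""
    rejected = []
    for n in names:
        try:
            safe_output_path(out_dir, n)
        except UnsafeResourceName:
            rejected.append(n)
    return rejected

# Constructed sample names, not taken from any real APK.
SAMPLE_NAMES = [
    "raw/config.xml",
    "drawable/icon.png",
    "raw/../../../escaped.txt",
    "/tmp/absolute.txt",
    "C:\\absolute.txt",
]

if __name__ == "__main__":
    print(naive_output_path("/work/out", SAMPLE_NAMES[2]))  # lands outside /work/out
    print(audit("/work/out", SAMPLE_NAMES))
```
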

Affected Version(s)

Apktool <= 2.9.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.

EPSS Score

80% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved
