CVE-2019-14326 PoC — ANDYOS Andy Security Vulnerability

Source
Associated Vulnerability
Title: ANDYOS Andy Security Vulnerability (CVE-2019-14326)
Description: An issue was discovered in AndyOS Andy versions up to 46.11.113. By default, it starts telnet and ssh (ports 22 and 23) with root privileges in the emulated Android system. This can be exploited by remote attackers to gain full access to the device, or by malicious apps installed inside the emulator to perform privilege escalation from a normal user to root (unlike with standard methods of getting root privileges on Android - e.g., the SuperSu program - the user is not asked for consent). There is no authentication performed - access to a root shell is given upon a successful connection. NOTE: although this was originally published with a slightly different CVE ID number, the correct ID for this Andy vulnerability has always been CVE-2019-14326.
Description
Privilege escalation in Andy emulator
Readme
**CVEID**: CVE-2019-14326

**Name of the affected product(s) and version(s)**: Andy (all versions up to 46.11.113)

**Problem type**: CWE-284: Improper Access Control

---

**Summary**

Andy is an Android emulator for Windows and Mac.

During our tests, we found open local TCP ports that can be exploited to escalate privileges from user to root.
All versions of Andy (up to and including 46.11.113, and possibly newer versions as well) allow telnet and ssh access
to the root account without password protection.
 
**Description**
 
The Andy emulator opens ports 22 and 23 inside the emulated Android system. These are the ssh and telnet ports, and they
give access to a root shell with no password protection. The issue is not exploitable remotely, because the emulated
Android device is only visible inside a VMware network that is accessible only to the host operating system and the
emulated Android system itself. It can, however, be used by malicious apps installed inside the emulated system to
escalate privileges to root without user interaction.
 
**Reproduction**
 
```
echo "[command_to_execute]" | busybox telnet localhost 23
```
 
**Mitigation**

Kill telnet and ssh daemons.
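
To confirm the mitigation took effect, the socket table inside the emulated system can be checked for listeners on ports 22 and 23. The script below is an added example, not part of the original advisory or its PoC; the function names are hypothetical, the sample table is constructed, and it assumes a POSIX shell and a Linux-style `/proc/net/tcp` in the guest.

```shell
#!/bin/sh
# Added example, not part of the original advisory.
# Reads /proc/net/tcp-format rows on stdin and reports sockets in LISTEN state
# on port 22 (ssh) or 23 (telnet). Prints "<port> uid=<uid> <local_address>"
# per hit and returns 1 if any were found, 0 if the table is clean.
find_root_shell_listeners() {
    found=0
    # Columns: sl local_address rem_address st tx:rx tr:when retrnsmt uid ...
    while read -r _sl laddr _rem st _queues _timer _retr uid _rest; do
        [ "$st" = "0A" ] || continue      # 0A is TCP_LISTEN
        case "${laddr##*:}" in            # port is the hex after the last ':'
            0016) port=22 ;;
            0017) port=23 ;;
            *) continue ;;
        esac
        echo "$port uid=$uid $laddr"
        found=1
    done
    return "$found"
}

# Constructed sample table (not captured from a real device): telnet and ssh
# listening as uid 0, one unrelated listener, one established connection.
constructed_sample() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0 100 0 0 10 0
   2: 0100007F:13AD 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 1003 1 0 100 0 0 10 0
   3: 0100007F:0017 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 1004 1 0 100 0 0 10 0
EOF
}

# Live check inside the emulated system: run this script with --live.
if [ "${1:-}" = "--live" ]; then
    cat /proc/net/tcp /proc/net/tcp6 2>/dev/null | find_root_shell_listeners \
        || echo "root shell ports still listening: mitigation not applied"
fi
```

A clean run prints nothing and returns 0. Because the daemons are started by default, the check is worth repeating after each restart of the emulator.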
File Snapshot

```
[4.0K] /data/pocs/9df2b6a95a89291d326635b7a3ed691483e25c5d
├── [ 128] exploit.sh
└── [1.1K] README.md

0 directories, 2 files
```