CVE-2021-21386
📋 TL;DR
CVE-2021-21386 is a command injection vulnerability in APKLeaks that allows remote attackers to execute arbitrary operating system commands via malicious package names in APK manifests. This affects users running APKLeaks versions prior to v2.0.3 to scan potentially untrusted APK files. Attackers could gain full control of the system running APKLeaks.
💻 Affected Systems
- APKLeaks
📦 What is this software?
Apkleaks by Apkleaks Project
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining root/administrator privileges, data exfiltration, installation of persistent backdoors, and lateral movement to other systems.
Likely Case
Remote code execution on the APKLeaks scanning server, allowing data theft, cryptocurrency mining, or use as a botnet node.
If Mitigated
Limited impact if APKLeaks runs in isolated containers with minimal privileges and only processes trusted APK files.
🎯 Exploit Status
Exploitation requires the attacker to supply a malicious APK file with a crafted package name. A public proof-of-concept exists in the security advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v2.0.6-dev and above
Vendor Advisory: https://github.com/dwisiswant0/apkleaks/security/advisories/GHSA-8434-v7xw-8m9x
Restart Required: No
Instructions:
1. Update APKLeaks to v2.0.6-dev or later using: pip install --upgrade apkleaks
2. Verify the update with: apkleaks --version
3. No restart is required, as APKLeaks is a command-line tool.
🔧 Temporary Workarounds
Input Sanitization Wrapper
Linux: create a wrapper script that validates the argument before passing it to APKLeaks:
#!/bin/bash
# Wrapper around apkleaks: reject any argument that is not made up of
# letters, digits, dots and underscores, so shell metacharacters never
# reach the scanner.
if [[ "$1" =~ ^[a-zA-Z0-9._]+$ ]]; then
apkleaks "$1"
else
echo "Invalid package name" >&2
exit 1
fi
🧯 If You Can't Patch
- Run APKLeaks in isolated Docker containers with minimal privileges and no network access
- Only scan APK files from trusted sources and implement strict input validation on package names
🔍 How to Verify
Check if Vulnerable:
Check the APKLeaks version with: apkleaks --version. If the version is below v2.0.3, you are vulnerable.
Check Version:
apkleaks --version
Verify Fix Applied:
After updating, test with a known malicious APK (if one is available in a safe environment) or verify that the installed version is v2.0.6-dev or higher.
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution patterns from APKLeaks process
- APKLeaks process spawning unexpected child processes
- Failed APK scans with unusual error messages containing shell metacharacters
Network Indicators:
- APKLeaks process making unexpected outbound connections
- Downloads from unusual sources triggered by APKLeaks
SIEM Query:
process.name:"apkleaks" AND (process.args:*&* OR process.args:*;* OR process.args:*`* OR process.args:*$(*)
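The following Python example is added here to illustrate both the workaround above (validating a package name before it is used in any command, and invoking the scanner as an argv list rather than a shell string) and the detection logic behind the SIEM query (flagging apkleaks process events whose arguments carry shell metacharacters). It is not code from APKLeaks; the package-name regex, the ECS-like event shape and the sample events are assumptions constructed for this example.

```python
import json
import re

# Android package names are dot-separated Java identifiers (at least two
# segments). Anything else, shell metacharacters included, is rejected before
# the value can reach a command. Regex is an assumption for this example.
PACKAGE_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(?:\.[A-Za-z][A-Za-z0-9_]*)+$")

# The shell metacharacters the SIEM query above looks for in process arguments.
SHELL_METACHARS = ("&", ";", "`", "$(")


def is_valid_package_name(name: str) -> bool:
    """True only for names safe to pass as a single argv element."""
    return bool(PACKAGE_NAME_RE.match(name))


def apkleaks_argv(apk_path: str) -> list:
    """Build the scanner invocation as an argv list for subprocess.run().
    No shell string is built, so metacharacters in apk_path are never parsed."""
    return ["apkleaks", "-f", apk_path]


def suspicious_apkleaks_events(log_lines):
    """Return events where an apkleaks process carries shell metacharacters
    in its arguments (the same condition as the SIEM query)."""
    hits = []
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of failing the whole scan
        proc = event.get("process", {})
        if proc.get("name") != "apkleaks":
            continue
        args = " ".join(proc.get("args", []))
        if any(meta in args for meta in SHELL_METACHARS):
            hits.append(event)
    return hits


# Constructed sample process events in an ECS-like shape (not real logs).
SAMPLE_EVENTS = [
    '{"process": {"name": "apkleaks", "args": ["apkleaks", "-f", "app.apk"]}}',
    '{"process": {"name": "apkleaks", "args": ["apkleaks", "-f", "com.example.app; id"]}}',
    '{"process": {"name": "sshd", "args": ["sshd", "-D"]}}',
]

if __name__ == "__main__":
    for hit in suspicious_apkleaks_events(SAMPLE_EVENTS):
        print("suspicious:", hit["process"]["args"])
```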
🔗 References
- https://github.com/dwisiswant0/apkleaks/commit/a966e781499ff6fd4eea66876d7532301b13a382
- https://github.com/dwisiswant0/apkleaks/security/advisories/GHSA-8434-v7xw-8m9x