Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

CVE-2025-59489: Arbitrary Code Execution in Unity Runtime - 1751

RyotaK - Posted 5 Months Ago
  • To support debugging of applications written in Unity, the Android library adds a handler for intents containing unity data to UnityPlayerActivity. Android does manage feature flags, but it does not prevent the execution of intents.
  • The unity field contained a lot of extra flags. While reverse engineering the library, they found that xrsdk-pre-init-library could be used as an argument to dlopen to load arbitrary libraries. This opens the door to RCE in the application!
  • A malicious Android application can trigger the intent with a library it created itself. By doing this, the malicious application's code would run with the same permissions as the Unity application.
  • Exploitation from the browser is somewhat nebulous, though. Because dlopen needs a local file path, the user has to be tricked into downloading a file. By good design on Android, SELinux prevents dlopen from being used on files in the downloads directory. Nice protection!
  • This isn't foolproof, though. dlopen doesn't require a file to have the .so extension. Since /data is allowed, if an application writes arbitrary data to storage on the device, that data can be used as a malicious library. Good find!
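A defender-side illustration of the last two points, added here and not taken from the original write-up or from Unity: a small audit routine that strips the library-loading flag from a logged unity value and shows why a check on the .so extension would miss it. It assumes the value is a command-line-style string in which the flag is followed by its path (or uses flag=path); the sample value, the other flag name and the package path are constructed placeholders.

```python
import shlex

LOADER_FLAG = "xrsdk-pre-init-library"  # flag named in the write-up above

# Constructed sample value for the extra; flag names other than LOADER_FLAG
# and the package path are placeholders.
SAMPLE = ("-example-flag 1 -xrsdk-pre-init-library "
          "/data/data/com.example.game/cache/img_0001.png")


def split_args(extra_value):
    """Tokenize the extra like a command line (assumed format)."""
    try:
        return shlex.split(extra_value)
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        return extra_value.split()


def audit_unity_extra(extra_value):
    """Return (clean_args, findings); the loader flag and its value are dropped.

    The path is reported but never used to decide: dlopen does not need a
    .so extension, so any occurrence of the flag is treated as a finding.
    """
    tokens, clean, findings, i = split_args(extra_value), [], [], 0
    while i < len(tokens):
        name, sep, inline = tokens[i].partition("=")
        if name.lstrip("-").lower() == LOADER_FLAG:
            path = inline
            if not sep and i + 1 < len(tokens):  # "flag value" form
                i += 1
                path = tokens[i]
            findings.append({"path": path,
                             "has_so_extension": path.endswith(".so"),
                             "under_data": path.startswith("/data/")})
        else:
            clean.append(tokens[i])
        i += 1
    return clean, findings


def naive_so_filter(extra_value):
    """Weak check, for contrast: only reacts to tokens ending in .so."""
    return any(t.endswith(".so") for t in split_args(extra_value))


if __name__ == "__main__":
    print(audit_unity_extra(SAMPLE))
    print("naive filter fires:", naive_so_filter(SAMPLE))
```

On the sample, the extension-based filter stays silent while the audit reports the path under /data and returns the remaining arguments without the flag.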