Xtooltech Xtool AnyScan Hardcoded Key Vulnerability Allowing Remote Code Execution
Vulnerability
A vulnerability exists in the Xtooltech Xtool AnyScan Android application in versions through 4.40.40, where a hardcoded cryptographic key and initialization vector (IV) are used to decrypt update metadata. This key, embedded as a static value in the application's code, can be extracted through reverse engineering. An attacker who intercepts network traffic can use the key to decrypt, modify, and re-encrypt the update manifest, potentially leading the application to download a malicious update package.
Impact
Exploitation of this vulnerability allows for remote code execution on the affected device, with the executed code running within the context of the AnyScan application. This access can be used to interact with and control a connected vehicle via the OBD-II port, potentially manipulating critical vehicle systems or functions.
Reproduction
The vulnerability can be reproduced by intercepting network traffic from the AnyScan app using a man-in-the-middle attack. Once the traffic is intercepted, the update metadata can be modified to include a link to a malicious update package. After re-encrypting the metadata with the hardcoded key and IV, the modified update is injected back into the application's update stream. When the app downloads and installs the update, the malicious code is executed.
Remediation
Users are advised to uninstall the AnyScan app until the vulnerability is addressed. If the app must be used, it should be reinstalled and updated only when necessary, using a trusted network.
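The root cause above is that the update manifest is only encrypted under a key anyone can pull out of the APK, so the app has no way to tell a vendor-issued manifest from one rewritten in transit. The Go program below, added here as an illustration and not code from Xtool or the AnyScan app, shows the design the advisory implies: a detached signature checked against a public key embedded in the client, plus a pinned HTTPS host for the package URL, so the only secret is the private key on the vendor's server. The Manifest fields, the SignManifest/VerifyManifest names and the host name are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"net/url"
	"strings"
)

// Manifest is a constructed stand-in for the update metadata the app fetches.
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"` // package digest, checked after download
}

// SignedManifest pairs the manifest bytes with a detached Ed25519 signature.
type SignedManifest struct {
	Body, Sig []byte
}

// SignManifest models the vendor's server-side step; the private key never ships in the APK.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	body, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Body: body, Sig: ed25519.Sign(priv, body)}, nil
}

// VerifyManifest accepts a manifest only if the vendor signature over the exact bytes
// verifies under the embedded public key and the package URL is HTTPS on vendorHost.
// Editing the body in transit breaks the signature; the extractable public key cannot forge one.
func VerifyManifest(pub ed25519.PublicKey, sm SignedManifest, vendorHost string) (*Manifest, error) {
	if !ed25519.Verify(pub, sm.Body, sm.Sig) {
		return nil, errors.New("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(sm.Body, &m); err != nil {
		return nil, err
	}
	u, err := url.Parse(m.URL)
	if err != nil || u.Scheme != "https" || !strings.EqualFold(u.Hostname(), vendorHost) {
		return nil, errors.New("update URL must be https on the vendor host")
	}
	return &m, nil
}
```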
