Xtooltech Xtool AnyScan Android Application Insecure Update Mechanism Leading to Remote Code Execution
Vulnerability
A remote code execution vulnerability exists in the Xtooltech Xtool AnyScan Android Application, affecting all versions through 4.40.40. The issue arises from an insecure update mechanism that allows the application to download and extract update packages containing executable code without verifying their integrity or authenticity. This flaw enables an attacker who can manipulate the update metadata to deliver a malicious package that the application will accept, extract, and execute, resulting in arbitrary code execution.
Impact
Exploitation of this vulnerability allows for arbitrary remote code execution on the affected device. The executed code can access all application and device data. Additionally, since the Xtool AnyScan app can communicate with vehicles via an OBD-II diagnostic device, there is a risk of sending malicious commands to the vehicle, potentially interfering with critical systems or functions.
Reproduction
The vulnerability can be reproduced by intercepting the app's update process. The app ships an insecure TrustManager implementation that skips standard TLS certificate validation, so an attacker on the network path can terminate the TLS connection with a certificate of their own choosing and read and modify the update traffic. With the update request intercepted, the attacker returns update metadata pointing at a malicious plugin disguised as a legitimate update; the app downloads and extracts it without any integrity or authenticity check and then executes it, giving the attacker arbitrary code execution inside the app. If the app is connected to a vehicle through an Xtool OBD-II device, that code can send commands to the vehicle, potentially compromising its safety or security.
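The two weaknesses described above (the TLS validation bypass in the Reproduction section and the unverified update package in the Vulnerability section) are illustrated by the following added example. It is not code from the AnyScan app or from Xtooltech; the permissive TrustManager is a hypothetical reconstruction of the pattern the advisory names, the signed-package check is one way an update path can be hardened, and the key pair and package bytes in main are constructed stand-ins for the vendor's signing key and a real plugin.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public final class UpdateVerificationDemo {

    // --- Vulnerable pattern -------------------------------------------------
    // A TrustManager whose check methods do nothing accepts any certificate chain,
    // including one minted by an attacker on the network path. This is a
    // hypothetical reconstruction of the pattern the advisory describes, not
    // AnyScan's code.
    static final X509TrustManager TRUST_ALL = new X509TrustManager() {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    static void installTrustAllGlobally() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { TRUST_ALL }, null);
        // Every HttpsURLConnection in the process now skips chain validation.
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
    }

    // --- Hardened pattern ---------------------------------------------------
    // 1. Do not install a custom TrustManager: the platform default validates the
    //    chain against the device trust store (pinning can be layered on top via
    //    network_security_config.xml on Android 7+).
    // 2. Treat the downloaded package as untrusted bytes until a signature made
    //    with the vendor's private key verifies under a public key shipped in the
    //    APK. Only then extract or load code from it.
    static boolean verifyUpdatePackage(byte[] packageBytes, byte[] detachedSignature,
                                       PublicKey pinnedVendorKey) throws Exception {
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(pinnedVendorKey);
        verifier.update(packageBytes);
        return verifier.verify(detachedSignature);
    }

    static void installUpdate(byte[] packageBytes, byte[] detachedSignature,
                              PublicKey pinnedVendorKey) throws Exception {
        if (!verifyUpdatePackage(packageBytes, detachedSignature, pinnedVendorKey)) {
            throw new SecurityException("update package signature invalid; refusing to extract");
        }
        // extractAndLoadPlugin(packageBytes);  // hypothetical; only reached for an authentic package
    }

    // --- Stand-alone demonstration -----------------------------------------
    // The generated key pair stands in for the vendor's signing key; the
    // "package" is a constructed byte string, not a real AnyScan plugin.
    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair vendor = kpg.generateKeyPair();

        byte[] genuine = "constructed plugin package contents".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(vendor.getPrivate());
        signer.update(genuine);
        byte[] sig = signer.sign();

        System.out.println("genuine package verifies: "
                + verifyUpdatePackage(genuine, sig, vendor.getPublic()));

        // An attacker who can rewrite the update response substitutes the package
        // body; the detached signature no longer matches.
        byte[] tampered = genuine.clone();
        tampered[0] ^= 0x01;
        System.out.println("tampered package verifies: "
                + verifyUpdatePackage(tampered, sig, vendor.getPublic()));

        try {
            installUpdate(tampered, sig, vendor.getPublic());
        } catch (SecurityException e) {
            System.out.println("install refused: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac UpdateVerificationDemo.java && java UpdateVerificationDemo`; the genuine package verifies and the tampered one is refused before any extraction happens. The point of the split is that TLS validation and package authentication are independent controls: even with the TrustManager fixed, an update path that extracts and executes whatever arrives is one compromised CDN or DNS answer away from code execution, whereas a pinned signing key makes the package itself carry its provenance regardless of how it was fetched.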
Remediation
Users are advised to uninstall the Xtool AnyScan app until the vendor addresses the vulnerability. If the app must be used, reinstall it from the official store and download updates only when necessary and only over a trusted network. Note that a trusted network only reduces exposure: because the app performs no integrity or authenticity check on update packages, any party able to influence the update traffic can still deliver a malicious package.
