07-27-2024, 05:44 PM
BlueStacks is an Android emulator which runs the guest Android system within a virtual machine.
Because BlueStacks stores virtual machine configuration files in a world-writeable directory and shares them across different OS users, it is possible for an unprivileged user to backdoor an image that would then gain code execution capabilities of a privileged user.
Reproduction
- Set up attacker and victim accounts, preferably making attacker unprivileged and victim the administrator
- Victim: install the vulnerbale version of BlueStacks
- Attacker: modify Nougat32.bstk to give Android access to C drive
- Attacker: run the Android system and install a malicious application on it
- Victim: run BlueStacks, causing the malicious application to drop payload in your startup directory
- Victim: reboot the machine and log into your account again
- Startup payload should be executed with your privileges
