07-27-2024, 05:44 PM
BlueStacks is an Android emulator which runs the guest Android system within a virtual machine.
Because BlueStacks stores its virtual machine configuration files in a world-writable directory and shares them across OS users, an unprivileged user can backdoor a VM image that a privileged user later boots, and thereby gain code execution with that privileged user's rights.
Reproduction
- Set up attacker and victim accounts, preferably making attacker unprivileged and victim the administrator
- Victim: install the vulnerable version of BlueStacks
- Attacker: modify Nougat32.bstk to give Android access to C drive
- Attacker: run the Android system and install a malicious application on it
- Victim: run BlueStacks, causing the malicious application to drop a payload into your Startup directory
- Victim: reboot the machine and log into your account again
- The Startup payload is executed with your (the victim's) privileges
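The root cause is a filesystem permission problem, so the first thing a defender wants is a way to check whether the VM configuration files on a given machine are writable by ordinary users. The script below is an added example and not part of the original post or of BlueStacks; the engine directory path it defaults to is an assumption, and the `.bstk` filter simply matches the file the post names (Nougat32.bstk). It walks the directory and every `.bstk` file under it and reports any Allow ACE that grants a write-capable right to a broad principal such as Everyone, BUILTIN\Users or Authenticated Users.

```powershell
# Added example (not from the original post): audit whether a BlueStacks engine
# directory and its .bstk VM configuration files are writable by unprivileged users.
# The default path is an assumption; pass the real location with -EnginePath.
param(
    [string]$EnginePath = 'C:\ProgramData\BlueStacks_nxt\Engine'
)

# Principals that effectively mean "any user on the box". A write grant to any of
# these lets an unprivileged account tamper with the VM configuration.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow changing a file's content or replacing the file outright.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [System.Security.AccessControl.FileSystemRights]::Delete

function Get-BroadWriteGrants {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteMask) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if (-not (Test-Path -LiteralPath $EnginePath)) {
    Write-Warning "Engine directory not found: $EnginePath"
    return
}

# Check the directory itself (write there allows replacing files) and every
# VM configuration file beneath it.
$targets = @(Get-Item -LiteralPath $EnginePath) +
           @(Get-ChildItem -LiteralPath $EnginePath -Recurse -Filter '*.bstk' -File)

$findings = foreach ($t in $targets) { Get-BroadWriteGrants -Path $t.FullName }

if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Host "Unprivileged users can modify the VM configuration listed above." -ForegroundColor Red
} else {
    Write-Host "No broad write grants found under $EnginePath."
}
```

Run it from an elevated prompt so that `Get-Acl` can read every entry. A non-empty table confirms the precondition the post relies on: any local account can edit the `.bstk` that the administrator's BlueStacks instance will boot. Note that the directory entry matters as much as the file entry, since write access to the directory allows deleting and re-creating the file even when the file's own ACL is tight.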