
# Lab – Config Editor (Mobile RCE) – Full Write‑Up

## **Introduction**

This challenge, **Lab – Config Editor**, focuses on exploiting a real-world vulnerability caused by insecure use of a popular third‑party library inside an Android application. Our goal is to analyze the application, discover how it processes YAML files, and ultimately achieve **Remote Code Execution (RCE)** by abusing a deserialization flaw in the SnakeYAML library.

The lab simulates a realistic scenario where developers rely on a vulnerable library version without implementing proper validation or restrictions. This walkthrough covers everything from manifest review to crafting a malicious YAML payload that leads to OS‑level command execution.

***

## **1. Application Overview**

Upon launching the app, we see a simple interface:

* **Load** button
* **Save** button
* A large **contentArea** for YAML data

To understand how these components work internally, we proceed with static analysis using **jadx-gui**.


***

## **2. AndroidManifest.xml Analysis**

The manifest gives us the first clues about the app’s behavior.

#### **Permissions**

The app declares several powerful permissions:

* `INTERNET` – network communication
* `READ_EXTERNAL_STORAGE` – read files from external storage
* `WRITE_EXTERNAL_STORAGE` – write/modify files on external storage
* `MANAGE_EXTERNAL_STORAGE` – (Android 11+) near‑full filesystem access
* A custom signature‑protected permission:

  ```
  com.mobilehackinglab.configeditor.DYNAMIC_RECEIVER_NOT_EXPORTED_PERMISSION
  ```

This last permission is only available to apps signed with the same certificate.

#### **MainActivity Exporting**

MainActivity has:

* `android:exported="true"` – accessible from other apps or system components
* Intent filters allowing:
  * MAIN + LAUNCHER (normal app launch)
  * VIEW from external sources
  * BROWSABLE (opening from web links)
  * `file://`, `http://`, `https://` schemes
  * MIME type `application/yaml`

**Conclusion:**\
The app is intentionally designed to open YAML files from browsers, files apps, and external intents. This widens the attack surface.


***

## **3. MainActivity Analysis (jadx)**

The first thing that stands out is heavy use of:

* `org.yaml.snakeyaml.Yaml`
* `org.yaml.snakeyaml.DumperOptions`

SnakeYAML is responsible for parsing and generating YAML content.

A quick check online reveals a critical issue:

> **CVE‑2022‑1471 – SnakeYAML Unsafe Deserialization → Arbitrary Code Execution**

Older versions of SnakeYAML resolve a global tag such as `!!fully.qualified.ClassName` to that Java class and call its constructor while loading the file, so an attacker who controls the YAML can execute code inside the application process.

Since the app loads **user‑controlled YAML files**, this is highly dangerous.


***

## **4. Understanding loadYaml()**

Inside `loadYaml()`:

1. The selected file’s URI is opened
2. SnakeYAML **deserializes** the file:

   ```java
   yaml.load(inputStream)
   ```
3. The parsed object is **re‑serialized** and displayed in the UI

**Key Point:**\
Any object constructed during deserialization is instantiated **before** the UI displays anything. This is where RCE becomes possible.

***

## **5. Understanding saveYaml()**

The `saveYaml()` method:

* Fetches text from the contentArea
* Writes it directly to the file selected by the user
* No validation or filtering of the content

Meaning:\
The app happily reads **and writes** any payload we choose.

***

## **6. Discovery of LegacyCommandUtil**

While exploring the codebase, a special class stands out:

```java
public LegacyCommandUtil(String cmd) {
    Runtime.getRuntime().exec(cmd);
}
```

This is a **huge security red flag.**

SnakeYAML can instantiate Java classes automatically.\
If we reference this class in YAML, SnakeYAML will:

1. Create a `LegacyCommandUtil` object
2. Pass the YAML argument to its constructor
3. Execute OS commands via `Runtime.exec()`

This is exactly what CVE‑2022‑1471 allows.


***

## **7. Crafting the Malicious YAML Payload**

To exploit the vulnerability, we create a YAML file (`exploit.yml`) that instantiates the vulnerable class with our chosen command.

Example payload:

```yaml
exploit:
  - !!com.mobilehackinglab.configeditor.LegacyCommandUtil ["mkdir /data/data/com.mobilehackinglab.configeditor/exploit"]
  - !!com.mobilehackinglab.configeditor.LegacyCommandUtil ["touch /data/data/com.mobilehackinglab.configeditor/exploit/rce.txt"]
```

Explanation:

* `!!ClassName` tells SnakeYAML which Java class to construct
* The string inside the array becomes the constructor argument
* Constructor → `Runtime.exec()` → command executes

***

## **8. Exploitation Steps**

1. Create `exploit.yml`
2. Load it in the Config Editor app
3. The app immediately deserializes the file
4. SnakeYAML builds `LegacyCommandUtil` objects
5. Commands run silently in the background

After loading the malicious YAML:

* `/data/data/com.mobilehackinglab.configeditor/exploit` is created
* `rce.txt` appears inside the folder

RCE achieved.


***

## **9. Impact**

**Severity: Critical**

With this exploit, an attacker can:

* Execute arbitrary commands on the device
* Read/write internal application data
* Abuse storage permissions
* Achieve partial device compromise

This could lead to credential theft, data exfiltration, or persistence.

***

## **10. Mitigation Recommendations**

#### **Developer Fixes**

* Update SnakeYAML to a secure version
* Use `SafeConstructor` or explicit type whitelisting
* Disable arbitrary type instantiation
* Validate YAML before deserialization
* Remove `LegacyCommandUtil` entirely
* Never mix YAML deserialization with OS command execution
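The following is an added illustration, not code from the lab or from the SnakeYAML project, of the `loadYaml()` weakness from section 4 beside the `SafeConstructor` fix recommended above. It assumes SnakeYAML 1.33 or 2.x on the classpath; `com.example.DangerousClass` is a placeholder tag name and does not need to exist.

```java
import java.util.Map;

import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class YamlLoaderHardening {

    // Constructed input: the same shape of global tag the lab payload uses,
    // pointing at a placeholder class name rather than a real one.
    static final String TAGGED_YAML =
            "exploit:\n"
          + "  - !!com.example.DangerousClass [\"some command\"]\n";

    static final String PLAIN_YAML = "theme: dark\nretries: 3\n";

    // BEFORE: in the versions affected by CVE-2022-1471, new Yaml() uses
    // org.yaml.snakeyaml.constructor.Constructor, which resolves global tags
    // to classes and invokes their constructors during load(). This is the
    // pattern in the app's loadYaml(); never use it on untrusted input.
    static Object loadUnsafe(String yamlText) {
        return new Yaml().load(yamlText);
    }

    // AFTER: SafeConstructor only builds standard YAML types (maps, lists,
    // scalars). A global tag is rejected with a ConstructorException (a
    // YAMLException) before any application class is touched.
    static Object loadSafe(String yamlText) {
        Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
        return yaml.load(yamlText);
    }

    public static void main(String[] args) {
        // A benign config loads the same way through the safe loader.
        Map<?, ?> cfg = (Map<?, ?>) loadSafe(PLAIN_YAML);
        System.out.println("safe load of plain config: " + cfg);

        // The tagged document is refused; this is the behaviour the fix needs.
        try {
            loadSafe(TAGGED_YAML);
            System.out.println("UNEXPECTED: tagged document was accepted");
        } catch (YAMLException e) {
            System.out.println("safe loader rejected global tag: " + e.getMessage());
        }
        // loadUnsafe(TAGGED_YAML) is intentionally never called here.
    }
}
```

When the document must map to a typed object, `yaml.loadAs(text, ConfigBean.class)` with a fixed bean class is the other option that avoids attacker-chosen types.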

#### **Platform/Policy Fixes**

* Avoid `MANAGE_EXTERNAL_STORAGE` unless absolutely required
* Restrict exported activities
* Use file extension and MIME verification

***

## **Conclusion**

The **Config Editor Lab** is a clear example of how an overlooked third‑party library vulnerability can escalate into full RCE in an Android app. By combining manifest review, static analysis, and exploitation of insecure YAML deserialization, we demonstrated how a simple file import feature can become a critical entry point. The recommended remediations above prevent this class of exploitation in future builds.

