-pie and -fpic binary detection seems outdated or broken #1029

colintheshots · 2019-08-01T16:27:04Z

ENVIRONMENT

OS and Version: Ubuntu 18.04 / Android APK
Python Version: 3.6.8
MobSF Version: v1.1 Beta docker image

EXPLANATION OF THE ISSUE

MobSF reports certain *.so files are a risk because they were not compiled with -pie when they were compiled with -fpic. The effect is the same. Running `hardening-check libnss3.so` under Ubuntu shows the file is protected.

STEPS TO REPRODUCE THE ISSUE

1. Load the MobSF Docker image.
2. Use the Firefox Preview 1.1.0 x86 APK from https://github.com/mozilla-mobile/fenix/releases/tag/v1.1.0
3. The report claims the libnss3.so and libplugin-container.so were compiled without -pie, even though they were compile

LOG FILE

[INFO] 30/Jul/2019 16:12:58 - Manifest Analysis Started
[INFO] 30/Jul/2019 16:12:58 - Static Android Binary Analysis Started
[INFO] 30/Jul/2019 16:12:58 - Static Android Resource Analysis Started
[INFO] 30/Jul/2019 16:12:58 - Reading Code Signing Certificate
[INFO] 30/Jul/2019 16:12:58 - Running APKiD 2.0.3
[INFO] 30/Jul/2019 16:13:05 - Updating Tracker Database....
[INFO] 30/Jul/2019 16:13:05 - Detecting Trackers
[INFO] 30/Jul/2019 16:13:08 - DEX -> JAR
[INFO] 30/Jul/2019 16:13:08 - Using JAR converter - dex2jar
[INFO] 30/Jul/2019 16:13:08 - Converting classes6.dex to JAR
[INFO] 30/Jul/2019 16:13:20 - Converting classes5.dex to JAR
[INFO] 30/Jul/2019 16:13:21 - Converting classes.dex to JAR
[INFO] 30/Jul/2019 16:13:22 - Converting classes3.dex to JAR
[INFO] 30/Jul/2019 16:13:32 - Converting classes4.dex to JAR
[INFO] 30/Jul/2019 16:13:32 - Converting classes7.dex to JAR
[INFO] 30/Jul/2019 16:13:34 - Converting classes2.dex to JAR
[INFO] 30/Jul/2019 16:13:36 - DEX -> SMALI
[INFO] 30/Jul/2019 16:13:36 - Converting classes6.dex to Smali Code
[INFO] 30/Jul/2019 16:13:41 - Converting classes5.dex to Smali Code
[INFO] 30/Jul/2019 16:13:42 - Converting classes.dex to Smali Code
[INFO] 30/Jul/2019 16:13:43 - Converting classes3.dex to Smali Code
[INFO] 30/Jul/2019 16:13:47 - Converting classes4.dex to Smali Code
[INFO] 30/Jul/2019 16:13:47 - Converting classes7.dex to Smali Code
[INFO] 30/Jul/2019 16:13:48 - Converting classes2.dex to Smali Code
[INFO] 30/Jul/2019 16:13:50 - JAR -> JAVA
[INFO] 30/Jul/2019 16:13:50 - Decompiling classes5.jar to Java Code
[INFO] 30/Jul/2019 16:13:58 - Decompiling classes3.jar to Java Code
[INFO] 30/Jul/2019 16:14:58 - Decompiling classes1.jar to Java Code
[INFO] 30/Jul/2019 16:15:01 - Decompiling classes6.jar to Java Code
[INFO] 30/Jul/2019 16:15:09 - Decompiling classes0.jar to Java Code
[INFO] 30/Jul/2019 16:16:22 - Decompiling classes4.jar to Java Code
[INFO] 30/Jul/2019 16:16:22 - Decompiling classes2.jar to Java Code
[INFO] 30/Jul/2019 16:16:26 - Static Android Code Analysis Started
[INFO] 30/Jul/2019 16:16:26 - Code Analysis Started on - java_source
[INFO] 30/Jul/2019 16:17:05 - Finished Code Analysis, Email and URL Extraction
[INFO] 30/Jul/2019 16:17:05 - Extracting Strings from APK
[INFO] 30/Jul/2019 16:17:06 - Detecting Firebase URL(s)
[INFO] 30/Jul/2019 16:17:06 - Performing Malware Check on extracted Domains
[INFO] 30/Jul/2019 16:17:07 - Malware Database is up-to-date.
[INFO] 30/Jul/2019 16:17:07 - Generating Java and Smali Downloads
[INFO] 30/Jul/2019 16:17:07 - Generating Downloads
[INFO] 30/Jul/2019 16:17:07 - Zipping
[INFO] 30/Jul/2019 16:17:08 - Zipping
[INFO] 30/Jul/2019 16:17:10 - Connecting to Database
[INFO] 30/Jul/2019 16:17:10 - Saving to Database
[INFO] 30/Jul/2019 16:30:49 - Fetching data from DB for PDF Report Generation (Android)
[INFO] 30/Jul/2019 16:30:49 - Analysis is already Done. Fetching data from the DB...
[INFO] 30/Jul/2019 16:32:00 - MIME Type: application/vnd.android.package-archive FILE: firefox_preview-1.1.0.arm.apk
[INFO] 30/Jul/2019 16:32:00 - Performing Static Analysis of Android APK
[INFO] 30/Jul/2019 16:32:00 - Starting Analysis on : firefox_preview-1.1.0.arm.apk
[INFO] 30/Jul/2019 16:32:00 - Generating Hashes
[INFO] 30/Jul/2019 16:32:00 - Unzipping
[INFO] 30/Jul/2019 16:32:01 - Getting Hardcoded Certificates/Keystores
[INFO] 30/Jul/2019 16:32:01 - APK Extracted
[INFO] 30/Jul/2019 16:32:01 - Converting AXML to XML
[INFO] 30/Jul/2019 16:32:04 - Reading Android Manifest
[INFO] 30/Jul/2019 16:32:04 - Parsing AndroidManifest.xml
[INFO] 30/Jul/2019 16:32:05 - Fetching icon path
[INFO] 30/Jul/2019 16:32:06 - Extracting Manifest Data
[INFO] 30/Jul/2019 16:32:06 - Fetching Details from Play Store: org.mozilla.fenix
[INFO] 30/Jul/2019 16:32:07 - Manifest Analysis Started
[INFO] 30/Jul/2019 16:32:07 - Static Android Binary Analysis Started
[INFO] 30/Jul/2019 16:32:07 - Static Android Resource Analysis Started
[INFO] 30/Jul/2019 16:32:07 - Reading Code Signing Certificate
[INFO] 30/Jul/2019 16:32:07 - Running APKiD 2.0.3
[INFO] 30/Jul/2019 16:32:11 - Tracker Database is up-to-date.
[INFO] 30/Jul/2019 16:32:11 - Detecting Trackers
[INFO] 30/Jul/2019 16:32:12 - DEX -> JAR
[INFO] 30/Jul/2019 16:32:12 - Using JAR converter - dex2jar
[INFO] 30/Jul/2019 16:32:12 - Converting classes.dex to JAR
[INFO] 30/Jul/2019 16:32:23 - DEX -> SMALI
[INFO] 30/Jul/2019 16:32:23 - Converting classes.dex to Smali Code
[INFO] 30/Jul/2019 16:32:27 - JAR -> JAVA
[INFO] 30/Jul/2019 16:32:27 - Decompiling classes0.jar to Java Code
[INFO] 30/Jul/2019 16:33:40 - Static Android Code Analysis Started
[INFO] 30/Jul/2019 16:33:40 - Code Analysis Started on - java_source
[INFO] 30/Jul/2019 16:33:55 - Finished Code Analysis, Email and URL Extraction
[INFO] 30/Jul/2019 16:33:55 - Extracting Strings from APK
[INFO] 30/Jul/2019 16:33:56 - Detecting Firebase URL(s)
[INFO] 30/Jul/2019 16:33:56 - Performing Malware Check on extracted Domains
[INFO] 30/Jul/2019 16:33:57 - Malware Database is up-to-date.
[INFO] 30/Jul/2019 16:33:57 - Generating Java and Smali Downloads
[INFO] 30/Jul/2019 16:33:57 - Generating Downloads
[INFO] 30/Jul/2019 16:33:57 - Zipping
[INFO] 30/Jul/2019 16:33:57 - Zipping
[INFO] 30/Jul/2019 16:33:58 - Connecting to Database
[INFO] 30/Jul/2019 16:33:58 - Saving to Database
[INFO] 30/Jul/2019 16:34:05 - MIME Type: application/vnd.android.package-archive FILE: firefox_preview-1.1.0.x86.apk
[INFO] 30/Jul/2019 16:34:05 - Performing Static Analysis of Android APK
[INFO] 30/Jul/2019 16:34:05 - Starting Analysis on : firefox_preview-1.1.0.x86.apk
[INFO] 30/Jul/2019 16:34:05 - Generating Hashes
[INFO] 30/Jul/2019 16:34:05 - Unzipping
[INFO] 30/Jul/2019 16:34:06 - Getting Hardcoded Certificates/Keystores
[INFO] 30/Jul/2019 16:34:06 - APK Extracted
[INFO] 30/Jul/2019 16:34:06 - Converting AXML to XML
[INFO] 30/Jul/2019 16:34:10 - Reading Android Manifest
[INFO] 30/Jul/2019 16:34:10 - Parsing AndroidManifest.xml
[INFO] 30/Jul/2019 16:34:11 - Fetching icon path
[INFO] 30/Jul/2019 16:34:12 - Extracting Manifest Data
[INFO] 30/Jul/2019 16:34:12 - Fetching Details from Play Store: org.mozilla.fenix
[INFO] 30/Jul/2019 16:34:12 - Manifest Analysis Started
[INFO] 30/Jul/2019 16:34:12 - Static Android Binary Analysis Started
[INFO] 30/Jul/2019 16:34:12 - Static Android Resource Analysis Started
[INFO] 30/Jul/2019 16:34:12 - Reading Code Signing Certificate
[INFO] 30/Jul/2019 16:34:13 - Running APKiD 2.0.3
[INFO] 30/Jul/2019 16:34:18 - Tracker Database is up-to-date.
[INFO] 30/Jul/2019 16:34:18 - Detecting Trackers
[INFO] 30/Jul/2019 16:34:19 - DEX -> JAR
[INFO] 30/Jul/2019 16:34:19 - Using JAR converter - dex2jar
[INFO] 30/Jul/2019 16:34:19 - Converting classes.dex to JAR
[INFO] 30/Jul/2019 16:34:30 - DEX -> SMALI
[INFO] 30/Jul/2019 16:34:30 - Converting classes.dex to Smali Code
[INFO] 30/Jul/2019 16:34:34 - JAR -> JAVA
[INFO] 30/Jul/2019 16:34:34 - Decompiling classes0.jar to Java Code
[INFO] 30/Jul/2019 16:35:48 - Static Android Code Analysis Started
[INFO] 30/Jul/2019 16:35:48 - Code Analysis Started on - java_source
[INFO] 30/Jul/2019 16:36:02 - Finished Code Analysis, Email and URL Extraction
[INFO] 30/Jul/2019 16:36:02 - Extracting Strings from APK
[INFO] 30/Jul/2019 16:36:03 - Detecting Firebase URL(s)
[INFO] 30/Jul/2019 16:36:05 - Performing Malware Check on extracted Domains
[INFO] 30/Jul/2019 16:36:05 - Malware Database is up-to-date.
[INFO] 30/Jul/2019 16:36:05 - Generating Java and Smali Downloads
[INFO] 30/Jul/2019 16:36:05 - Generating Downloads
[INFO] 30/Jul/2019 16:36:05 - Zipping
[INFO] 30/Jul/2019 16:36:06 - Zipping
[INFO] 30/Jul/2019 16:36:06 - Connecting to Database
[INFO] 30/Jul/2019 16:36:06 - Saving to Database
[INFO] 30/Jul/2019 16:38:14 - Fetching data from DB for PDF Report Generation (Android)
[INFO] 30/Jul/2019 16:38:14 - Analysis is already Done. Fetching data from the DB...

The text was updated successfully, but these errors were encountered:

ajinabraham · 2019-08-08T19:58:14Z

tracked separately

superpoussin22 added the PR welcome Pull requests from yourself or the community are welcome label Aug 1, 2019

ajinabraham added the enhancement MobSF enhancements and feature requests label Aug 8, 2019

ajinabraham closed this as completed Aug 8, 2019

ajinabraham mentioned this issue Aug 8, 2019

All Enhancements are tracked here (Not top priority) #264

Open

94 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

-pie and -fpic binary detection seems outdated or broken #1029

-pie and -fpic binary detection seems outdated or broken #1029

colintheshots commented Aug 1, 2019

ajinabraham commented Aug 8, 2019

-pie and -fpic binary detection seems outdated or broken #1029

-pie and -fpic binary detection seems outdated or broken #1029

Comments

colintheshots commented Aug 1, 2019

ENVIRONMENT

EXPLANATION OF THE ISSUE

STEPS TO REPRODUCE THE ISSUE

LOG FILE

ajinabraham commented Aug 8, 2019