
Add quark script for CWE-78 #519

Merged
sidra-asa merged 4 commits into ev-flow:master from LiangPPP:master on Jun 17, 2023

Conversation

LiangPPP (Contributor) commented Jun 5, 2023

CWE-78
Detect CWE-78 in Android Application (Vuldroid.apk)

This scenario seeks to find Improper Neutralization of Special Elements used in an OS Command. See CWE-78 for more details.

Let’s use this APK and the above APIs to show how the Quark script finds this vulnerability.

First, we design a detection rule ExternalStringCommand.json to spot the behavior of using external strings as commands.

Next, we use Quark API behaviorInstance.getMethodsInArgs() to get the methods that passed the external command.

Then we check if the method neutralizes any special elements found in the argument.

If the neutralization is not complete, then it may cause a CWE-78 vulnerability.

Quark Script CWE-78.py

The Quark Script below uses Vuldroid.apk to demonstrate.

from quark.script import runQuarkAnalysis, Rule

SAMPLE_PATH = "Vuldroid.apk"
RULE_PATH = "ExternalStringCommand.json"


# String APIs whose use on the external command is taken as a sign that the
# command is being filtered. Entries are (class, method, descriptor) tuples.
STRING_MATCHING_API = set([
    ("Ljava/lang/String;", "contains", "(Ljava/lang/CharSequence;)Z"),
    ("Ljava/lang/String;", "indexOf", "(I)I"),
    ("Ljava/lang/String;", "indexOf", "(Ljava/lang/String;)I"),
    ("Ljava/lang/String;", "matches", "(Ljava/lang/String;)Z"),
    ("Ljava/lang/String;", "replaceAll", "(Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;")
])

# Shell special elements that a neutralizing filter is expected to look for
specialElementsPattern = r"[ ;|,>`]+"

ruleInstance = Rule(RULE_PATH)
quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance)

for ExternalStringCommand in quarkResult.behaviorOccurList:

    methodCalled = set()
    caller = ExternalStringCommand.methodCaller

    # Collect the methods the external string passes through as
    # (class, method, descriptor) tuples so they compare against STRING_MATCHING_API
    for method in ExternalStringCommand.getMethodsInArgs():
        methodCalled.add((method.className, method.methodName, method.descriptor))

    # The command counts as neutralized only when a string-matching API is applied
    # to it and the code also references the special-element pattern
    # (isRegex=True because the pattern is a regular expression, not a literal)
    if methodCalled.intersection(STRING_MATCHING_API) and ExternalStringCommand.hasString(specialElementsPattern, isRegex=True):
        continue
    else:
        print(f"CWE-78 is detected in method, {caller.fullName}")

Quark Rule: ExternalStringCommand.json

{
    "crime": "Using external strings as commands",
    "permission": [],
    "api": [
        {
            "class": "Landroid/content/Intent;",
            "method": "getStringExtra",
            "descriptor": "(Ljava/lang/String;)Ljava/lang/String;"
        },
        {
            "class": "Ljava/lang/Runtime;",
            "method": "exec",
            "descriptor": "(Ljava/lang/String;)Ljava/lang/Process;"
        }
    ],
    "score": 1,
    "label": []
}

Quark Script Result

  • Vuldroid.apk
$ python3 CWE-78.py
CWE-78 is detected in method, Lcom/vuldroid/application/RootDetection; onCreate (Landroid/os/Bundle;)V

codecov-commenter commented Jun 5, 2023

Codecov Report

Patch and project coverage have no change.

Comparison is base (b3a249b) 79.19% compared to head (78eae58) 79.19%.


Additional details and impacted files
@@           Coverage Diff           @@
##           master     #519   +/-   ##
=======================================
  Coverage   79.19%   79.19%           
=======================================
  Files          63       63           
  Lines        4960     4960           
=======================================
  Hits         3928     3928           
  Misses       1032     1032           
Flag        Coverage Δ
unittests   79.19% <ø> (ø)


@zinwang zinwang requested review from pulorsok and zinwang June 12, 2023 08:40
@sidra-asa sidra-asa self-requested a review June 16, 2023 16:24
@sidra-asa sidra-asa added bug Something isn't working and removed bug Something isn't working labels Jun 16, 2023
sidra-asa (Collaborator) commented
@LiangPPP

Thank you for this PR.
In my humble opinion, the description of the Quark Script function is not clear.
Could it be better with the following?

Next, we use Quark API behaviorInstance.getMethodsInArgs() to get the methods which passed the external command. 
Then we check if the method neutralize the argument with string matching filter. 
If the neutralization is not complete, then it may cause CWE-78 vulnerability.

Also, could it be better to rewrite the code as the following?

for ExternalStringCommand in quarkResult.behaviorOccurList:

    methodCalled = set()
    caller = ExternalStringCommand.methodCaller

    # compare (class, method, descriptor) tuples, matching the entries of STRING_MATCHING_API
    for method in ExternalStringCommand.getMethodsInArgs():
        methodCalled.add((method.className, method.methodName, method.descriptor))

    # skip only when the command is both filtered and checked for special elements
    if methodCalled.intersection(STRING_MATCHING_API) and ExternalStringCommand.hasString(specialElementsPattern, isRegex=True):
        continue
    else:
        print(f"CWE-78 is detected in method, {caller.fullName}")
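The heuristic discussed in the PR description and in the review comment above, as an added example that is not code from the PR or from Quark: `Method` and `Behavior` are stand-ins for the Quark objects, carrying only the attribute names the script reads (`className`, `methodName`, `descriptor`, `fullName`, `getMethodsInArgs`, `hasString`), and `is_neutralized`, `find_cwe78`, `special_elements_in`, the `Lapp/A` to `Lapp/D` callers and their strings are constructed for illustration. The condition follows the reviewer's version: a command counts as neutralized only when a string-matching API is applied to it and the special-element pattern is present. The last sample shows a coverage caveat of the page's character class, which does not include `&`, so a filter that only inspects that character is still reported.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, List


@dataclass(frozen=True)
class Method:
    """Stand-in for the Quark Method object (hypothetical, constructed here)."""
    className: str
    methodName: str
    descriptor: str

    @property
    def fullName(self) -> str:
        # Same "class method descriptor" layout as the Quark output shown in the PR
        return f"{self.className} {self.methodName} {self.descriptor}"


@dataclass
class Behavior:
    """Stand-in for one entry of quarkResult.behaviorOccurList (constructed)."""
    methodCaller: Method
    methodsInArgs: List[Method] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)

    def getMethodsInArgs(self) -> List[Method]:
        return self.methodsInArgs

    def hasString(self, pattern: str, isRegex: bool = False) -> List[str]:
        # Literal substring search by default, regular expression when isRegex is set
        if isRegex:
            return [s for s in self.strings if re.search(pattern, s)]
        return [s for s in self.strings if pattern in s]


# Same API set and special-element pattern as the PR script
STRING_MATCHING_API = {
    ("Ljava/lang/String;", "contains", "(Ljava/lang/CharSequence;)Z"),
    ("Ljava/lang/String;", "indexOf", "(I)I"),
    ("Ljava/lang/String;", "indexOf", "(Ljava/lang/String;)I"),
    ("Ljava/lang/String;", "matches", "(Ljava/lang/String;)Z"),
    ("Ljava/lang/String;", "replaceAll",
     "(Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;"),
}
specialElementsPattern = r"[ ;|,>`]+"


def is_neutralized(behavior: Behavior) -> bool:
    """Reviewer's condition: neutralized only when a string-matching API is
    applied to the command AND the code references the special-element pattern."""
    called = {(m.className, m.methodName, m.descriptor) for m in behavior.getMethodsInArgs()}
    filtered = bool(called & STRING_MATCHING_API)
    checks_special = bool(behavior.hasString(specialElementsPattern, isRegex=True))
    return filtered and checks_special


def find_cwe78(behaviors: Iterable[Behavior]) -> List[str]:
    """fullName of every caller whose external command is not neutralized."""
    return [b.methodCaller.fullName for b in behaviors if not is_neutralized(b)]


def special_elements_in(command: str) -> List[str]:
    """Runs of special elements that the pattern recognizes in a command string."""
    return re.findall(specialElementsPattern, command)


# Constructed behaviors (not extracted from Vuldroid.apk); the first caller
# name is the one reported in the PR's sample output.
CONTAINS = Method("Ljava/lang/String;", "contains", "(Ljava/lang/CharSequence;)Z")
EQUALS = Method("Ljava/lang/String;", "equals", "(Ljava/lang/Object;)Z")

SAMPLES = {
    # command reaches Runtime.exec with no filtering at all
    "unfiltered": Behavior(
        Method("Lcom/vuldroid/application/RootDetection;", "onCreate", "(Landroid/os/Bundle;)V")),
    # contains() is applied and the code looks for ";" -> treated as neutralized
    "filter_on_semicolon": Behavior(Method("Lapp/A;", "run", "()V"), [CONTAINS], [";"]),
    # contains() is applied only to a harmless word -> incomplete neutralization
    "filter_on_word": Behavior(Method("Lapp/B;", "run", "()V"), [CONTAINS], ["ls"]),
    # equals() is not in STRING_MATCHING_API -> not recognized as filtering
    "equals_only": Behavior(Method("Lapp/C;", "run", "()V"), [EQUALS], [";"]),
    # "&" is not in the pattern's character class, so this filter is still reported
    "filter_on_ampersand": Behavior(Method("Lapp/D;", "run", "()V"), [CONTAINS], ["&&"]),
}

if __name__ == "__main__":
    for name in find_cwe78(SAMPLES.values()):
        print(f"CWE-78 is detected in method, {name}")
```

Running the block prints one line per flagged caller, in the same format as the PR's output. The `hasString` stand-in also shows why `isRegex=True` matters: with the default literal search the regular expression is looked up as a plain substring and never matches, so every behavior would be reported.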

LiangPPP added 3 commits June 17, 2023 17:24
Revise description to make it clearer.
Modify the program logic to make it more readable.
Correct the grammatical errors in the description.
Make the description easier to understand.

sidra-asa (Collaborator) left a comment


LGTM
