Optimize the CWE-88 document

[JerryTasi]

Detect CWE-88 in Android Application

This scenario seeks to find Argument Injection in the APK file.

CWE-88 Improper Neutralization of Argument Delimiters in a Command

We analyze the definition of CWE-88 and identify its characteristics.

See CWE-88 for more details.

Code of CWE-88 in vuldroid.apk

We use the vuldroid.apk sample to explain the vulnerability code of CWE-88.

Quark Script: CWE-88.py

Let‘s use the above APIs to show how the Quark script finds this vulnerability.

First, we design a detection rule ExternalStringsCommands.json to spot on behavior using external strings as commands.

Next, we use Quark API behaviorInstance.getMethodsInArgs() to get the methods that passed the external command.

Then we check if the method neutralizes any special elements in the argument.

If the neutralization is not complete, then it may cause CWE-88 vulnerability.

from quark.script import runQuarkAnalysis, Rule, findMethodInAPK

    SAMPLE_PATH = "Vuldroid.apk"
    RULE_PATH = "ExternalStringCommand.json"


    STRING_MATCHING_API = set([
        ("Ljava/lang/String;", "contains", "(Ljava/lang/CharSequence)Z"),
        ("Ljava/lang/String;", "indexOf", "(I)I"),
        ("Ljava/lang/String;", "indexOf", "(Ljava/lang/String;)I"),
        ("Ljava/lang/String;", "matches", "(Ljava/lang/String;)Z"),
        ("Ljava/lang/String;", "replaceAll", "(Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;")
    ])

    delimeter = "-"

    ruleInstance = Rule(RULE_PATH)
    quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance)

    for ExternalStringCommand in quarkResult.behaviorOccurList:

        methodCalled = set()
        caller = ExternalStringCommand.methodCaller

        for method in ExternalStringCommand.getMethodsInArgs():
            methodCalled.add(method.fullName)

        if methodCalled.intersection(STRING_MATCHING_API) and not ExternalStringCommand.hasString(delimeter):
            continue
        else:
            print(f"CWE-88 is detected in method, {caller.fullName}")

Quark Rule: ExternalStringCommand.json

{
    "crime": "Using external strings as commands",
    "permission": [],
    "api": [
        {
            "class": "Landroid/content/Intent;",
            "method": "getStringExtra",
            "descriptor": "(Ljava/lang/String;)Ljava/lang/String"
        },
        {
            "class": "Ljava/lang/Runtime;",
            "method": "exec",
            "descriptor": "(Ljava/lang/String;)Ljava/lang/Process"
        }
    ],
    "score": 1,
    "label": []
}

Quark Script Result

$ python3 CWE-88.py
CWE-88 is detected in method, Lcom/vuldroid/application/RootDetection; onCreate (Landroid/os/Bundle;)V

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 79.44%. Comparing base (2343b9c) to head (f1d53ea).
Report is 1 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master     #677   +/-   ##
=======================================
  Coverage   79.44%   79.44%           
=======================================
  Files          70       70           
  Lines        5555     5555           
=======================================
  Hits         4413     4413           
  Misses       1142     1142           

Flag	Coverage Δ
unittests	79.44% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[haeter525]

LGTM. Thank @JerryTasi !