From 5f07e18938f8a15fb46be5ac3d81ec9fd1be9fa2 Mon Sep 17 00:00:00 2001 From: ZhiH <127014343+JerryTasi@users.noreply.github.com> Date: Fri, 13 Dec 2024 18:15:27 +0800 Subject: [PATCH 1/9] Optimize the document of Quark Script CWE-312 --- CWE-312/README.md | 41 ++++++++++++++++++++--------------------- 1 file changed, 20 insertions(+), 21 deletions(-) diff --git a/CWE-312/README.md b/CWE-312/README.md index 534b7fa..36e00e2 100644 --- a/CWE-312/README.md +++ b/CWE-312/README.md 
@@ -1,37 +1,36 @@ # Detect CWE-312 in Android Application +This scenario seeks to find **cleartext storage of sensitive data** in the APK file. -This scenario seeks to find **cleartext storage of sensitive data** in -the APK file. - -## CWE-312 Cleartext Storage of Sensitive Information +## CWE-312: Cleartext Storage of Sensitive Information We analyze the definition of CWE-312 and identify its characteristics. -See [CWE-312](https://cwe.mitre.org/data/definitions/312.html) for more -details. +See [CWE-312](https://cwe.mitre.org/data/definitions/312.html) for more details. -![image](https://i.imgur.com/cy2EiZx.jpg) +![image](https://imgur.com/mD2uXUy.jpg) ## Code of CWE-312 in ovaa.apk -We use the [ovaa.apk](https://github.com/oversecured/ovaa) sample to -explain the vulnerability code of CWE-312. +We use the [ovaa.apk](https://github.com/oversecured/ovaa) sample to explain the vulnerability code of CWE-312. + +![image](https://imgur.com/MfnYIYy.jpg) + +## CWE-312 Detection Process Using Quark Script API + +Let’s use the above APIs to show how the Quark script finds this vulnerability. -![image](https://i.imgur.com/KsFsxTu.jpg) +We have designed a [Frida](https://frida.re/) script ``agent.js`` to hook a specified method and get the arguments when the method is called. It can be found in [quark-engine/quark/script/frida](https://github.com/quark-engine/quark-engine/tree/master/quark/script/frida). + +To begin with, we hook the method ``putString`` to catch its arguments. Then, we check if sensitive information like email or password is passed. Finally, we use ``checkClearText`` imported from [Ares](https://github.com/bee-san/Ares) to check if the arguments are cleartext. If both **YES**, CWE-312 vulnerability might be caused. -## Quark Script CWE-312.py +![image](https://imgur.com/eNjm3ES.jpg) -Let\'s use the above APIs to show how the Quark script finds this -vulnerability. 
+## Quark Script: CWE-312.py -First, we designed a [Frida](https://frida.re) script `agent.js` to hook -the target method and get the arguments when the target method is -called. Then we hook the method `putString` to catch its arguments. -Finally, we use [Ares](https://github.com/bee-san/Ares) to check if -the arguments are encrypted. +![image](https://imgur.com/rxMPZX8.jpg) -``` python +```python from quark.script.frida import runFridaHook from quark.script.ares import checkClearText @@ -62,7 +61,7 @@ for putString in fridaResult.behaviorOccurList: ## Frida Script: agent.js -``` javascript +```javascript // -*- coding: utf-8 -*- // This file is part of Quark-Engine - https://github.com/quark-engine/quark-engine // See the file 'LICENSE' for copying permission. @@ -125,7 +124,7 @@ rpc.exports["watchMethodCall"] = (classAndMethodName, methodParamTypes) => watch ## Quark Script Result -``` TEXT +```TEXT $ python3 CWE-312.py The CWE-312 vulnerability is found. The cleartext is "test@email.com" The CWE-312 vulnerability is found. The cleartext is "password" From 79adfa8ac1b3ff46084783e0ca7183b651023580 Mon Sep 17 00:00:00 2001 From: ZhiH <127014343+JerryTasi@users.noreply.github.com> Date: Fri, 13 Dec 2024 18:19:09 +0800 Subject: [PATCH 2/9] Optimize the document of Quark Script CWE-798 --- CWE-798/README.md | 44 ++++++++++++++++++++++---------------------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/CWE-798/README.md b/CWE-798/README.md index f16abee..d227fca 100644 --- a/CWE-798/README.md +++ b/CWE-798/README.md 
@@ -1,36 +1,35 @@ # Detect CWE-798 in Android Application -This scenario seeks to find hard-coded credentials in the APK file. +This scenario seeks to find **hard-coded credentials** in the APK file. -## CWE-798 Use of Hard-coded Credentials +## CWE-798: Use of Hard-coded Credentials We analyze the definition of CWE-798 and identify its characteristics. -See [CWE-798](https://cwe.mitre.org/data/definitions/798.html) for more -details. +See [CWE-798](https://cwe.mitre.org/data/definitions/798.html) for more details. -![image](https://i.imgur.com/0G9APpf.jpg) +![image](https://imgur.com/rF8J8hE.png) ## Code of CWE-798 in ovaa.apk -We use the [ovaa.apk](https://github.com/oversecured/ovaa) sample to -explain the vulnerability code of CWE-798. +We use the [ovaa.apk](https://github.com/oversecured/ovaa) sample to explain the vulnerability code of CWE-798. -![image](https://i.imgur.com/ikaJlDW.jpg) +![image](https://imgur.com/Cg7DacP.png) -## Quark Script: CWE-798.py -Let\'s use the above APIs to show how the Quark script finds this -vulnerability. +## CWE-798 Detection Process Using Quark Script API + +![image](https://imgur.com/R8CfDqD.png) + +Let’s use the above APIs to show how the Quark script finds this vulnerability. + +First, we design a detection rule ``findSecretKeySpec.json`` to spot on behavior using the constructor ``SecretKeySpec``. Second, we get all the parameter values from this constructor. Then, we parse the AES key from the parameter values. Finally, we check if the AES key is hardcoded in the APK file. If the answer is **YES**, BINGO!!! We find hard-coded credentials in the APK file. -First, we design a detection rule `findSecretKeySpec.json` to spot on -behavior using the method `SecretKeySpec`. Then, we get all the -parameter values that are input to this method. And we parse the AES key -out of the parameter values. Finally, we check if the AES key is -hardcoded in the APK file. If the answer is YES, BINGO!!! 
We find -hard-coded credentials in the APK file. +## Quark Script: CWE-798.py + +![image](https://imgur.com/IOyrqDc.png) -``` python +```python import re from quark.script import runQuarkAnalysis, Rule @@ -54,7 +53,9 @@ for secretKeySpec in quarkResult.behaviorOccurList: ## Quark Rule: findSecretKeySpec.json -``` json +![image](https://imgur.com/2BYOE70.png) + +```json { "crime": "Detect APK using SecretKeySpec.", "permission": [], @@ -77,8 +78,7 @@ for secretKeySpec in quarkResult.behaviorOccurList: ## Quark Script Result -``` TEXT -$ python3 findSecretKeySpec.py - +```TEXT +$ python3 CWE-798.py Found hard-coded AES key 49u5gh249gh24985ghf429gh4ch8f23f ``` From f0db9606f860ca9b6581fc7d73af8a27c830d5fa Mon Sep 17 00:00:00 2001 From: ZhiH <127014343+JerryTasi@users.noreply.github.com> Date: Tue, 17 Dec 2024 14:55:09 +0800 Subject: [PATCH 3/9] Optimize the document of Quark Script CWE-312 --- CWE-312/agent.js | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 CWE-312/agent.js diff --git a/CWE-312/agent.js b/CWE-312/agent.js deleted file mode 100644 index e69de29..0000000 From 2b63ce869fd8e42ca339d8c3a8d77efa605052f1 Mon Sep 17 00:00:00 2001 From: ZhiH <127014343+JerryTasi@users.noreply.github.com> Date: Tue, 17 Dec 2024 15:17:16 +0800 Subject: [PATCH 4/9] Remove line 60 mv -vn $GITHUB_WORKSPACE/CWE-*/*.js test_ground/ --- .github/workflows/testQuarkScript.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/testQuarkScript.yml b/.github/workflows/testQuarkScript.yml index c97a567..9205879 100644 --- a/.github/workflows/testQuarkScript.yml +++ b/.github/workflows/testQuarkScript.yml @@ -57,7 +57,6 @@ jobs: git clone "https://github.com/quark-engine/apk-samples.git" mv -vn $GITHUB_WORKSPACE/CWE-*/CWE-*.py test_ground/ mv -vn $GITHUB_WORKSPACE/CWE-*/*.json test_ground/ - mv -vn $GITHUB_WORKSPACE/CWE-*/*.js test_ground/ mv -vn ./apk-samples/vulnerable-samples/*.apk test_ground/ 
From 3f210215cd821f42e837c7907f6ff092b54c8f65 Mon Sep 17 00:00:00 2001 From: ZhiH Date: Tue, 17 Dec 2024 15:45:44 +0800 Subject: [PATCH 5/9] Revert "Optimize the document of Quark Script CWE-312" This reverts commit f0db9606f860ca9b6581fc7d73af8a27c830d5fa. --- CWE-312/agent.js | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 CWE-312/agent.js diff --git a/CWE-312/agent.js b/CWE-312/agent.js new file mode 100644 index 0000000..e69de29 From f569fd303703cdb22b99e1c2440eddb26e73cf63 Mon Sep 17 00:00:00 2001 From: ZhiH <127014343+JerryTasi@users.noreply.github.com> Date: Tue, 17 Dec 2024 16:09:40 +0800 Subject: [PATCH 6/9] Update testQuarkScript.yml runs-on: ubuntu-22.04 --- .github/workflows/testQuarkScript.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/testQuarkScript.yml b/.github/workflows/testQuarkScript.yml index 9205879..16be679 100644 --- a/.github/workflows/testQuarkScript.yml +++ b/.github/workflows/testQuarkScript.yml @@ -9,7 +9,7 @@ on: jobs: build: - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 steps: From cbbd644e59fd90c2fe6d945f8de30020552fad17 Mon Sep 17 00:00:00 2001 From: ZhiH <127014343+JerryTasi@users.noreply.github.com> Date: Tue, 17 Dec 2024 16:23:31 +0800 Subject: [PATCH 7/9] Optimize the document of Quark Script CWE-312 Delete CWE-312/agent.js --- CWE-312/agent.js | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 CWE-312/agent.js diff --git a/CWE-312/agent.js b/CWE-312/agent.js deleted file mode 100644 index e69de29..0000000 From 58092c4b43d5ff732526186234406180074701e6 Mon Sep 17 00:00:00 2001 From: ZhiH <127014343+JerryTasi@users.noreply.github.com> Date: Tue, 17 Dec 2024 16:26:48 +0800 Subject: [PATCH 8/9] Update testQuarkScript.yml mv -vn $GITHUB_WORKSPACE/CWE-*/*.js test_ground/ --- .github/workflows/testQuarkScript.yml | 1 + 1 file changed, 1 insertion(+) 
diff --git a/.github/workflows/testQuarkScript.yml b/.github/workflows/testQuarkScript.yml index 16be679..605aaab 100644 --- a/.github/workflows/testQuarkScript.yml +++ b/.github/workflows/testQuarkScript.yml @@ -57,6 +57,7 @@ jobs: git clone "https://github.com/quark-engine/apk-samples.git" mv -vn $GITHUB_WORKSPACE/CWE-*/CWE-*.py test_ground/ mv -vn $GITHUB_WORKSPACE/CWE-*/*.json test_ground/ + mv -vn $GITHUB_WORKSPACE/CWE-*/*.js test_ground/ mv -vn ./apk-samples/vulnerable-samples/*.apk test_ground/ From 326050cda8258747d7bdfa35dd0fed94bcb3dc55 Mon Sep 17 00:00:00 2001 From: ZhiH <127014343+JerryTasi@users.noreply.github.com> Date: Tue, 21 Jan 2025 13:23:20 +0800 Subject: [PATCH 9/9] Update testQuarkScript.yml --- .github/workflows/testQuarkScript.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/testQuarkScript.yml b/.github/workflows/testQuarkScript.yml index 605aaab..fa28546 100644 --- a/.github/workflows/testQuarkScript.yml +++ b/.github/workflows/testQuarkScript.yml @@ -57,7 +57,7 @@ jobs: git clone "https://github.com/quark-engine/apk-samples.git" mv -vn $GITHUB_WORKSPACE/CWE-*/CWE-*.py test_ground/ mv -vn $GITHUB_WORKSPACE/CWE-*/*.json test_ground/ - mv -vn $GITHUB_WORKSPACE/CWE-*/*.js test_ground/ + # mv -vn $GITHUB_WORKSPACE/CWE-*/*.js test_ground/ mv -vn ./apk-samples/vulnerable-samples/*.apk test_ground/ @@ -74,4 +74,3 @@ jobs: echo $line fi done -
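Review bot: in the CWE-312 README hunk (@@ -1,37 +1,36 @@) the new detection paragraph says "we hook the method ``putString``" without naming the class it belongs to, and "we check if sensitive information like email or password is passed" without saying how that decision is made; name the class whose ``putString`` is hooked and state the criterion (a key-name match, a pattern on the value, or whatever the script does), because the paragraph is meant to stand on its own and a reader cannot tell from "If both **YES**" what the two conditions actually test. The same paragraph says ``checkClearText`` is "imported from Ares" while the listing imports it from ``quark.script.ares``; say that the Quark module wraps Ares so nobody goes looking for that function in the Ares project. Also, the paragraph now points to ``quark-engine/quark/script/frida`` for ``agent.js`` while the README keeps its own "## Frida Script: agent.js" listing further down and this series deletes ``CWE-312/agent.js``; keep one of the two (the inline listing or the pointer to the engine copy) so they cannot drift apart.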
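Review bot: in the "## Quark Script Result" hunk of CWE-312/README.md (@@ -125,7 +124,7 @@) the fence info string is changed to ```` ```TEXT ```` in uppercase, while the other fences in the same file are retagged lowercase (```` ```python ````, ```` ```javascript ````); use ```` ```text ```` so highlighters that match the info string case-sensitively treat it the same way. The CWE-798 result hunk (@@ -77,8 +78,7 @@) has the same ```` ```TEXT ```` tag and should be changed together with it.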
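Review bot: in the CWE-798 README hunk (@@ -1,36 +1,35 @@) the last step, "Finally, we check if the AES key is hardcoded in the APK file", does not say what that check is; the rule ``findSecretKeySpec.json`` only spots the ``SecretKeySpec`` constructor, so the hard-coded decision has to come from the script (which imports ``re``), and the prose should state the criterion it applies to the constructor's parameter values. That matters for the reader's interpretation of a clean result: a key that is decoded from a resource, derived at runtime, or fetched from a server still reaches ``SecretKeySpec`` but may not match a literal-string check, so say whether those cases are covered or out of scope. Minor wording: "to spot on behavior using the constructor" should be "to spot the behavior of calling the constructor". The change of the result command from ``findSecretKeySpec.py`` to ``CWE-798.py`` in the result hunk is correct and matches the script heading.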
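Review bot: PATCH 3/9 and PATCH 7/9 each delete ``CWE-312/agent.js``, and the blob id ``e69de29`` shows the file was empty, so no script content is lost; but the README edited in PATCH 1/9 still carries a "## Frida Script: agent.js" section and the workflow copies ``CWE-*/*.js`` into ``test_ground/``, which suggests the empty file existed only to keep that glob non-empty. Either ship the real ``agent.js`` beside ``CWE-312.py`` so the documentation, the repository and the CI job all exercise the same file, or drop the README section in the same commit that drops the file.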
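Review bot: PATCH 4/9 removes ``mv -vn $GITHUB_WORKSPACE/CWE-*/*.js test_ground/`` because, with ``agent.js`` gone, the glob matches nothing and ``mv`` fails the step; deleting the line means any CWE directory that later ships a Frida agent will silently not be copied into ``test_ground/``. Make the step tolerant of an empty match instead, for example with ``shopt -s nullglob`` before the ``mv`` lines or ``find "$GITHUB_WORKSPACE" -path '*/CWE-*/*.js' -exec mv -vn {} test_ground/ \;``, and apply the same treatment to the ``*.json`` glob on the line above, which has the same failure mode.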
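Review bot: PATCH 9/9 leaves the copy step as a commented-out line, ``# mv -vn $GITHUB_WORKSPACE/CWE-*/*.js test_ground/``; a commented-out command in a workflow is dead code that the next person will not know whether to re-enable, so either delete it with a one-line comment saying why ``.js`` files are not needed in ``test_ground/`` or keep it active with a glob that tolerates no matches. Dropping the trailing blank line at end of file in the second hunk (@@ -74,4 +74,3 @@) is fine.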
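Review bot: PATCH 6/9 pins ``runs-on: ubuntu-22.04`` with a commit message that only restates the diff; record the reason for the pin (which step broke on the image ``ubuntu-latest`` resolves to) so it can be revisited, and note that pinned runner images are retired on GitHub's schedule, so this job will start failing when ``ubuntu-22.04`` is removed unless the pin is tracked.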
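Review bot: PATCH 5/9 reverts PATCH 3/9 and PATCH 7/9 redoes it, and PATCH 8/9 re-adds the line PATCH 4/9 removed before PATCH 9/9 comments it out again; squash the series before merge so the history shows the intended end state (``agent.js`` removed, the ``.js`` copy step disabled, the runner pinned) in a few commits rather than three cancelling pairs. The revert commit also lacks an author email (``From: ZhiH``), unlike the rest of the series, which will show up as a separate author in blame.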