Optimize the document of Quark Script CWE-22, 23, and 78 #56
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Refer to #64 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Detect CWE-22 in Android Application
This scenario seeks to find the improper limitation of a pathname to a restricted directory ('Path Traversal').
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
We analyze the definition of CWE-22 and identify its characteristics.
See CWE-22 for more details.
Code of CWE-22 in ovaa.apk
We use the ovaa.apk sample to explain the vulnerability code of CWE-22.
CWE-22 Detection Process Using Quark Script API
Let's use the above APIs to show how the Quark script finds this vulnerability.
First, we design a detection rule
accessFileInExternalDir.jsonto spot behavior accessing a file in an external directory.Next, we use API
methodInstance.getArguments()to get the argument for the file path and usequarkResultInstance.isHardcoded(argument)to check if the argument is hardcoded into the APK. If No, the argument is from external input.Finally, we use Quark API
quarkResultInstance.findMethodInCaller(callerMethod, targetMethod)to check if there are any APIs in the caller method for string matching. If NO, the APK does not neutralize special elements within the argument, which may cause CWE-22 vulnerability.Quark Script: CWE-22.py
Quark Rule: accessFileInExternalDir.json
{ "crime": "Access a file in an external directory", "permission": [], "api": [ { "class": "Landroid/os/Environment;", "method": "getExternalStorageDirectory", "descriptor": "()Ljava/io/File;" }, { "class": "Ljava/io/File;", "method": "<init>", "descriptor": "(Ljava/io/File;Ljava/lang/String;)V" } ], "score": 1, "label": [] }Quark Script Result
Detect CWE-23 in Android Application
This scenario aims to demonstrate the detection of the Relative Path Traversal vulnerability.
CWE-23: Relative Path Traversal
We analyze the definition of CWE-23 and identify its characteristics.
See CWE-23 for more details.
Code of CWE-23 in ovaa.apk
We use the ovaa.apk sample to explain the vulnerability code of CWE-23.
CWE-23 Detection Process Using Quark Script API
Let’s use the above APIs to show how the Quark script finds this vulnerability.
To begin with, we create a detection rule named
accessFileInExternalDir.jsonto identify behavior that accesses a file in an external directory.Next, we use
methodInstance.getArguments()to retrieve the file path argument and check whether it belongs to the APK. If it does not belong to the APK, the argument is likely from external input.Then, we use the Quark Script API
quarkResultInstance.findMethodInCaller(callerMethod, targetMethod)to search for any APIs in the caller method that are used to match strings. If no API is found, that implies the APK does not neutralize special elements within the argument, possibly resulting in CWE-23 vulnerability.Quark Script: CWE-23.py
Quark Rule: accessFileInExternalDir.json
{ "crime": "Access a file in an external directory", "permission": [], "api": [ { "class": "Landroid/os/Environment;", "method": "getExternalStorageDirectory", "descriptor": "()Ljava/io/File;" }, { "class": "Ljava/io/File;", "method": "<init>", "descriptor": "(Ljava/io/File;Ljava/lang/String;)V" } ], "score": 1, "label": [] }Quark Script Result
Detect CWE-78 in Android Application
This scenario seeks to find Improper Neutralization of Special Elements used in an OS Command in the APK file.
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
We analyze the definition of CWE-78 and identify its characteristics.
See CWE-78 for more details.
Code of CWE-78 in Vuldroid.apk
We use the Vuldroid.apk sample to explain the vulnerability code of CWE-78.
CWE-78 Detection Process Using Quark Script API
Let’s use the above APIs to show how the Quark script finds this vulnerability.
First, we design a detection rule
ExternalStringsCommands.jsonto spot on behavior using external strings as commands.Next, we use Quark API
behaviorInstance.getMethodsInArgs()to get the methods that passed the external command.Then we check if the method neutralizes any special elements in the argument.
If the neutralization is not complete, then it may cause CWE-78 vulnerability.
Quark Script: CWE-78.py
Quark Rule: ExternalStringCommand.json
{ "crime": "Using external strings as commands", "permission": [], "api": [ { "class": "Landroid/content/Intent;", "method": "getStringExtra", "descriptor": "(Ljava/lang/String;)Ljava/lang/String" }, { "class": "Ljava/lang/Runtime;", "method": "exec", "descriptor": "(Ljava/lang/String;)Ljava/lang/Process" } ], "score": 1, "label": [] }Quark Script Result