diff --git a/CWE-22/CWE-22.py b/CWE-22/CWE-22.py index 6041c84..b1a271b 100644 --- a/CWE-22/CWE-22.py +++ b/CWE-22/CWE-22.py @@ -16,6 +16,7 @@ quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance) for accessExternalDir in quarkResult.behaviorOccurList: + filePath = accessExternalDir.secondAPI.getArguments()[2] if quarkResult.isHardcoded(filePath): @@ -23,10 +24,9 @@ caller = accessExternalDir.methodCaller strMatchingAPIs = [ - api - for api in STRING_MATCHING_API - if quarkResult.findMethodInCaller(caller, api) + api for api in STRING_MATCHING_API if quarkResult.findMethodInCaller( + caller, api) ] if not strMatchingAPIs: - print(f"CWE-22 is detected in method, {caller.fullName}") \ No newline at end of file + print(f"CWE-22 is detected in method, {caller.fullName}") diff --git a/CWE-22/README.md b/CWE-22/README.md index 2ad37b5..c25ca38 100644 --- a/CWE-22/README.md +++ b/CWE-22/README.md @@ -1,44 +1,38 @@ # Detect CWE-22 in Android Application -This scenario seeks to find **the improper limitation of a pathname to a -restricted directory ('Path Traversal')**. +This scenario seeks to find **the improper limitation of a pathname to a restricted directory ('Path Traversal')**. -## CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\'Path Traversal\') +## CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') We analyze the definition of CWE-22 and identify its characteristics. -See [CWE-22](https://cwe.mitre.org/data/definitions/22.html) for more -details. +See [CWE-22](https://cwe.mitre.org/data/definitions/22.html) for more details. -![image](https://imgur.com/agRPwp8.png) +![image](https://imgur.com/XnOUZsV.png) ## Code of CWE-22 in ovaa.apk -We use the [ovaa.apk](https://github.com/oversecured/ovaa) sample to -explain the vulnerability code of CWE-22. +We use the [ovaa.apk](https://github.com/oversecured/ovaa) sample to explain the vulnerability code of CWE-22. -![image](https://imgur.com/WFpfzFk.png) +![image](https://imgur.com/bgWgeT7.png) -## Quark Script: CWE-22.py +## CWE-22 Detection Process Using Quark Script API + +![image](https://imgur.com/D852ZLV.png) + +Let's use the above APIs to show how the Quark script finds this vulnerability. -Let's use the above APIs to show how the Quark script finds this -vulnerability. +First, we design a detection rule `accessFileInExternalDir.json` to spot behavior accessing a file in an external directory. -First, we design a detection rule `accessFileInExternalDir.json` to spot -behavior accessing a file in an external directory. +Next, we use API `methodInstance.getArguments()` to get the argument for the file path and use `quarkResultInstance.isHardcoded(argument)` to check if the argument is hardcoded into the APK. If **No**, the argument is from external input. -Next, we use API `methodInstance.getArguments()` to get the argument for -the file path and use `quarkResultInstance.isHardcoded(argument)` to -check if the argument is hardcoded into the APK. If No, the argument is -from external input. +Finally, we use Quark API `quarkResultInstance.findMethodInCaller(callerMethod, targetMethod)` to check if there are any APIs in the caller method for string matching. If **NO**, the APK does not neutralize special elements within the argument, which may cause CWE-22 vulnerability. + +## Quark Script: CWE-22.py -Finally, we use Quark API -`quarkResultInstance.findMethodInCaller(callerMethod, targetMethod)` to -check if there are any APIs in the caller method for string matching. If -NO, the APK does not neutralize special elements within the argument, -which may cause CWE-22 vulnerability. +![image](https://imgur.com/4b2e4tN.png) -``` python +```python from quark.script import runQuarkAnalysis, Rule SAMPLE_PATH = "ovaa.apk" @@ -57,6 +51,7 @@ ruleInstance = Rule(RULE_PATH) quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance) for accessExternalDir in quarkResult.behaviorOccurList: + filePath = accessExternalDir.secondAPI.getArguments()[2] if quarkResult.isHardcoded(filePath): @@ -64,18 +59,18 @@ for accessExternalDir in quarkResult.behaviorOccurList: caller = accessExternalDir.methodCaller strMatchingAPIs = [ - api - for api in STRING_MATCHING_API - if quarkResult.findMethodInCaller(caller, api) + api for api in STRING_MATCHING_API if quarkResult.findMethodInCaller( + caller, api) ] if not strMatchingAPIs: print(f"CWE-22 is detected in method, {caller.fullName}") ``` - ## Quark Rule: accessFileInExternalDir.json -``` json +![image](https://imgur.com/N2uKsZj.png) + +```json { "crime": "Access a file in an external directory", "permission": [], @@ -98,7 +93,7 @@ for accessExternalDir in quarkResult.behaviorOccurList: ## Quark Script Result -``` TEXT +``` $ python3 CWE-22.py CWE-22 is detected in method, Loversecured/ovaa/providers/TheftOverwriteProvider; openFile (Landroid/net/Uri; Ljava/lang/String;)Landroid/os/ParcelFileDescriptor; -``` +``` \ No newline at end of file diff --git a/CWE-22/accessFileInExternalDir.json b/CWE-22/accessFileInExternalDir.json index 5466aa3..d537258 100644 --- a/CWE-22/accessFileInExternalDir.json +++ b/CWE-22/accessFileInExternalDir.json @@ -16,4 +16,3 @@ "score": 1, "label": [] } - diff --git a/CWE-23/CWE-23.py b/CWE-23/CWE-23.py index 1a6870a..05701e9 100644 --- a/CWE-23/CWE-23.py +++ b/CWE-23/CWE-23.py @@ -35,5 +35,3 @@ if not strMatchingAPIs: print(f"CWE-23 is detected in method, {caller.fullName}") - elif strMatchingAPIs.find("..") == -1: - print(f"CWE-23 is detected in method, {caller.fullName}") \ No newline at end of file diff --git a/CWE-23/README.md b/CWE-23/README.md index 4570fc8..cd57d50 100644 --- a/CWE-23/README.md +++ b/CWE-23/README.md @@ -1,47 +1,38 @@ # Detect CWE-23 in Android Application -This scenario aims to demonstrate the detection of the **Relative Path -Traversal** vulnerability. +This scenario aims to demonstrate the detection of the **Relative Path Traversal** vulnerability. ## CWE-23: Relative Path Traversal We analyze the definition of CWE-23 and identify its characteristics. -See [CWE-23](https://cwe.mitre.org/data/definitions/23.html) for more -details. +See [CWE-23](https://cwe.mitre.org/data/definitions/23.html) for more details. -![image](https://imgur.com/YS9umQp.png) +![image](https://imgur.com/k4UPsKO.png) ## Code of CWE-23 in ovaa.apk -We use the [ovaa.apk](https://github.com/oversecured/ovaa) sample to -explain the vulnerability code of CWE-23. +We use the [ovaa.apk](https://github.com/oversecured/ovaa) sample to explain the vulnerability code of CWE-23. -![image](https://imgur.com/GosANyj.png) +![image](https://imgur.com/KT277GG.png) -## Quark Script: CWE-23.py +## CWE-23 Detection Process Using Quark Script API + +![image](https://imgur.com/D852ZLV.png) + +Let’s use the above APIs to show how the Quark script finds this vulnerability. -Let's use the above APIs to show how the Quark script finds this -vulnerability. +To begin with, we create a detection rule named ``accessFileInExternalDir.json`` to identify behavior that accesses a file in an external directory. -To begin with, we will create a detection rule named -`accessFileInExternalDir.json` to identify behavior that accesses a file -in an external directory. +Next, we use ``methodInstance.getArguments()`` to retrieve the file path argument and check whether it belongs to the APK. If it does not belong to the APK, the argument is likely from external input. -Next, we will use `methodInstance.getArguments()` to retrieve the file -path argument and check whether it belongs to the APK or not. If it does -not belong to the APK, the argument is likely from external input. +Then, we use the Quark Script API ``quarkResultInstance.findMethodInCaller(callerMethod, targetMethod)`` to search for any APIs in the caller method that are used to match strings. If no API is found, that implies the APK does not neutralize special elements within the argument, possibly resulting in CWE-23 vulnerability. + +## Quark Script: CWE-23.py -Finally, we will use the Quark API -`quarkResultInstance.findMethodInCaller(callerMethod, targetMethod)` to -search for any APIs in the caller method that match the string. If no -matching API is found, the APK does not neutralize special elements -within the argument, which may result in the CWE-23 vulnerability. If a -matching API is found, we will verify whether it neutralizes the -Relative Path string or not. If it does not neutralize it, the APK may -still be vulnerable to CWE-23. +![image](https://imgur.com/lk1C4CX.jpg) -``` python +```python from quark.script import runQuarkAnalysis, Rule SAMPLE_PATH = "ovaa.apk" @@ -79,27 +70,27 @@ for accessExternalDir in quarkResult.behaviorOccurList: if not strMatchingAPIs: print(f"CWE-23 is detected in method, {caller.fullName}") - elif strMatchingAPIs.find("..") == -1: - print(f"CWE-23 is detected in method, {caller.fullName}") ``` ## Quark Rule: accessFileInExternalDir.json -``` json +![image](https://imgur.com/N2uKsZj.png) + +```json { "crime": "Access a file in an external directory", "permission": [], "api": [ - { - "class": "Landroid/os/Environment;", - "method": "getExternalStorageDirectory", - "descriptor": "()Ljava/io/File;" - }, - { - "class": "Ljava/io/File;", - "method": "", - "descriptor": "(Ljava/io/File;Ljava/lang/String;)V" - } + { + "class": "Landroid/os/Environment;", + "method": "getExternalStorageDirectory", + "descriptor": "()Ljava/io/File;" + }, + { + "class": "Ljava/io/File;", + "method": "", + "descriptor": "(Ljava/io/File;Ljava/lang/String;)V" + } ], "score": 1, "label": [] @@ -108,7 +99,7 @@ for accessExternalDir in quarkResult.behaviorOccurList: ## Quark Script Result -``` TEXT +``` $ python3 CWE-23.py CWE-23 is detected in method, Loversecured/ovaa/providers/TheftOverwriteProvider; openFile (Landroid/net/Uri; Ljava/lang/String;)Landroid/os/ParcelFileDescriptor; -``` +``` \ No newline at end of file diff --git a/CWE-23/accessFileInExternalDir.json b/CWE-23/accessFileInExternalDir.json index 1596d41..d537258 100644 --- a/CWE-23/accessFileInExternalDir.json +++ b/CWE-23/accessFileInExternalDir.json @@ -5,7 +5,7 @@ { "class": "Landroid/os/Environment;", "method": "getExternalStorageDirectory", - "descriptor": "()Ljava/io/File" + "descriptor": "()Ljava/io/File;" }, { "class": "Ljava/io/File;", diff --git a/CWE-78/CWE-78.py b/CWE-78/CWE-78.py index c09362c..14480d1 100644 --- a/CWE-78/CWE-78.py +++ b/CWE-78/CWE-78.py @@ -9,7 +9,11 @@ ("Ljava/lang/String;", "indexOf", "(I)I"), ("Ljava/lang/String;", "indexOf", "(Ljava/lang/String;)I"), ("Ljava/lang/String;", "matches", "(Ljava/lang/String;)Z"), - ("Ljava/lang/String;", "replaceAll", "(Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;") + ( + "Ljava/lang/String;", + "replaceAll", + "(Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;", + ), ]) specialElementsPattern = r"[ ;|,>`]+" @@ -28,4 +32,4 @@ if methodCalled.intersection(STRING_MATCHING_API) and not ExternalStringCommand.hasString(specialElementsPattern): continue else: - print(f"CWE-78 is detected in method, {caller.fullName}") \ No newline at end of file + print(f"CWE-78 is detected in method, {caller.fullName}") diff --git a/CWE-78/README.md b/CWE-78/README.md index 93fb5e9..7fcc837 100644 --- a/CWE-78/README.md +++ b/CWE-78/README.md @@ -1,42 +1,40 @@ # Detect CWE-78 in Android Application -This scenario seeks to find **Improper Neutralization of Special -Elements used in an OS Command** in the APK file. +This scenario seeks to find **Improper Neutralization of Special Elements used in an OS Command** in the APK file. -## CWE-78 Improper Neutralization of Special Elements used in an OS Command (\'OS Command Injection\') +## CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') We analyze the definition of CWE-78 and identify its characteristics. -See [CWE-78](https://cwe.mitre.org/data/definitions/78.html) for more -details. +See [CWE-78](https://cwe.mitre.org/data/definitions/78.html) for more details. -![image](https://imgur.com/aUB195P.png) +![image](https://imgur.com/HpMGGsO.png) ## Code of CWE-78 in Vuldroid.apk -We use the [Vuldroid.apk](https://github.com/jaiswalakshansh/Vuldroid) -sample to explain the vulnerability code of CWE-78. +We use the [Vuldroid.apk](https://github.com/jaiswalakshansh/Vuldroid) sample to explain the vulnerability code of CWE-78. -![image](https://imgur.com/hO6m3Bz.png) +![image](https://imgur.com/7Tu0Y3H.png) -## Quark Script: CWE-78.py +## CWE-78 Detection Process Using Quark Script API + +![image](https://imgur.com/Hi7qGjw.png) + +Let’s use the above APIs to show how the Quark script finds this vulnerability. -Let's use the above APIs to show how the Quark script finds this -vulnerability. +First, we design a detection rule `ExternalStringsCommands.json` to spot on behavior using external strings as commands. -First, we design a detection rule `ExternalStringsCommands.json` to spot -on behavior using external strings as commands. +Next, we use Quark API `behaviorInstance.getMethodsInArgs()` to get the methods that passed the external command. -Next, we use Quark API `behaviorInstance.getMethodsInArgs()` to get the -methods that passed the external command. +Then we check if the method neutralizes any special elements in the argument. -Then we check if the method neutralizes any special elements found in -the argument. +If the neutralization is not complete, then it may cause CWE-78 vulnerability. + +## Quark Script: CWE-78.py -If the neutralization is not complete, then it may cause CWE-78 -vulnerability. +![image](https://imgur.com/UpRWgGe.png) -``` python +```python from quark.script import runQuarkAnalysis, Rule, findMethodInAPK SAMPLE_PATH = "Vuldroid.apk" @@ -48,7 +46,11 @@ STRING_MATCHING_API = set([ ("Ljava/lang/String;", "indexOf", "(I)I"), ("Ljava/lang/String;", "indexOf", "(Ljava/lang/String;)I"), ("Ljava/lang/String;", "matches", "(Ljava/lang/String;)Z"), - ("Ljava/lang/String;", "replaceAll", "(Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;") + ( + "Ljava/lang/String;", + "replaceAll", + "(Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;", + ), ]) specialElementsPattern = r"[ ;|,>`]+" @@ -69,10 +71,12 @@ for ExternalStringCommand in quarkResult.behaviorOccurList: else: print(f"CWE-78 is detected in method, {caller.fullName}") ``` - + ## Quark Rule: ExternalStringCommand.json -``` json +![image](https://imgur.com/eoV8hnZ.png) + +```json { "crime": "Using external strings as commands", "permission": [], @@ -95,9 +99,7 @@ for ExternalStringCommand in quarkResult.behaviorOccurList: ## Quark Script Result -- **Vuldroid.apk** - -``` TEXT +``` $ python3 CWE-78.py CWE-78 is detected in method, Lcom/vuldroid/application/RootDetection; onCreate (Landroid/os/Bundle;)V -``` +``` \ No newline at end of file