From bfdf2d9b2e1a04ad7f5a42ed42f4c91c2b686120 Mon Sep 17 00:00:00 2001 From: ZhiH Date: Mon, 11 Aug 2025 11:53:20 +0800 Subject: [PATCH 1/4] Optimize the document of Quark Script CWE-502, 1204, 24 --- CWE-1204/CWE-1204.py | 20 +++++ CWE-1204/README.md | 89 ++++++++++++++++++++++ CWE-1204/initializeCipherWithIV.json | 18 +++++ CWE-24/CWE-24.py | 37 +++++++++ CWE-24/README.md | 107 +++++++++++++++++++++++++++ CWE-24/accessFileInExternalDir.json | 18 +++++ CWE-502/CWE-502.py | 2 +- CWE-502/README.md | 47 ++++++------ CWE-502/deserializeData.json | 2 +- 9 files changed, 313 insertions(+), 27 deletions(-) create mode 100644 CWE-1204/CWE-1204.py create mode 100644 CWE-1204/README.md create mode 100644 CWE-1204/initializeCipherWithIV.json create mode 100644 CWE-24/CWE-24.py create mode 100644 CWE-24/README.md create mode 100644 CWE-24/accessFileInExternalDir.json diff --git a/CWE-1204/CWE-1204.py b/CWE-1204/CWE-1204.py new file mode 100644 index 0000000..0e30929 --- /dev/null +++ b/CWE-1204/CWE-1204.py @@ -0,0 +1,20 @@ +from quark.script import runQuarkAnalysis, Rule + +SAMPLE_PATH = "InsecureBankv2.apk" +RULE_PATH = "initializeCipherWithIV.json" + +randomAPIs = [ + ["Ljava/security/SecureRandom", "next", "(I)I"], + ["Ljava/security/SecureRandom", "nextBytes", "([B)V"], +] + +ruleInstance = Rule(RULE_PATH) +quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance) + +for initCipherWithIV in quarkResult.behaviorOccurList: + methodcaller = initCipherWithIV.methodCaller + + if not any( + initCipherWithIV.isArgFromMethod(api) for api in randomAPIs + ): + print(f"CWE-1204 is detected in method, {methodcaller.fullName}") diff --git a/CWE-1204/README.md b/CWE-1204/README.md new file mode 100644 index 0000000..ce579b0 --- /dev/null +++ b/CWE-1204/README.md @@ -0,0 +1,89 @@ +# Detect CWE-1204 in Android Application + +This scenario seeks to find **Generation of Weak Initialization Vector (IV)**. + +## CWE-1204: Generation of Weak Initialization Vector (IV) + +We analyze the definition of CWE-1204 and identify its characteristics. + +See [CWE-1204](https://cwe.mitre.org/data/definitions/1204.html) for more details. + +![image](https://i.postimg.cc/3NNmYz6J/image.png) + +## Code of CWE-1204 in InsecureBankv2.apk + +We use the [InsecureBankv2.apk](https://github.com/dineshshetty/Android-InsecureBankv2) sample to explain the vulnerability code of CWE-1204. + +![image](https://i.postimg.cc/rsHWmQXG/image.png) + + +## CWE-1204 Detection Process Using Quark Script API + +![image](https://i.postimg.cc/jq3yZdwW/image.png) + +Let’s use the above APIs to show how the Quark script finds this vulnerability. + +First, we created a detection rule named `initializeCipherWithIV.json` to identify behaviors that initialize a cipher object with IV. + +Then, we use API `behaviorInstance.isArgFromMethod(targetMethod)` to check if any random API is applied on the IV used in the cipher object. If **NO**, it could imply that the APK uses a weak IV, potentially leading to a CWE-1204 vulnerability. + +## Quark Scipt: CWE-1204.py + +![image](https://i.postimg.cc/Hxs79fT4/image.png) + +```python +from quark.script import runQuarkAnalysis, Rule + +SAMPLE_PATH = "InsecureBankv2.apk" +RULE_PATH = "initializeCipherWithIV.json" + +randomAPIs = [ + ["Ljava/security/SecureRandom", "next", "(I)I"], + ["Ljava/security/SecureRandom", "nextBytes", "([B)V"], +] + +ruleInstance = Rule(RULE_PATH) +quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance) + +for initCipherWithIV in quarkResult.behaviorOccurList: + methodcaller = initCipherWithIV.methodCaller + + if not any( + initCipherWithIV.isArgFromMethod(api) for api in randomAPIs + ): + print(f"CWE-1204 is detected in method, {methodcaller.fullName}") +``` + +## Quark Rule: initializeCipherWithIV.json + +![image](https://i.postimg.cc/kGL69GKf/image.png) + +```json +{ + "crime": "Initialize a cipher object with IV", + "permission": [], + "api": [ + { + "class": "Ljavax/crypto/spec/IvParameterSpec;", + "method": "", + "descriptor": "([B)V" + }, + { + "class": "Ljavax/crypto/Cipher;", + "method": "init", + "descriptor": "(ILjava/security/Key;Ljava/security/spec/AlgorithmParameterSpec;)V" + } + ], + "score": 1, + "label": [] +} +``` + +## Quark Script Result + +```TEXT +$ python CWE-1204.py +CWE-1204 is detected in method, Lcom/android/insecurebankv2/CryptoClass; aes256encrypt ([B [B [B)[B +CWE-1204 is detected in method, Lcom/android/insecurebankv2/CryptoClass; aes256decrypt ([B [B [B)[B +CWE-1204 is detected in method, Lcom/google/android/gms/internal/zzar; zzc ([B Ljava/lang/String;)[B +``` \ No newline at end of file diff --git a/CWE-1204/initializeCipherWithIV.json b/CWE-1204/initializeCipherWithIV.json new file mode 100644 index 0000000..5d6f593 --- /dev/null +++ b/CWE-1204/initializeCipherWithIV.json @@ -0,0 +1,18 @@ +{ + "crime": "Initialize a cipher object with IV", + "permission": [], + "api": [ + { + "class": "Ljavax/crypto/spec/IvParameterSpec;", + "method": "", + "descriptor": "([B)V" + }, + { + "class": "Ljavax/crypto/Cipher;", + "method": "init", + "descriptor": "(ILjava/security/Key;Ljava/security/spec/AlgorithmParameterSpec;)V" + } + ], + "score": 1, + "label": [] +} diff --git a/CWE-24/CWE-24.py b/CWE-24/CWE-24.py new file mode 100644 index 0000000..93d0e15 --- /dev/null +++ b/CWE-24/CWE-24.py @@ -0,0 +1,37 @@ +from quark.script import runQuarkAnalysis, Rule + +SAMPLE_PATH = "ovaa.apk" +RULE_PATH = "accessFileInExternalDir.json" + + +STRING_MATCHING_API = [ + ["Ljava/lang/String;", "contains", "(Ljava/lang/CharSequence)Z"], + ["Ljava/lang/String;", "indexOf", "(I)I"], + ["Ljava/lang/String;", "indexOf", "(Ljava/lang/String;)I"], + ["Ljava/lang/String;", "matches", "(Ljava/lang/String;)Z"], + [ + "Ljava/lang/String;", + "replaceAll", + "(Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;", + ], +] + +ruleInstance = Rule(RULE_PATH) +quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance) + +for accessExternalDir in quarkResult.behaviorOccurList: + + filePath = accessExternalDir.secondAPI.getArguments()[2] + + if quarkResult.isHardcoded(filePath): + continue + + caller = accessExternalDir.methodCaller + strMatchingAPIs = [ + api + for api in STRING_MATCHING_API + if quarkResult.findMethodInCaller(caller, api) + ] + + if not strMatchingAPIs or "../" not in accessExternalDir.getParamValues(): + print(f"CWE-24 is detected in method, {caller.fullName}") diff --git a/CWE-24/README.md b/CWE-24/README.md new file mode 100644 index 0000000..06ea873 --- /dev/null +++ b/CWE-24/README.md @@ -0,0 +1,107 @@ +# Detect CWE-24 in Android Application + +This scenario aims to demonstrate the detection of the **Relative Path Traversal** vulnerability. + +## CWE-24: Path Traversal: '../filedir' + +We analyze the definition of CWE-24 and identify its characteristics. + +See [CWE-24](https://cwe.mitre.org/data/definitions/24.html) for more details. + +![image](https://i.postimg.cc/xdQjd3M2/image.png) + +## Code of CWE-24 in ovaa.apk + +We use the [ovaa.apk](https://github.com/oversecured/ovaa) sample to explain the vulnerability code of CWE-24. + +![image](https://imgur.com/KT277GG.png) + +## CWE-24 Detection Process Using Quark Script API + +![image](https://i.postimg.cc/YCz0YPp9/image.png) + +Let’s use the above APIs to show how the Quark script finds this vulnerability. + +To begin with, we create a detection rule named ``accessFileInExternalDir.json`` to identify behavior that accesses a file in an external directory. + +Next, we use ``methodInstance.getArguments()`` to retrieve the file path argument and check whether it belongs to the APK. If it does not belong to the APK, the argument is likely from external input. + +Finally, we use the Quark Script API ``quarkResultInstance.findMethodInCaller(callerMethod, targetMethod)`` to search for any APIs in the caller method that are used to match strings, and `getParamValues(none)` to retrieve the parameters. + +If no API is found or `"../"` is not in the parameters, that implies the APK does not neutralize the special element `../` within the argument, possibly resulting in CWE-24 vulnerability. + +## Quark Script: CWE-24.py + +![image](https://i.postimg.cc/rwfc82VS/image.png) + +```python +from quark.script import runQuarkAnalysis, Rule + +SAMPLE_PATH = "ovaa.apk" +RULE_PATH = "accessFileInExternalDir.json" + + +STRING_MATCHING_API = [ + ["Ljava/lang/String;", "contains", "(Ljava/lang/CharSequence)Z"], + ["Ljava/lang/String;", "indexOf", "(I)I"], + ["Ljava/lang/String;", "indexOf", "(Ljava/lang/String;)I"], + ["Ljava/lang/String;", "matches", "(Ljava/lang/String;)Z"], + [ + "Ljava/lang/String;", + "replaceAll", + "(Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;", + ], +] + +ruleInstance = Rule(RULE_PATH) +quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance) + +for accessExternalDir in quarkResult.behaviorOccurList: + + filePath = accessExternalDir.secondAPI.getArguments()[2] + + if quarkResult.isHardcoded(filePath): + continue + + caller = accessExternalDir.methodCaller + strMatchingAPIs = [ + api + for api in STRING_MATCHING_API + if quarkResult.findMethodInCaller(caller, api) + ] + + if not strMatchingAPIs or "../" not in accessExternalDir.getParamValues(): + print(f"CWE-24 is detected in method, {caller.fullName}") +``` + +## Quark Rule: accessFileInExternalDir.json + +![image](https://i.postimg.cc/1RDQ8qRR/image.png) + +```json +{ + "crime": "Access a file in an external directory", + "permission": [], + "api": [ + { + "class": "Landroid/os/Environment;", + "method": "getExternalStorageDirectory", + "descriptor": "()Ljava/io/File;" + }, + { + "class": "Ljava/io/File;", + "method": "", + "descriptor": "(Ljava/io/File;Ljava/lang/String;)V" + } + ], + "score": 1, + "label": [] +} +``` + +## Quark Script Result + +``` +$ python3 CWE-24.py +CWE-24 is detected in method, Loversecured/ovaa/providers/TheftOverwriteProvider; openFile (Landroid/net/Uri; Ljava/lang/String;)Landroid/os/ParcelFileDescriptor; +``` \ No newline at end of file diff --git a/CWE-24/accessFileInExternalDir.json b/CWE-24/accessFileInExternalDir.json new file mode 100644 index 0000000..d537258 --- /dev/null +++ b/CWE-24/accessFileInExternalDir.json @@ -0,0 +1,18 @@ +{ + "crime": "Access a file in an external directory", + "permission": [], + "api": [ + { + "class": "Landroid/os/Environment;", + "method": "getExternalStorageDirectory", + "descriptor": "()Ljava/io/File;" + }, + { + "class": "Ljava/io/File;", + "method": "", + "descriptor": "(Ljava/io/File;Ljava/lang/String;)V" + } + ], + "score": 1, + "label": [] +} diff --git a/CWE-502/CWE-502.py b/CWE-502/CWE-502.py index b6c6f5f..d082549 100644 --- a/CWE-502/CWE-502.py +++ b/CWE-502/CWE-502.py @@ -18,4 +18,4 @@ apis = dataDeserialization.getMethodsInArgs() caller = dataDeserialization.methodCaller if not any(api in apis for api in verificationApis): - print(f"CWE-502 is detected in method, {caller.fullName}") \ No newline at end of file + print(f"CWE-502 is detected in method, {caller.fullName}") diff --git a/CWE-502/README.md b/CWE-502/README.md index 1d7ca71..04e3185 100644 --- a/CWE-502/README.md +++ b/CWE-502/README.md @@ -1,41 +1,38 @@ # Detect CWE-502 in Android Application - -This scenario seeks to find **Deserialization of Untrusted Data** in the -APK file. +This scenario seeks to find **Deserialization of Untrusted Data** in the APK file. ## CWE-502: Deserialization of Untrusted Data We analyze the definition of CWE-502 and identify its characteristics. -See [CWE-502](https://cwe.mitre.org/data/definitions/502.html) for more -details. +See [CWE-502](https://cwe.mitre.org/data/definitions/502.html) for more details. -![image](https://imgur.com/Zee9kcJ.jpg) +![image](https://i.postimg.cc/YSyQsgGf/image.png) ## Code of CWE-502 in pivaa.apk -We use the [pivaa.apk](https://github.com/htbridge/pivaa) sample to -explain the vulnerability code of CWE-502. +We use the [pivaa.apk](https://github.com/htbridge/pivaa) sample to explain the vulnerability code of CWE-502. -![image](https://imgur.com/yZl5XS3.jpg) +![image](https://i.postimg.cc/XJdXkywv/image.png) -## Quark Script CWE-502.py +## CWE-502 Detection Process Using Quark Script API + +![image](https://i.postimg.cc/mkV97HsH/image.png) -Let's use the above APIs to show how the Quark script finds this -vulnerability. +Let’s use the above APIs to show how the Quark script finds this vulnerability. -To begin with, we created a detection rule named `deserializeData.json` -to identify behaviors that deserialize data. +To begin with, we created a detection rule named ``deserializeData.json`` to identify behaviors that deserialize data. -Next, we retrieve the methods that interact with the deserialization -API. Following this, we check if there are any of the APIs in -`verificationApis` are found. +Next, we retrieve the methods that interact with the deserialization API. Following this, we check if the methods match any APIs for verifying data. -If **NO**, it could imply that the APK deserializes the untrusted data, -potentially leading to a CWE-502 vulnerability. +If **NO**, it could imply that the APK deserializes the untrusted data, potentially leading to a CWE-502 vulnerability. + +## Quark Script CWE-502.py -``` python +![image](https://i.postimg.cc/vTmXSj7g/image.png) + +```python from quark.script import runQuarkAnalysis, Rule SAMPLE_PATH = "pivaa.apk" @@ -61,7 +58,9 @@ for dataDeserialization in result.behaviorOccurList: ## Quark Rule: deserializeData.json -``` json +![image](https://i.postimg.cc/FsdDQm7r/image.png) + +```json { "crime": "Deserialize Data", "permission": [], @@ -86,9 +85,7 @@ for dataDeserialization in result.behaviorOccurList: ## Quark Script Result -- **pivaa.apk** - -``` TEXT +```TEXT $ python CWE-502.py CWE-502 is detected in method, Lcom/htbridge/pivaa/handlers/ObjectSerialization; loadObject ()V -``` +``` \ No newline at end of file diff --git a/CWE-502/deserializeData.json b/CWE-502/deserializeData.json index edd60d6..53a056e 100644 --- a/CWE-502/deserializeData.json +++ b/CWE-502/deserializeData.json @@ -12,7 +12,7 @@ "class": "Ljava/io/ObjectInputStream;", "method": "readObject", "descriptor": "()Ljava/lang/Object;" - } + } ], "score": 1, From d285906fb8651a8972964320e112e7068b66022d Mon Sep 17 00:00:00 2001 From: ZhiH Date: Mon, 11 Aug 2025 11:56:44 +0800 Subject: [PATCH 2/4] Optimize the document of Quark Script CWE-297 --- CWE-297/CWE-297.py | 18 ++++++++++++++ CWE-297/README.md | 59 ++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 77 insertions(+) create mode 100644 CWE-297/CWE-297.py create mode 100644 CWE-297/README.md diff --git a/CWE-297/CWE-297.py b/CWE-297/CWE-297.py new file mode 100644 index 0000000..642996f --- /dev/null +++ b/CWE-297/CWE-297.py @@ -0,0 +1,18 @@ +from quark.script import findMethodImpls, isMethodReturnAlwaysTrue + +SAMPLE_PATH = "pivaa.apk" + +ABSTRACT_METHOD = [ + "Ljavax/net/ssl/HostnameVerifier;", + "verify", + "(Ljava/lang/String; Ljavax/net/ssl/SSLSession;)Z" +] + +for hostVerification in findMethodImpls(SAMPLE_PATH, ABSTRACT_METHOD): + methodImpls = [ + hostVerification.className, + hostVerification.methodName, + hostVerification.descriptor + ] + if isMethodReturnAlwaysTrue(SAMPLE_PATH, methodImpls): + print(f"CWE-297 is detected in method, {hostVerification.fullName}") diff --git a/CWE-297/README.md b/CWE-297/README.md new file mode 100644 index 0000000..98d9bf5 --- /dev/null +++ b/CWE-297/README.md @@ -0,0 +1,59 @@ +# Detect CWE-297 in Android Application + +This scenario seeks to find **Improper Validation of Certificate with Host Mismatch**. + +## CWE-297: Improper Validation of Certificate with Host Mismatch + +We analyze the definition of CWE-297 and identify its characteristics. + +See [CWE-297](https://cwe.mitre.org/data/definitions/297.html) for more details. + +![image](https://i.postimg.cc/PrpC3vgy/image.png) + +## Code of CWE-297 in pivaa.apk + +We use the [pivaa.apk](https://github.com/htbridge/pivaa) sample to explain the vulnerability code of CWE-297. + +![image](https://i.postimg.cc/wT29kqv2/image.png) + +## CWE-297 Detection Process Using Quark Script API + +![image](https://i.postimg.cc/ryYJRWGN/image.png) + +First, we use API ``findMethodImpls(samplePath, abstractMethod)`` to locate the method that implements the hostname verification, which verifies the hostname of a certificate. + +Next, we use API ``isMethodReturnAlwaysTrue(samplePath, targetMethod)`` to check if the method always returns true. + +If the answer is **YES**, the method does not check the certificate of the host properly, which may cause CWE-297 vulnerability. + +## Quark Script CWE-297.py + +![image](https://i.postimg.cc/Dw311cSL/image.png) + +```python +from quark.script import findMethodImpls, isMethodReturnAlwaysTrue + +SAMPLE_PATH = "pivaa.apk" + +ABSTRACT_METHOD = [ + "Ljavax/net/ssl/HostnameVerifier;", + "verify", + "(Ljava/lang/String; Ljavax/net/ssl/SSLSession;)Z" +] + +for hostVerification in findMethodImpls(SAMPLE_PATH, ABSTRACT_METHOD): + methodImpls = [ + hostVerification.className, + hostVerification.methodName, + hostVerification.descriptor + ] + if isMethodReturnAlwaysTrue(SAMPLE_PATH, methodImpls): + print(f"CWE-297 is detected in method, {hostVerification.fullName}") +``` + +## Quark Script Result + +```TEXT +$ python CWE-297.py +CWE-297 is detected in method, Lcom/htbridge/pivaa/handlers/API$1; verify (Ljava/lang/String; Ljavax/net/ssl/SSLSession;)Z +``` \ No newline at end of file From 158baf02301988cdbc317bbf9c85b4ac04b34ca5 Mon Sep 17 00:00:00 2001 From: ZhiH <127014343+JerryTasi@users.noreply.github.com> Date: Thu, 14 Aug 2025 14:57:58 +0800 Subject: [PATCH 3/4] Optimize the document of Quark Script CWE-297 --- CWE-297/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CWE-297/README.md b/CWE-297/README.md index 98d9bf5..cf08e8e 100644 --- a/CWE-297/README.md +++ b/CWE-297/README.md @@ -20,7 +20,7 @@ We use the [pivaa.apk](https://github.com/htbridge/pivaa) sample to explain the ![image](https://i.postimg.cc/ryYJRWGN/image.png) -First, we use API ``findMethodImpls(samplePath, abstractMethod)`` to locate the method that implements the hostname verification, which verifies the hostname of a certificate. +First, we use API ``findMethodImpls(samplePath, targetMethod)`` to locate the method that implements the hostname verification, which verifies the hostname of a certificate. Next, we use API ``isMethodReturnAlwaysTrue(samplePath, targetMethod)`` to check if the method always returns true. @@ -56,4 +56,4 @@ for hostVerification in findMethodImpls(SAMPLE_PATH, ABSTRACT_METHOD): ```TEXT $ python CWE-297.py CWE-297 is detected in method, Lcom/htbridge/pivaa/handlers/API$1; verify (Ljava/lang/String; Ljavax/net/ssl/SSLSession;)Z -``` \ No newline at end of file +``` From 0c9fc5d6e3570ebc6c537931412f3c2e7a5ceba7 Mon Sep 17 00:00:00 2001 From: ZhiH <127014343+JerryTasi@users.noreply.github.com> Date: Thu, 14 Aug 2025 14:58:54 +0800 Subject: [PATCH 4/4] Optimize the document of Quark Script CWE-24 --- CWE-24/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CWE-24/README.md b/CWE-24/README.md index 06ea873..748d88e 100644 --- a/CWE-24/README.md +++ b/CWE-24/README.md @@ -28,7 +28,7 @@ Next, we use ``methodInstance.getArguments()`` to retrieve the file path argumen Finally, we use the Quark Script API ``quarkResultInstance.findMethodInCaller(callerMethod, targetMethod)`` to search for any APIs in the caller method that are used to match strings, and `getParamValues(none)` to retrieve the parameters. -If no API is found or `"../"` is not in the parameters, that implies the APK does not neutralize the special element `../` within the argument, possibly resulting in CWE-24 vulnerability. +If no API is found or `"../"` is not in parameters, that implies the APK does not neutralize the special element `../` within the argument, possibly resulting in CWE-24 vulnerability. ## Quark Script: CWE-24.py @@ -104,4 +104,4 @@ for accessExternalDir in quarkResult.behaviorOccurList: ``` $ python3 CWE-24.py CWE-24 is detected in method, Loversecured/ovaa/providers/TheftOverwriteProvider; openFile (Landroid/net/Uri; Ljava/lang/String;)Landroid/os/ParcelFileDescriptor; -``` \ No newline at end of file +```