Add CWE-78 and fix CWE-88 Quark Script (#29)

LiangPPP · web-flow · commit d5c7799c89af · 2023-06-17T19:58:07.000+08:00
diff --git a/CWE-78/CWE-78.py b/CWE-78/CWE-78.py
@@ -0,0 +1,31 @@
+from quark.script import runQuarkAnalysis, Rule, findMethodInAPK
+
+SAMPLE_PATH = "Vuldroid.apk"
+RULE_PATH = "ExternalStringCommand.json"
+
+
+STRING_MATCHING_API = set([
+    ("Ljava/lang/String;", "contains", "(Ljava/lang/CharSequence)Z"),
+    ("Ljava/lang/String;", "indexOf", "(I)I"),
+    ("Ljava/lang/String;", "indexOf", "(Ljava/lang/String;)I"),
+    ("Ljava/lang/String;", "matches", "(Ljava/lang/String;)Z"),
+    ("Ljava/lang/String;", "replaceAll", "(Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;")
+])
+
+specialElementsPattern = r"[ ;|,>`]+"
+
+ruleInstance = Rule(RULE_PATH)
+quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance)
+
+for ExternalStringCommand in quarkResult.behaviorOccurList:
+
+    methodCalled = set()
+    caller = ExternalStringCommand.methodCaller
+
+    for method in ExternalStringCommand.getMethodsInArgs():
+        methodCalled.add(method.fullName)
+
+    if methodCalled.intersection(STRING_MATCHING_API) and not ExternalStringCommand.hasString(specialElementsPattern):
+        continue
+    else:
+        print(f"CWE-78 is detected in method, {caller.fullName}")
diff --git a/CWE-78/ExternalStringCommand.json b/CWE-78/ExternalStringCommand.json
@@ -0,0 +1,18 @@
+{
+    "crime": "Using external strings as commands",
+    "permission": [],
+    "api": [
+        {
+            "class": "Landroid/content/Intent;",
+            "method": "getStringExtra",
+            "descriptor": "(Ljava/lang/String;)Ljava/lang/String"
+        },
+        {
+            "class": "Ljava/lang/Runtime;",
+            "method": "exec",
+            "descriptor": "(Ljava/lang/String;)Ljava/lang/Process"
+        }
+    ],
+    "score": 1,
+    "label": []
+}
diff --git a/CWE-78/README.md b/CWE-78/README.md
@@ -0,0 +1,87 @@
+Detect CWE-78 in Android Application (Vuldroid.apk )
+-----------------------------------------------------------------------
+This scenario seeks to find **Improper Neutralization of Special Elements used in an OS Command**. See [CWE-78](https://cwe.mitre.org/data/definitions/78.html) for more details.
+
+Let’s use this [APK](https://github.com/jaiswalakshansh/Vuldroid) and the above APIs to show how the Quark script finds this vulnerability.
+
+First, we design a detection rule ``ExternalStringsCommands.json`` to spot on behavior using external strings as commands.
+
+Next, we use Quark API ``behaviorInstance.getMethodsInArgs()`` to get the methods that passed the external command.
+
+Then we check if the method neutralizes any special elements found in the argument.
+
+If the neutralization is not complete, then it may cause CWE-78 vulnerability.
+
+
+Quark Script CWE-78.py
+=======================
+
+The Quark Script below uses Vuldroid.apk to demonstrate.
+
+``` python
+from quark.script import runQuarkAnalysis, Rule, findMethodInAPK
+
+SAMPLE_PATH = "Vuldroid.apk"
+RULE_PATH = "ExternalStringCommand.json"
+
+
+STRING_MATCHING_API = set([
+    ("Ljava/lang/String;", "contains", "(Ljava/lang/CharSequence)Z"),
+    ("Ljava/lang/String;", "indexOf", "(I)I"),
+    ("Ljava/lang/String;", "indexOf", "(Ljava/lang/String;)I"),
+    ("Ljava/lang/String;", "matches", "(Ljava/lang/String;)Z"),
+    ("Ljava/lang/String;", "replaceAll", "(Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;")
+])
+
+specialElementsPattern = r"[ ;|,>`]+"
+
+ruleInstance = Rule(RULE_PATH)
+quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance)
+
+for ExternalStringCommand in quarkResult.behaviorOccurList:
+
+    methodCalled = set()
+    caller = ExternalStringCommand.methodCaller
+
+    for method in ExternalStringCommand.getMethodsInArgs():
+        methodCalled.add(method.fullName)
+
+    if methodCalled.intersection(STRING_MATCHING_API) and not ExternalStringCommand.hasString(specialElementsPattern):
+        continue
+    else:
+        print(f"CWE-78 is detected in method, {caller.fullName}")
+
+```
+                
+Quark Rule: ExternalStringCommand.json
+=========================================
+
+```json
+{
+    "crime": "Using external strings as commands",
+    "permission": [],
+    "api": [
+        {
+            "class": "Landroid/content/Intent;",
+            "method": "getStringExtra",
+            "descriptor": "(Ljava/lang/String;)Ljava/lang/String"
+        },
+        {
+            "class": "Ljava/lang/Runtime;",
+            "method": "exec",
+            "descriptor": "(Ljava/lang/String;)Ljava/lang/Process"
+        }
+    ],
+    "score": 1,
+    "label": []
+}
+```
+
+Quark Script Result
+======================
+- **Vuldroid.apk**
+
+```
+$ python3 CWE-78.py
+CWE-78 is detected in method, Lcom/vuldroid/application/RootDetection; onCreate (Landroid/os/Bundle;)V
+```
diff --git a/CWE-88/CWE-88.py b/CWE-88/CWE-88.py
@@ -1,32 +1,31 @@
-from quark.script import runQuarkAnalysis, Rule
+from quark.script import runQuarkAnalysis, Rule, findMethodInAPK
 
 SAMPLE_PATH = "Vuldroid.apk"
 RULE_PATH = "ExternalStringCommand.json"
 
 
-STRING_MATCHING_API = [
-    ["Ljava/lang/String;", "contains", "(Ljava/lang/CharSequence)Z"],
-    ["Ljava/lang/String;", "indexOf", "(I)I"],
-    ["Ljava/lang/String;", "indexOf", "(Ljava/lang/String;)I"],
-    ["Ljava/lang/String;", "matches", "(Ljava/lang/String;)Z"],
-    ["Ljava/lang/String;", "replaceAll",
-        "(Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;"],
-]
+STRING_MATCHING_API = set([
+    ("Ljava/lang/String;", "contains", "(Ljava/lang/CharSequence)Z"),
+    ("Ljava/lang/String;", "indexOf", "(I)I"),
+    ("Ljava/lang/String;", "indexOf", "(Ljava/lang/String;)I"),
+    ("Ljava/lang/String;", "matches", "(Ljava/lang/String;)Z"),
+    ("Ljava/lang/String;", "replaceAll", "(Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;")
+])
 
-delimiters = [' ', ';', '||', '|', ',', '>', '>>', '`']
+delimeter = "-"
 
 ruleInstance = Rule(RULE_PATH)
 quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance)
 
 for ExternalStringCommand in quarkResult.behaviorOccurList:
 
+    methodCalled = set()
     caller = ExternalStringCommand.methodCaller
 
-    strMatchingAPIs = [
-        api for api in STRING_MATCHING_API if
-        quarkResult.findMethodInCaller(caller, api)
-    ]
+    for method in ExternalStringCommand.getMethodsInArgs():
+        methodCalled.add(method.fullName)
 
-    if not strMatchingAPIs or \
-            any(dlm not in strMatchingAPIs for dlm in delimiters):
+    if methodCalled.intersection(STRING_MATCHING_API) and not ExternalStringCommand.hasString(delimeter):
+        continue
+    else:
         print(f"CWE-88 is detected in method, {caller.fullName}")
diff --git a/CWE-88/README.md b/CWE-88/README.md
@@ -1,4 +1,3 @@
-CWE-88
 Detect CWE-88 in Android Application (Vuldroid.apk )
 -----------------------------------------------------------------------
 This scenario seeks to find **Improper Neutralization of Argument Delimiters in a Command**. See [CWE-88](https://cwe.mitre.org/data/definitions/88.html) for more details.
@@ -7,11 +6,11 @@ Let’s use this [APK](https://github.com/jaiswalakshansh/Vuldroid) and the abov
 
 First, we design a detection rule ``ExternalStringsCommands.json`` to spot on behavior using external strings as commands.
 
-Next, we use Quark API ``quarkResultInstance.findMethodInCaller(callerMethod, targetMethod)`` to check if any APIs in the caller method for string matching. 
+Next, we use Quark API ``behaviorInstance.getMethodsInArgs()`` to get the methods that passed the external command.
 
-If NO, the APK does not neutralize special elements within the argument, which may cause CWE-88 vulnerability. 
+Then we check if the method neutralizes any special elements found in the argument.
 
-If YES, check if there are any delimiters used in string matching for a filter. If NO, the APK does not neutralize special elements within the argument, which may cause CWE-88 vulnerability. 
+If the neutralization is not complete, then it may cause CWE-88 vulnerability.
 
 
 Quark Script CWE-88.py
@@ -20,37 +19,36 @@ Quark Script CWE-88.py
 The Quark Script below uses Vuldroid.apk to demonstrate.
 
 ``` python
-from quark.script import runQuarkAnalysis, Rule
+from quark.script import runQuarkAnalysis, Rule, findMethodInAPK
 
 SAMPLE_PATH = "Vuldroid.apk"
 RULE_PATH = "ExternalStringCommand.json"
 
 
-STRING_MATCHING_API = [
-    ["Ljava/lang/String;", "contains", "(Ljava/lang/CharSequence)Z"],
-    ["Ljava/lang/String;", "indexOf", "(I)I"],
-    ["Ljava/lang/String;", "indexOf", "(Ljava/lang/String;)I"],
-    ["Ljava/lang/String;", "matches", "(Ljava/lang/String;)Z"],
-    ["Ljava/lang/String;", "replaceAll",
-        "(Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;"],
-]
+STRING_MATCHING_API = set([
+    ("Ljava/lang/String;", "contains", "(Ljava/lang/CharSequence)Z"),
+    ("Ljava/lang/String;", "indexOf", "(I)I"),
+    ("Ljava/lang/String;", "indexOf", "(Ljava/lang/String;)I"),
+    ("Ljava/lang/String;", "matches", "(Ljava/lang/String;)Z"),
+    ("Ljava/lang/String;", "replaceAll", "(Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;")
+])
 
-delimiters = [' ', ';', '||', '|', ',', '>', '>>', '`']
+delimeter = "-"
 
 ruleInstance = Rule(RULE_PATH)
 quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance)
 
 for ExternalStringCommand in quarkResult.behaviorOccurList:
 
+    methodCalled = set()
     caller = ExternalStringCommand.methodCaller
 
-    strMatchingAPIs = [
-        api for api in STRING_MATCHING_API if
-        quarkResult.findMethodInCaller(caller, api)
-    ]
+    for method in ExternalStringCommand.getMethodsInArgs():
+        methodCalled.add(method.fullName)
 
-    if not strMatchingAPIs or \
-            any(dlm not in strMatchingAPIs for dlm in delimiters):
+    if methodCalled.intersection(STRING_MATCHING_API) and not ExternalStringCommand.hasString(delimeter):
+        continue
+    else:
         print(f"CWE-88 is detected in method, {caller.fullName}")
 
 ```
