From 15b8ffc3468928f9187d8a0deca36d032d1149bd Mon Sep 17 00:00:00 2001 From: ZhiH <127014343+JerryTasi@users.noreply.github.com> Date: Fri, 14 Feb 2025 16:03:11 +0800 Subject: [PATCH 1/2] Optimize the document of Quark Script CWE-23 --- CWE-23/README.md | 71 +++++++++++++++++++++--------------------------- 1 file changed, 31 insertions(+), 40 deletions(-) diff --git a/CWE-23/README.md b/CWE-23/README.md index 4570fc8..c479896 100644 --- a/CWE-23/README.md +++ b/CWE-23/README.md @@ -1,47 +1,38 @@ # Detect CWE-23 in Android Application -This scenario aims to demonstrate the detection of the **Relative Path -Traversal** vulnerability. +This scenario aims to demonstrate the detection of the **Relative Path Traversal** vulnerability. ## CWE-23: Relative Path Traversal We analyze the definition of CWE-23 and identify its characteristics. -See [CWE-23](https://cwe.mitre.org/data/definitions/23.html) for more -details. +See [CWE-23](https://cwe.mitre.org/data/definitions/23.html) for more details. -![image](https://imgur.com/YS9umQp.png) +![image](https://imgur.com/k4UPsKO.png) ## Code of CWE-23 in ovaa.apk -We use the [ovaa.apk](https://github.com/oversecured/ovaa) sample to -explain the vulnerability code of CWE-23. +We use the [ovaa.apk](https://github.com/oversecured/ovaa) sample to explain the vulnerability code of CWE-23. -![image](https://imgur.com/GosANyj.png) +![image](https://imgur.com/KT277GG.png) -## Quark Script: CWE-23.py +## CWE-23 Detection Process Using Quark Script API + +![image](https://imgur.com/D852ZLV.png) + +Let’s use the above APIs to show how the Quark script finds this vulnerability. + +To begin with, we create a detection rule named ``accessFileInExternalDir.json`` to identify behavior that accesses a file in an external directory. -Let's use the above APIs to show how the Quark script finds this -vulnerability. +Next, we use ``methodInstance.getArguments()`` to retrieve the file path argument and check whether it belongs to the APK. If it does not belong to the APK, the argument is likely from external input. -To begin with, we will create a detection rule named -`accessFileInExternalDir.json` to identify behavior that accesses a file -in an external directory. +Then, we use the Quark Script API ``quarkResultInstance.findMethodInCaller(callerMethod, targetMethod)`` to search for any APIs in the caller method that are used to match strings. If no API is found, that implies the APK does not neutralize special elements within the argument, possibly resulting in CWE-23 vulnerability. -Next, we will use `methodInstance.getArguments()` to retrieve the file -path argument and check whether it belongs to the APK or not. If it does -not belong to the APK, the argument is likely from external input. +## Quark Script: CWE-23.py -Finally, we will use the Quark API -`quarkResultInstance.findMethodInCaller(callerMethod, targetMethod)` to -search for any APIs in the caller method that match the string. If no -matching API is found, the APK does not neutralize special elements -within the argument, which may result in the CWE-23 vulnerability. If a -matching API is found, we will verify whether it neutralizes the -Relative Path string or not. If it does not neutralize it, the APK may -still be vulnerable to CWE-23. +![image](https://imgur.com/lk1C4CX.jpg) -``` python +```python from quark.script import runQuarkAnalysis, Rule SAMPLE_PATH = "ovaa.apk" @@ -79,27 +70,27 @@ for accessExternalDir in quarkResult.behaviorOccurList: if not strMatchingAPIs: print(f"CWE-23 is detected in method, {caller.fullName}") - elif strMatchingAPIs.find("..") == -1: - print(f"CWE-23 is detected in method, {caller.fullName}") ``` ## Quark Rule: accessFileInExternalDir.json -``` json +![image](https://imgur.com/N2uKsZj.png) + +```json { "crime": "Access a file in an external directory", "permission": [], "api": [ - { - "class": "Landroid/os/Environment;", - "method": "getExternalStorageDirectory", - "descriptor": "()Ljava/io/File;" - }, - { - "class": "Ljava/io/File;", - "method": "", - "descriptor": "(Ljava/io/File;Ljava/lang/String;)V" - } + { + "class": "Landroid/os/Environment;", + "method": "getExternalStorageDirectory", + "descriptor": "()Ljava/io/File;" + }, + { + "class": "Ljava/io/File;", + "method": "", + "descriptor": "(Ljava/io/File;Ljava/lang/String;)V" + } ], "score": 1, "label": [] @@ -108,7 +99,7 @@ for accessExternalDir in quarkResult.behaviorOccurList: ## Quark Script Result -``` TEXT +``` $ python3 CWE-23.py CWE-23 is detected in method, Loversecured/ovaa/providers/TheftOverwriteProvider; openFile (Landroid/net/Uri; Ljava/lang/String;)Landroid/os/ParcelFileDescriptor; ``` From b43dd2e43b51efab5f3761f818587215944560c2 Mon Sep 17 00:00:00 2001 From: ZhiH <127014343+JerryTasi@users.noreply.github.com> Date: Fri, 14 Feb 2025 16:05:10 +0800 Subject: [PATCH 2/2] Optimize the document of Quark Script CWE-23 Remove the last two lines --- CWE-23/CWE-23.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/CWE-23/CWE-23.py b/CWE-23/CWE-23.py index 1a6870a..05701e9 100644 --- a/CWE-23/CWE-23.py +++ b/CWE-23/CWE-23.py @@ -35,5 +35,3 @@ if not strMatchingAPIs: print(f"CWE-23 is detected in method, {caller.fullName}") - elif strMatchingAPIs.find("..") == -1: - print(f"CWE-23 is detected in method, {caller.fullName}") \ No newline at end of file