Skip to content

Optimize the document of Quark Script CWE-23 #52

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 2 commits into from
Closed

Optimize the document of Quark Script CWE-23 #52

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
15b8ffc
Optimize the document of Quark Script CWE-23
JerryTasi Feb 14, 2025
b43dd2e
Optimize the document of Quark Script CWE-23
JerryTasi Feb 14, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 0 additions & 2 deletions CWE-23/CWE-23.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,5 +35,3 @@

if not strMatchingAPIs:
print(f"CWE-23 is detected in method, {caller.fullName}")
elif strMatchingAPIs.find("..") == -1:
print(f"CWE-23 is detected in method, {caller.fullName}")
71 changes: 31 additions & 40 deletions CWE-23/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,47 +1,38 @@
# Detect CWE-23 in Android Application

This scenario aims to demonstrate the detection of the **Relative Path
Traversal** vulnerability.
This scenario aims to demonstrate the detection of the **Relative Path Traversal** vulnerability.

## CWE-23: Relative Path Traversal

We analyze the definition of CWE-23 and identify its characteristics.

See [CWE-23](https://cwe.mitre.org/data/definitions/23.html) for more
details.
See [CWE-23](https://cwe.mitre.org/data/definitions/23.html) for more details.

![image](https://imgur.com/YS9umQp.png)
![image](https://imgur.com/k4UPsKO.png)

## Code of CWE-23 in ovaa.apk

We use the [ovaa.apk](https://github.com/oversecured/ovaa) sample to
explain the vulnerability code of CWE-23.
We use the [ovaa.apk](https://github.com/oversecured/ovaa) sample to explain the vulnerability code of CWE-23.

![image](https://imgur.com/GosANyj.png)
![image](https://imgur.com/KT277GG.png)

## Quark Script: CWE-23.py
## CWE-23 Detection Process Using Quark Script API

![image](https://imgur.com/D852ZLV.png)

Let’s use the above APIs to show how the Quark script finds this vulnerability.

To begin with, we create a detection rule named ``accessFileInExternalDir.json`` to identify behavior that accesses a file in an external directory.

Let's use the above APIs to show how the Quark script finds this
vulnerability.
Next, we use ``methodInstance.getArguments()`` to retrieve the file path argument and check whether it belongs to the APK. If it does not belong to the APK, the argument is likely from external input.

To begin with, we will create a detection rule named
`accessFileInExternalDir.json` to identify behavior that accesses a file
in an external directory.
Then, we use the Quark Script API ``quarkResultInstance.findMethodInCaller(callerMethod, targetMethod)`` to search for any APIs in the caller method that are used to match strings. If no API is found, that implies the APK does not neutralize special elements within the argument, possibly resulting in CWE-23 vulnerability.

Next, we will use `methodInstance.getArguments()` to retrieve the file
path argument and check whether it belongs to the APK or not. If it does
not belong to the APK, the argument is likely from external input.
## Quark Script: CWE-23.py

Finally, we will use the Quark API
`quarkResultInstance.findMethodInCaller(callerMethod, targetMethod)` to
search for any APIs in the caller method that match the string. If no
matching API is found, the APK does not neutralize special elements
within the argument, which may result in the CWE-23 vulnerability. If a
matching API is found, we will verify whether it neutralizes the
Relative Path string or not. If it does not neutralize it, the APK may
still be vulnerable to CWE-23.
![image](https://imgur.com/lk1C4CX.jpg)

``` python
```python
from quark.script import runQuarkAnalysis, Rule

SAMPLE_PATH = "ovaa.apk"
Expand Down Expand Up @@ -79,27 +70,27 @@ for accessExternalDir in quarkResult.behaviorOccurList:

if not strMatchingAPIs:
print(f"CWE-23 is detected in method, {caller.fullName}")
elif strMatchingAPIs.find("..") == -1:
print(f"CWE-23 is detected in method, {caller.fullName}")
```

## Quark Rule: accessFileInExternalDir.json

``` json
![image](https://imgur.com/N2uKsZj.png)

```json
{
"crime": "Access a file in an external directory",
"permission": [],
"api": [
{
"class": "Landroid/os/Environment;",
"method": "getExternalStorageDirectory",
"descriptor": "()Ljava/io/File;"
},
{
"class": "Ljava/io/File;",
"method": "<init>",
"descriptor": "(Ljava/io/File;Ljava/lang/String;)V"
}
{
"class": "Landroid/os/Environment;",
"method": "getExternalStorageDirectory",
"descriptor": "()Ljava/io/File;"
},
{
"class": "Ljava/io/File;",
"method": "<init>",
"descriptor": "(Ljava/io/File;Ljava/lang/String;)V"
}
],
"score": 1,
"label": []
Expand All @@ -108,7 +99,7 @@ for accessExternalDir in quarkResult.behaviorOccurList:

## Quark Script Result

``` TEXT
```
$ python3 CWE-23.py
CWE-23 is detected in method, Loversecured/ovaa/providers/TheftOverwriteProvider; openFile (Landroid/net/Uri; Ljava/lang/String;)Landroid/os/ParcelFileDescriptor;
```