Latest commit 1ae96d2 · Sep 18, 2024
Detect CWE-78 in Android Application

This scenario seeks to find Improper Neutralization of Special Elements used in an OS Command in the APK file.

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

We analyze the definition of CWE-78 and identify its characteristics.

See CWE-78 for more details.

[image: definition of CWE-78]

Code of CWE-78 in Vuldroid.apk

We use the Vuldroid.apk sample to explain the vulnerability code of CWE-78.

[image: vulnerable code in Vuldroid.apk]

Quark Script: CWE-78.py

Let's use the above APIs to show how the Quark script finds this vulnerability.

First, we design a detection rule, ExternalStringCommand.json, to spot the behavior of using an external string (an Intent extra) as a command.

Next, we use the Quark API behaviorInstance.getMethodsInArgs() to get the methods that were applied to the external command before it reached the command execution API.

Then we check whether those methods neutralize any special elements (shell metacharacters) found in the argument.

If the neutralization is not complete, the code may contain a CWE-78 vulnerability.

from quark.script import runQuarkAnalysis, Rule

SAMPLE_PATH = "Vuldroid.apk"
RULE_PATH = "ExternalStringCommand.json"

# String APIs a method might use to filter or validate the command.
# They are stored in Quark's fullName format ("class method descriptor")
# so they can be compared directly with Method.fullName below.
STRING_MATCHING_API = {
    "Ljava/lang/String; contains (Ljava/lang/CharSequence;)Z",
    "Ljava/lang/String; indexOf (I)I",
    "Ljava/lang/String; indexOf (Ljava/lang/String;)I",
    "Ljava/lang/String; matches (Ljava/lang/String;)Z",
    "Ljava/lang/String; replaceAll (Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;",
}

# Shell metacharacters that must be neutralized before a string reaches exec()
specialElementsPattern = r"[ ;|,>`]+"

ruleInstance = Rule(RULE_PATH)
quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance)

for ExternalStringCommand in quarkResult.behaviorOccurList:

    caller = ExternalStringCommand.methodCaller

    # Methods applied to the external string before it is passed to exec()
    methodCalled = set()
    for method in ExternalStringCommand.getMethodsInArgs():
        methodCalled.add(method.fullName)

    # Treat the command as neutralized only if a string-matching API is applied
    # and no special elements appear in the strings used by this behavior.
    if methodCalled.intersection(STRING_MATCHING_API) and not ExternalStringCommand.hasString(
        specialElementsPattern, isRegex=True
    ):
        continue

    print(f"CWE-78 is detected in method, {caller.fullName}")
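The decision rule of the steps above can be exercised offline without an APK. The following is an added example, not code from Quark or this repository: MockBehavior is a constructed stand-in for one entry of Quark's behaviorOccurList, and is_cwe78, detect and the three sample occurrences are assumptions made for illustration. It shows how the rule treats an unfiltered command, an allowlisted one, and a partial replaceAll filter whose arguments themselves contain special elements.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Set

# Same neutralization APIs as the CWE-78.py script, in Quark's
# "class method descriptor" fullName format.
STRING_MATCHING_API: Set[str] = {
    "Ljava/lang/String; contains (Ljava/lang/CharSequence;)Z",
    "Ljava/lang/String; indexOf (I)I",
    "Ljava/lang/String; indexOf (Ljava/lang/String;)I",
    "Ljava/lang/String; matches (Ljava/lang/String;)Z",
    "Ljava/lang/String; replaceAll (Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;",
}

# Shell metacharacters that must be neutralized before a string reaches exec()
SPECIAL_ELEMENTS = re.compile(r"[ ;|,>`]+")


@dataclass
class MockBehavior:
    """Constructed stand-in (not Quark's class) for one behaviorOccurList entry."""

    caller: str                 # fullName of the method holding the getStringExtra -> exec flow
    methods_in_args: List[str]  # fullNames of methods applied to the command argument
    strings: List[str] = field(default_factory=list)  # string constants in the two APIs' arguments

    def has_string(self, pattern: "re.Pattern[str]") -> bool:
        """Mirrors Behavior.hasString(pattern, isRegex=True)."""
        return any(pattern.search(s) for s in self.strings)


def is_cwe78(behavior: MockBehavior) -> bool:
    """True when the script's rule would report this occurrence."""
    uses_matching_api = bool(set(behavior.methods_in_args) & STRING_MATCHING_API)
    neutralized = uses_matching_api and not behavior.has_string(SPECIAL_ELEMENTS)
    return not neutralized


def detect(behaviors: Iterable[MockBehavior]) -> List[str]:
    """Return the callers that would be printed as CWE-78 findings."""
    return [b.caller for b in behaviors if is_cwe78(b)]


# Constructed sample occurrences (class names are placeholders, not from Vuldroid)
SAMPLES = [
    # The extra flows straight into exec(): no filtering at all
    MockBehavior("Lcom/example/Unfiltered; onCreate (Landroid/os/Bundle;)V", []),
    # The extra is validated against an alphanumeric allowlist first
    MockBehavior(
        "Lcom/example/Allowlisted; run ()V",
        ["Ljava/lang/String; matches (Ljava/lang/String;)Z"],
        ["[a-zA-Z0-9]+"],
    ),
    # Only ';' is stripped; the filter's own arguments contain a special element
    MockBehavior(
        "Lcom/example/PartialFilter; run ()V",
        ["Ljava/lang/String; replaceAll (Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;"],
        [";", ""],
    ),
]

if __name__ == "__main__":
    for caller in detect(SAMPLES):
        print(f"CWE-78 is detected in method, {caller}")
```

The allowlisted occurrence is the only one skipped: it applies a listed String API and none of the strings in the two APIs' arguments contain a special element. The partial filter is still reported, which is the intended behaviour of the rule, since a replaceAll that strips only `;` leaves `|`, backticks and the other metacharacters in the pattern untouched.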

Quark Rule: ExternalStringCommand.json

{
    "crime": "Using external strings as commands",
    "permission": [],
    "api": [
        {
            "class": "Landroid/content/Intent;",
            "method": "getStringExtra",
            "descriptor": "(Ljava/lang/String;)Ljava/lang/String;"
        },
        {
            "class": "Ljava/lang/Runtime;",
            "method": "exec",
            "descriptor": "(Ljava/lang/String;)Ljava/lang/Process;"
        }
    ],
    "score": 1,
    "label": []
}
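A rule only matches if its class names and method descriptors are written in the form Quark expects: object types end with `;` and parameters are separated by spaces, as in the script above. The following added example (not part of Quark or this repository; check_rule, the regexes and the constructed sample rules are assumptions) validates a rule dictionary before it is handed to Rule(), and shows that a descriptor whose return type lacks its trailing `;` is reported.

```python
import copy
import re
from typing import Dict, List

# One Dalvik/JVM field type: optional array dimensions, then a primitive or L<class>;
FIELD_TYPE = r"\[*(?:[ZBCSIJFD]|L[^;\s]+;)"
# Method descriptor in the space-separated parameter form used by the rules on this page,
# e.g. "(Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;"
METHOD_DESCRIPTOR = re.compile(rf"\((?:{FIELD_TYPE}(?: {FIELD_TYPE})*)?\)(?:V|{FIELD_TYPE})")
CLASS_NAME = re.compile(r"L[^;\s]+;")
REQUIRED_KEYS = ("crime", "permission", "api", "score", "label")


def check_rule(rule: Dict) -> List[str]:
    """Return findings for a Quark rule dict; an empty list means it looks well-formed."""
    findings: List[str] = []
    for key in REQUIRED_KEYS:
        if key not in rule:
            findings.append(f"missing top-level key {key!r}")
    apis = rule.get("api", [])
    if len(apis) != 2:
        findings.append(f"expected a two-API sequence, found {len(apis)} entries")
    for i, api in enumerate(apis):
        cls = api.get("class", "")
        if not CLASS_NAME.fullmatch(cls):
            findings.append(f"api[{i}].class {cls!r} is not of the form L<pkg/Name>;")
        if not api.get("method"):
            findings.append(f"api[{i}].method is missing")
        desc = api.get("descriptor", "")
        if not METHOD_DESCRIPTOR.fullmatch(desc):
            findings.append(
                f"api[{i}].descriptor {desc!r} is malformed; "
                "object types must end with ';' and parameters are space-separated"
            )
    return findings


# Constructed sample: the ExternalStringCommand rule with complete descriptors
RULE_OK = {
    "crime": "Using external strings as commands",
    "permission": [],
    "api": [
        {
            "class": "Landroid/content/Intent;",
            "method": "getStringExtra",
            "descriptor": "(Ljava/lang/String;)Ljava/lang/String;",
        },
        {
            "class": "Ljava/lang/Runtime;",
            "method": "exec",
            "descriptor": "(Ljava/lang/String;)Ljava/lang/Process;",
        },
    ],
    "score": 1,
    "label": [],
}

# Constructed variant: the same rule with the trailing ';' dropped from both return types
RULE_MISSING_SEMICOLONS = copy.deepcopy(RULE_OK)
for _api in RULE_MISSING_SEMICOLONS["api"]:
    _api["descriptor"] = _api["descriptor"].rstrip(";")

if __name__ == "__main__":
    for name, rule in (("ok", RULE_OK), ("missing ';'", RULE_MISSING_SEMICOLONS)):
        print(name, check_rule(rule) or "no findings")
```

check_rule covers the structural points that silently break a rule: a missing top-level key, an api list that is not a pair, a class name without the `L`/`;` wrapping, and a descriptor that does not parse as a method signature.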

Quark Script Result

  • Vuldroid.apk
$ python3 CWE-78.py
CWE-78 is detected in method, Lcom/vuldroid/application/RootDetection; onCreate (Landroid/os/Bundle;)V