Optimize the document of Quark Script CWE-22 #50

Open
wants to merge 1 commit into
base: main
55 changes: 25 additions & 30 deletions CWE-22/README.md
@@ -1,44 +1,38 @@
# Detect CWE-22 in Android Application

This scenario seeks to find **the improper limitation of a pathname to a
restricted directory ('Path Traversal')**.
This scenario seeks to find **the improper limitation of a pathname to a restricted directory (‘Path Traversal’)**.

## CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\'Path Traversal\')
## CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

We analyze the definition of CWE-22 and identify its characteristics.

See [CWE-22](https://cwe.mitre.org/data/definitions/22.html) for more
details.
See [CWE-22](https://cwe.mitre.org/data/definitions/22.html) for more details.

![image](https://imgur.com/agRPwp8.png)
![image](https://imgur.com/XnOUZsV.png)

## Code of CWE-22 in ovaa.apk

We use the [ovaa.apk](https://github.com/oversecured/ovaa) sample to
explain the vulnerability code of CWE-22.
We use the [ovaa.apk](https://github.com/oversecured/ovaa) sample to explain the vulnerability code of CWE-22.

![image](https://imgur.com/WFpfzFk.png)
![image](https://imgur.com/bgWgeT7.png)

## Quark Script: CWE-22.py
## CWE-22 Detection Process Using Quark Script API

Let's use the above APIs to show how the Quark script finds this
vulnerability.
![image](https://imgur.com/N69bQK2.png)

First, we design a detection rule `accessFileInExternalDir.json` to spot
behavior accessing a file in an external directory.
Let’s use the above APIs to show how the Quark script finds this vulnerability.

Next, we use API `methodInstance.getArguments()` to get the argument for
the file path and use `quarkResultInstance.isHardcoded(argument)` to
check if the argument is hardcoded into the APK. If No, the argument is
from external input.
First, we design a detection rule `accessFileInExternalDir.json` to spot behavior accessing a file in an external directory.

Finally, we use Quark API
`quarkResultInstance.findMethodInCaller(callerMethod, targetMethod)` to
check if there are any APIs in the caller method for string matching. If
NO, the APK does not neutralize special elements within the argument,
which may cause CWE-22 vulnerability.
Next, we use API `methodInstance.getArguments()` to get the argument for the file path and use `quarkResultInstance.isHardcoded(argument)` to check if the argument is hardcoded into the APK. If **No**, the argument is from external input.

``` python
Finally, we use Quark API `quarkResultInstance.findMethodInCaller(callerMethod, targetMethod)` to check if there are any APIs in the caller method for string matching. If **NO**, the APK does not neutralize special elements within the argument, which may cause CWE-22 vulnerability.

## Quark Scipt: CWE-22.py

![image](https://imgur.com/4b2e4tN.png)

```python
from quark.script import runQuarkAnalysis, Rule

SAMPLE_PATH = "ovaa.apk"
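Review bot: the renamed section heading `## Quark Scipt: CWE-22.py` misspells "Script"; since this hunk already rewrites that heading, correct it to `## Quark Script: CWE-22.py` here. The same hunk also mixes quote styles: the intro sentence now reads (‘Path Traversal’) with typographic quotes and "Let’s" uses a curly apostrophe, while the section heading keeps ('Path Traversal') with straight quotes; pick one form (straight quotes match the CWE title as MITRE writes it) and apply it to the whole file. One wording point in the new "Detection Process" paragraph: "If **No**, the argument is from external input" claims more than `isHardcoded` can establish, since a non-hardcoded argument is merely not a constant in the APK; "may come from external input" would state what the check actually shows.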
Expand All @@ -57,25 +51,26 @@ ruleInstance = Rule(RULE_PATH)
quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance)

for accessExternalDir in quarkResult.behaviorOccurList:

filePath = accessExternalDir.secondAPI.getArguments()[2]

if quarkResult.isHardcoded(filePath):
continue

caller = accessExternalDir.methodCaller
strMatchingAPIs = [
api
for api in STRING_MATCHING_API
if quarkResult.findMethodInCaller(caller, api)
api for api in STRING_MATCHING_API if quarkResult.findMethodInCaller(
caller, api)
]

if not strMatchingAPIs:
print(f"CWE-22 is detected in method, {caller.fullName}")
```

## Quark Rule: accessFileInExternalDir.json

``` json
![image](https://imgur.com/N2uKsZj.png)

```json
{
"crime": "Access a file in an external directory",
"permission": [],
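Review bot: the rewrapped list comprehension for `strMatchingAPIs` now splits the call across lines (`if quarkResult.findMethodInCaller(` / `caller, api)`), which reads worse than the three-line form it replaces (`api` / `for api in STRING_MATCHING_API` / `if quarkResult.findMethodInCaller(caller, api)`); suggest keeping the previous layout, or running the script through a formatter such as black so the wrap is consistent with the rest of the file. Since this PR is about the document's readability, a short comment above `filePath = accessExternalDir.secondAPI.getArguments()[2]` saying which API and which parameter index 2 refers to would also help tutorial readers follow the rule.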
Expand All @@ -98,7 +93,7 @@ for accessExternalDir in quarkResult.behaviorOccurList:

## Quark Script Result

``` TEXT
```
$ python3 CWE-22.py
CWE-22 is detected in method, Loversecured/ovaa/providers/TheftOverwriteProvider; openFile (Landroid/net/Uri; Ljava/lang/String;)Landroid/os/ParcelFileDescriptor;
```
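Review bot: this hunk drops the info string from the result fence (``` TEXT becomes a bare ```), leaving the block untagged; because it shows a shell session (`$ python3 CWE-22.py` followed by its output), tag it as ```console (or ```text if no highlighting is wanted), using a lowercase tag consistent with the `python` and `json` fences elsewhere in the file.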