Optimize the document of Quark Script CWE-319, 327, and 328

[JerryTasi]

Detect CWE-319 in Android Application

This scenario seeks to find Cleartext Transmission of Sensitive Information in the APK file.

CWE-319 Cleartext Transmission of Sensitive Information

We analyze the definition of CWE-319 and identify its characteristics.

See CWE-319 for more details.

Code of CWE-319 in ovaa.apk

We use the ovaa.apk sample to explain the vulnerability code of CWE-319.

CWE-319 Detection Process Using Quark Script API

Let’s use the above APIs to show how the Quark script finds this vulnerability. This sample uses the package Retrofit to request Web APIs, but the APIs use cleartext protocols.

We first design a detection rule setRetrofitBaseUrl.json to spot on behavior that sets the base URL of the Retrofit instance. Then, we loop through a custom list of cleartext protocol schemes and use API behaviorInstance.hasString(pattern, isRegex) to filter if there are arguments that are URL strings with cleartext protocol.

If the answer is YES, CWE-319 vulnerability is caused.

Quark Script: CWE-319.py

from quark.script import runQuarkAnalysis, Rule

SAMPLE_PATH = "./ovaa.apk"
RULE_PATH = "setRetrofitBaseUrl.json"

PROTOCOL_KEYWORDS = [
    "http",
    "smtp",
    "ftp"
]


ruleInstance = Rule(RULE_PATH)
quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance)

for setRetrofitBaseUrl in quarkResult.behaviorOccurList:
    for protocol in PROTOCOL_KEYWORDS:

        regexRule = f"{protocol}://[0-9A-Za-z./-]+"
        cleartextProtocolUrl = setRetrofitBaseUrl.hasString(regexRule, True)

        if cleartextProtocolUrl:
            print(f"CWE-319 detected!")
            print(f"Here are the found URLs with cleartext protocol:")
            print("\n".join(cleartextProtocolUrl))

Quark Rule: setRetrofitBaseUrl.json

{
    "crime": "Set Retrofit Base Url",
    "permission": [],
    "api":
    [
        {
            "descriptor": "()V",
            "class": "Lretrofit2/Retrofit$Builder;",
            "method": "<init>"
        },
        {
            "descriptor": "(Ljava/lang/String;)Lretrofit2/Retrofit$Builder;",
            "class": "Lretrofit2/Retrofit$Builder;",
            "method": "baseUrl"
        }
    ],
    "score": 1,
    "label": []
}

Quark Script Result

$ python3 CWE-319.py
CWE-319 detected!
Here are the found URLs with cleartext protocol:
http://example.com./api/v1/

Detect CWE-327 in Android Application

This scenario seeks to find Use of a Broken or Risky Cryptographic Algorithm in the APK file.

CWE-327 Use of a Broken or Risky Cryptographic Algorithm

We analyze the definition of CWE-327 and identify its characteristics.

See CWE-327 for more details.

Code of CWE-327 in InjuredAndroid.apk

We use the InjuredAndroid.apk sample to explain the vulnerability code of CWE-327.

CWE-327 Detection Process Using Quark Script API

Let’s use the above APIs to show how the Quark script finds this vulnerability.

We first design a detection rule useOfCryptographicAlgo.json to spot on behavior using cryptographic algorithms. Then, we use API behaviorInstance.hasString(pattern, isRegex) with a list to check if the algorithm is risky. If YES, that may cause the exposure of sensitive data.

Quark Script CWE-327.py

from quark.script import runQuarkAnalysis, Rule

SAMPLE_PATH = "InjuredAndroid.apk"
RULE_PATH = "useOfCryptographicAlgo.json"

WEAK_ALGORITHMS = ["DES", "ARC4", "BLOWFISH"]

ruleInstance = Rule(RULE_PATH)
quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance)

for useCryptoAlgo in quarkResult.behaviorOccurList:

    caller = useCryptoAlgo.methodCaller

    for algo in WEAK_ALGORITHMS:
        if useCryptoAlgo.hasString(algo):
            print(f"CWE-327 is detected in method, {caller.fullName}")

Quark Rule: useOfCryptographicAlgo.json

{
    "crime": "Use of cryptographic algorithm",
    "permission": [],
    "api": [
        {
            "class": "Ljavax/crypto/Cipher;",
            "method": "getInstance",
            "descriptor": "(Ljava/lang/String;)Ljavax/crypto/Cipher"
        },
        {
            "class": "Ljavax/crypto/Cipher;",
            "method": "init",
            "descriptor": "(I Ljava/security/Key;)V"
        }
    ],
    "score": 1,
    "label": []
}

Quark Script Result

$ python3 CWE-327.py
CWE-327 is detected in method, Lb3nac/injuredandroid/k; b (Ljava/lang/String;)Ljava/lang/String;
CWE-327 is detected in method, Lb3nac/injuredandroid/k; a (Ljava/lang/String;)Ljava/lang/String;

Detect CWE-328 in Android Application

This scenario seeks to find the Use of Weak Hash.

CWE-328 Use of Weak Hash

We analyze the definition of CWE-328 and identify its characteristics.

See CWE-328 for more details.

Code of CWE-328 in allsafe.apk

We use the allsafe.apk sample to explain the vulnerability code of CWE-328.

CWE-328 Detection Process Using Quark Script API

Let's use the above APIs to show how the Quark script finds this vulnerability.

First, we use API findMethodInAPK(samplePath, targetMethod) to find the method MessageDigest.getInstance() or SecretKeyFactory.getInstance(). Next, we use API methodInstance.getArguments() with a list to check if the method uses weak hashing algorithms. If YES, that causes CWE-328 vulnerability.

Quark Script: CWE-328.py

from quark.script import findMethodInAPK

SAMPLE_PATH = "./allsafe.apk"

TARGET_METHODS = [
    [
        "Ljava/security/MessageDigest;",
        "getInstance",
        "(Ljava/lang/String;)Ljava/security/MessageDigest;",
    ],
    [
        "Ljavax/crypto/SecretKeyFactory;",
        "getInstance",
        "(Ljava/lang/String;)Ljavax/crypto/SecretKeyFactory;",
    ],
]

HASH_KEYWORDS = [
    "MD2",
    "MD4",
    "MD5",
    "PANAMA",
    "SHA0",
    "SHA1",
    "HAVAL128",
    "RIPEMD128",
]

methodsFound = []
for target in TARGET_METHODS:
    methodsFound += findMethodInAPK(SAMPLE_PATH, target)

for setHashAlgo in methodsFound:
    algoName = setHashAlgo.getArguments()[0].replace("-", "")

    if any(keyword in algoName for keyword in HASH_KEYWORDS):
        print(
            f"CWE-328 is detected in {SAMPLE_PATH},\n\t"
            f"and it occurs in method, {setHashAlgo.fullName}"
        )

Quark Script Result

$ python3 CWE-328.py
CWE-328 is detected in ./allsafe.apk,
        and it occurs in method, Linfosecadventures/allsafe/challenges/SQLInjection; md5 (Ljava/lang/String;)Ljava/lang/String;
CWE-328 is detected in ./allsafe.apk,
        and it occurs in method, Linfosecadventures/allsafe/challenges/WeakCryptography; md5Hash (Ljava/lang/String;)Ljava/lang/String;
CWE-328 is detected in ./allsafe.apk,
        and it occurs in method, Lcom/google/firebase/database/core/utilities/Utilities; sha1HexDigest (Ljava/lang/String;)Ljava/lang/String;

[zinwang]

LGTM!

[zinwang]

Refer to #64