This scenario seeks to find **External Control of File Name or Path**. See
2096
-
`CWE-73 <https://cwe.mitre.org/data/definitions/73.html>`__ for more
2097
-
details.
2095
+
This scenario seeks to find **External Control of File Name or Path** in the APK file.
2096
+
2097
+
CWE-73 External Control of File Name or Path
2098
+
=============================================
2099
+
2100
+
We analyze the definition of CWE-73 and identify its characteristics.
2101
+
2102
+
See `CWE-73 <https://cwe.mitre.org/data/definitions/73.html>`_ for more details.
2103
+
2104
+
.. image:: https://imgur.com/ES7xg5X.png
2105
+
2106
+
Code of CWE-73 in ovaa.apk
2107
+
===========================
2108
+
2109
+
We use the `ovaa.apk <https://github.com/oversecured/ovaa>`_ sample to explain the vulnerability code of CWE-73.
2110
+
2111
+
.. image:: https://imgur.com/9oa1HIC.png
2112
+
2113
+
Quark Scipt: CWE-73.py
2114
+
=======================
2115
+
2116
+
Let’s use the above APIs to show how Quark script find this vulnerability.
2098
2117
2099
2118
First, we design a detection rule ``accessFileInExternalDir.json`` to spot behavior accessing a file in an external directory.
2100
2119
2101
2120
Second, we use API ``methodInstance.getArguments()`` to get the argument for the file path and use ``quarkResultInstance.isHardcoded(argument)`` to check if the argument is hardcoded into the APK. If **No**, the argument is from external input.
2102
2121
2103
2122
Finally, we use Quark API ``quarkResultInstance.findMethodInCaller(callerMethod, targetMethod)`` to check if any APIs in the caller method for opening files. If **YES**, the APK performs file operations using external input as a path, which may cause CWE-73 vulnerability.
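Review bot: The added heading "Quark Scipt: CWE-73.py" misspells "Script", and the sentence under it should read "how Quark script finds this vulnerability". Both new ``.. image::`` directives point at imgur and carry no ``:alt:`` option, so the CWE-73 definition and the ovaa.apk code are lost to readers if the image host is unreachable; add alt text, or include the vulnerable code as a literal block. In the unchanged steps that follow, "If **No**, the argument is from external input" claims more than ``isHardcoded`` can show, since a non-hardcoded argument is only known not to be a constant; "may come from external input" would match the check. The last step, "to check if any APIs in the caller method for opening files", is missing a verb (for example "are used").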