R2 lib

.github/workflows/pytest.yml

@@ -26,7 +26,7 @@ jobs:
     - name: Install dependencies
       run: |
         python -m pip install --upgrade pip
-        python -m pip install pytest rzpipe meson==0.62.0 ninja coverage ciphey frida objection
+        python -m pip install pytest rzpipe meson==0.62.0 ninja coverage ciphey frida objection r2pipe==1.8.0
 
         # Install graphviz & ninja
         sudo apt-get -y install graphviz ninja-build
@@ -39,6 +39,14 @@ jobs:
         sudo ninja -C build install
         sudo ldconfig -v
         cd -
+
+        # Install Radare2 (5.8.8)
+        sudo apt install -y musl-tools
+        sudo git clone https://github.com/radareorg/radare2 /opt/radare2/
+        cd /opt/radare2/
+        sudo git checkout 5.8.8
+        sudo sys/install.sh
+        cd -
 
         # Install click >= 8.0.0 for CLI supports
         python -m pip install click==8.0.3

Pipfile

@@ -25,6 +25,7 @@ rzpipe = "<=0.1.2"
 objection = "<=1.11.0"
 frida = "<=15.2.2"
 ciphey = ">=5.0.0,<=5.14.0"
+r2pipe = "==1.8.0"
 
 [requires]
 python_version = "3.8"

README.md

@@ -61,6 +61,7 @@
 *   [CWE-088](https://quark-engine.readthedocs.io/en/latest/quark_script.html#detect-cwe-88-in-android-application-vuldroid-apk)  Improper Neutralization of Argument Delimiters in a Command
 *   [CWE-089](https://quark-engine.readthedocs.io/en/latest/quark_script.html#detect-cwe-89-in-android-application-androgoat-apk)  Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') 
 *   [CWE-094](https://quark-engine.readthedocs.io/en/latest/quark_script.html#detect-cwe-94-in-android-application-ovaa-apk)  Improper Control of Generation of Code ('Code Injection') 
+*   [CWE-117](https://quark-engine.readthedocs.io/en/latest/quark_script.html#detect-cwe-117-in-android-application-allsafe-apk)  Improper Output Neutralization for Logs 
 *   [CWE-295](https://quark-engine.readthedocs.io/en/latest/quark_script.html#detect-cwe-295-in-android-application-insecureshop-apk)  Improper Certificate Validation 
 *   [CWE-312](https://quark-engine.readthedocs.io/en/latest/quark_script.html#detect-cwe-312-in-android-application-ovaa-apk)  Cleartext Storage of Sensitive Information 
 *   [CWE-319](https://quark-engine.readthedocs.io/en/latest/quark_script.html#detect-cwe-319-in-android-application-ovaa-apk)  Cleartext Transmission of Sensitive Information 
@@ -74,7 +75,8 @@
 *   [CWE-798](https://quark-engine.readthedocs.io/en/latest/quark_script.html#detect-cwe-798-in-android-application-ovaa-apk)  Use of Hard-coded Credentials 
 *   [CWE-921](https://quark-engine.readthedocs.io/en/latest/quark_script.html#detect-cwe-921-in-android-application-ovaa-apk)  Storage of Sensitive Data in a Mechanism without Access Control 
 *   [CWE-925](https://quark-engine.readthedocs.io/en/latest/quark_script.html#detect-cwe-925-in-android-application-insecurebankv2-androgoat)  Improper Verification of Intent by Broadcast Receiver
-*   [CWE-926](https://quark-engine.readthedocs.io/en/latest/quark_script.html#detect-cwe-926-in-android-application-dvba-apk)  Improper Export of Android Application Components 
+*   [CWE-926](https://quark-engine.readthedocs.io/en/latest/quark_script.html#detect-cwe-926-in-android-application-dvba-apk)  Improper Export of Android Application Components
+*   [CWE-940](https://quark-engine.readthedocs.io/en/latest/quark_script.html#detect-cwe-940-in-android-application-ovaa-vuldroid)  Improper Verification of Source of a Communication Channel 
 
 # Quick Start
 

docs/source/index.rst

@@ -20,6 +20,7 @@ This guide will explain how to set up Quark, use it, and customize it.
 
    install_index
    quark_script
+   visual_quark_script_program
    quark_mit_program
    quark_reports
    addRules

docs/source/quark_script.rst

@@ -2081,3 +2081,158 @@ Quark Script Result
     $ python3 CWE-78.py
     CWE-78 is detected in method, Lcom/vuldroid/application/RootDetection; onCreate (Landroid/os/Bundle;)V
 
+
+
+Detect CWE-117 in Android Application (allsafe.apk)
+------------------------------------------------------
+This scenario seeks to find **Improper Output Neutralization for Logs**. See `CWE-117 <https://cwe.mitre.org/data/definitions/117.html>`_ for more details.
+
+Let’s use this `APK <https://github.com/t0thkr1s/allsafe>`_ and the above APIs to show how the Quark script finds this vulnerability.
+
+First, we design a detection rule ``writeContentToLog.json`` to spot on behavior using the method that writes contents to the log file.
+
+Then, we use ``behaviorInstance.getParamValues()`` to get all parameter values of this method. And we check if these parameters contain keywords of APIs for neutralization, such as escape, replace, format, and setFilter.
+
+If the answer is **YES**, that may result in secret context leakage into the log file, or the attacker may perform log forging attacks.
+
+Quark Script CWE-117.py
+==========================
+
+.. code-block:: python
+
+    from quark.script import Rule, runQuarkAnalysis
+
+    SAMPLE_PATH = "allsafe.apk"
+    RULE_PATH = "writeContentToLog.json"
+    KEYWORDS_FOR_NEUTRALIZATION = ["escape", "replace", "format", "setFilter"]
+
+    ruleInstance = Rule(RULE_PATH)
+    quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance)
+
+    for logOutputBehavior in quarkResult.behaviorOccurList:
+
+        secondAPIParam = logOutputBehavior.getParamValues()[1]
+
+        isKeywordFound = False
+        for keyword in KEYWORDS_FOR_NEUTRALIZATION:
+            if keyword in secondAPIParam:
+                isKeywordFound = True
+                break
+
+        if not isKeywordFound:
+            print(f"CWE-117 is detected in method,{secondAPIParam}")
+
+Quark Rule: writeContentToLog.json
+==============================================
+
+.. code-block:: json
+
+    {
+        "crime": "Write contents to the log.",
+        "permission": [],
+        "api": [
+            {
+                "descriptor": "()Landroid/text/Editable;",
+                "class": "Lcom/google/android/material/textfield/TextInputEditText;",
+                "method": "getText"
+            },
+            {
+                "descriptor": "(Ljava/lang/String;Ljava/lang/String;)I",
+                "class": "Landroid/util/Log;",
+                "method": "d"
+            }
+        ],
+        "score": 1,
+        "label": []
+    }
+
+Quark Script Result
+======================
+- **allsafe.apk**
+
+.. code-block:: TEXT
+
+    $ python CWE-117.py
+    CWE-117 is detected in method,Ljava/lang/StringBuilder;->toString()Ljava/lang/String;(Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;(Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;(Ljava/lang/StringBuilder;-><init>()V(Ljava/lang/StringBuilder;),User entered secret: ),Ljava/lang/Object;->toString()Ljava/lang/String;(Lcom/google/android/material/textfield/TextInputEditText;->getText()Landroid/text/Editable;())))
+
+Detect CWE-940 in Android Application (ovaa,Vuldroid)
+------------------------------------------------------
+This scenario aims to demonstrate the detection of the **Improper Verification of Source of a Communication Channel** vulnerability using `ovaa.apk <https://github.com/oversecured/ovaa>`_ and `Vuldroid.apk <https://github.com/jaiswalakshansh/Vuldroid>`_. See `CWE-940 <https://cwe.mitre.org/data/definitions/940.html>`_  for more details.
+
+To begin with, we create a detection rule named ``LoadUrlFromIntent.json`` to identify behavior that loads url from intent data to the WebView.
+
+Next, we retrieve the methods that pass the url. Following this, we check if these methods are only for setting intent, such as findViewById, getStringExtra, or getIntent.
+
+If **NO**, it could imply that the APK uses communication channels without proper verification, which may cause CWE-940 vulnerability.
+
+Quark Script CWE-940.py
+==========================
+
+The Quark Script below uses ovaa.apk to demonstrate. You can change the ``SAMPLE_PATH`` to the sample you want to detect. For example,  ``SAMPLE_PATH = "Vuldroid.apk"``.
+
+
+.. code-block:: python
+
+    from quark.script import runQuarkAnalysis, Rule
+
+    SAMPLE_PATH = "ovaa.apk"
+    RULE_PATH = "LoadUrlFromIntent.json"
+
+    INTENT_SETTING_METHODS = [
+        "findViewById",
+        "getStringExtra",
+        "getIntent",
+    ]
+
+    ruleInstance = Rule(RULE_PATH)
+
+    quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance)
+
+    for behaviorInstance in quarkResult.behaviorOccurList:
+        methodsInArgs = behaviorInstance.getMethodsInArgs()
+
+        verifiedMethodCandidates = []
+
+        for method in methodsInArgs:
+            if method.methodName not in INTENT_SETTING_METHODS:
+                verifiedMethodCandidates.append(method)
+
+        if verifiedMethodCandidates == []:
+            caller = behaviorInstance.methodCaller.fullName
+            print(f"cwe-940 is detected in method, {caller}")
+
+
+
+Quark Rule: LoadUrlFromIntent.json
+==============================================
+
+.. code-block:: json
+
+    {
+        "crime": "Load Url from Intent and open WebView",
+        "permission": [],
+        "api": [
+            {
+                "class": "Landroid/content/Intent;",
+                "method": "getStringExtra",
+                "descriptor": "(Ljava/lang/String;)Ljava/lang/String"
+            },
+            {
+                "class": "Landroid/webkit/WebView;",
+                "method": "loadUrl",
+                "descriptor": "(Ljava/lang/String;)V"
+            }
+        ],
+        "score": 1,
+        "label": []
+    }
+
+Quark Script Result
+======================
+- **ovaa.apk**
+
+.. code-block:: TEXT
+
+    $ python CWE-940.py
+    CWE-940 is detected in method, Loversecured/ovaa/activities/WebViewActivity; onCreate (Landroid/os/Bundle;)V
+

docs/source/visual_quark_script_program.rst

@@ -0,0 +1,22 @@
+++++++++++++++++++++++++++++
+Visual Quark Script Program
+++++++++++++++++++++++++++++
+
+Introduction of the Program
+----------------------------
+
+Quark Script is a powerful tool for detecting and analyzing mobile security. However, it can be complex and challenging for user who are not familiar with programming. To overcome this challenge, we are pleased to announce our plan to develop a visual programming tool that simplifies the Quark Script organization process, making it easy for anyone to organize Quark Script using a simple UI interface.
+
+Goal of the Program
+--------------------
+
+We aim to make Quark Script programming accessible to everyone and remove the barriers that often come with traditional programming languages. So we design a new visual tool for Quark Script organization. It would be more intuitive, time-saving, and effort-saving for users, even if they are not familiar with programming.
+
+Web Design Layout
+------------------
+
+The initial draft of the web design is as below.
+
+Design by: `@Commuter95 <https://github.com/Commuter95>`_
+
+.. image:: https://github.com/quark-engine/quark-engine/assets/16009212/053d62e2-181a-4fb1-96d7-95fe59809dc3

quark/__init__.py

@@ -1 +1 @@
-__version__ = "23.7.1"
+__version__ = "23.8.1"

quark/cli.py

@@ -133,7 +133,7 @@
     "--core-library",
     "core_library",
     help="Specify the core library used to analyze an APK",
-    type=click.Choice(("androguard", "rizin"), case_sensitive=False),
+    type=click.Choice(("androguard", "rizin", "radare2"), case_sensitive=False),
     required=False,
     default="androguard",
 )