Optimize the document of Quark Script CWE-312 and CWE-798 (#48)
JerryTasi authored Jan 22, 2025
1 parent 2bb149e commit 5882cef
Showing 4 changed files with 44 additions and 46 deletions.
5 changes: 2 additions & 3 deletions .github/workflows/testQuarkScript.yml
@@ -9,7 +9,7 @@ on:
jobs:
build:

runs-on: ubuntu-latest
runs-on: ubuntu-22.04


steps:
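Review bot: the move from `ubuntu-latest` to `ubuntu-22.04` on the `runs-on` line pins the runner image without recording why; neither the workflow nor the commit message (which only mentions the two READMEs) says what broke on the rolling label. Add a one-line comment above `runs-on: ubuntu-22.04` naming the dependency that needs 22.04, so the pin is revisited when that image is retired instead of staying in place by default.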
@@ -57,7 +57,7 @@ jobs:
git clone "https://github.com/quark-engine/apk-samples.git"
mv -vn $GITHUB_WORKSPACE/CWE-*/CWE-*.py test_ground/
mv -vn $GITHUB_WORKSPACE/CWE-*/*.json test_ground/
mv -vn $GITHUB_WORKSPACE/CWE-*/*.js test_ground/
# mv -vn $GITHUB_WORKSPACE/CWE-*/*.js test_ground/
mv -vn ./apk-samples/vulnerable-samples/*.apk test_ground/
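Review bot: commenting out `mv -vn $GITHUB_WORKSPACE/CWE-*/*.js test_ground/` leaves dead configuration in the workflow. The same commit removes `CWE-312/agent.js` and the CWE-312 README now points readers at the copy in `quark/script/frida` of quark-engine, so the line should either be deleted or carry a short comment stating that the Frida agent is no longer kept in the scenario directories. The change itself is needed: with no `.js` file left to match, the glob would reach `mv` unexpanded and the step would fail, which is exactly the kind of intent worth writing down rather than leaving for the next reader to reconstruct.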

@@ -74,4 +74,3 @@ jobs:
echo $line
fi
done
41 changes: 20 additions & 21 deletions CWE-312/README.md
@@ -1,37 +1,36 @@
# Detect CWE-312 in Android Application

This scenario seeks to find **cleartext storage of sensitive data** in the APK file.

This scenario seeks to find **cleartext storage of sensitive data** in
the APK file.

## CWE-312 Cleartext Storage of Sensitive Information
## CWE-312: Cleartext Storage of Sensitive Information

We analyze the definition of CWE-312 and identify its characteristics.

See [CWE-312](https://cwe.mitre.org/data/definitions/312.html) for more
details.
See [CWE-312](https://cwe.mitre.org/data/definitions/312.html) for more details.

![image](https://i.imgur.com/cy2EiZx.jpg)
![image](https://imgur.com/mD2uXUy.jpg)

## Code of CWE-312 in ovaa.apk

We use the [ovaa.apk](https://github.com/oversecured/ovaa) sample to
explain the vulnerability code of CWE-312.
We use the [ovaa.apk](https://github.com/oversecured/ovaa) sample to explain the vulnerability code of CWE-312.

![image](https://imgur.com/MfnYIYy.jpg)

## CWE-312 Detection Process Using Quark Script API

Let’s use the above APIs to show how the Quark script finds this vulnerability.

![image](https://i.imgur.com/KsFsxTu.jpg)
We have designed a [Frida](https://frida.re/) script ``agent.js`` to hook a specified method and get the arguments when the method is called. It can be found in [quark-engine/quark/script/frida](https://github.com/quark-engine/quark-engine/tree/master/quark/script/frida).

To begin with, we hook the method ``putString`` to catch its arguments. Then, we check if sensitive information like email or password is passed. Finally, we use ``checkClearText`` imported from [Ares](https://github.com/bee-san/Ares) to check if the arguments are cleartext. If both **YES**, CWE-312 vulnerability might be caused.

## Quark Script CWE-312.py
![image](https://imgur.com/eNjm3ES.jpg)

Let\'s use the above APIs to show how the Quark script finds this
vulnerability.
## Quark Script: CWE-312.py

First, we designed a [Frida](https://frida.re) script `agent.js` to hook
the target method and get the arguments when the target method is
called. Then we hook the method `putString` to catch its arguments.
Finally, we use [Ares](https://github.com/bee-san/Ares) to check if
the arguments are encrypted.
![image](https://imgur.com/rxMPZX8.jpg)

``` python
```python
from quark.script.frida import runFridaHook
from quark.script.ares import checkClearText
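Review bot: the new detection paragraph ends with "If both **YES**, CWE-312 vulnerability might be caused.", which lacks a verb and an article; suggest "If both answers are **YES**, a CWE-312 vulnerability may be present." The same paragraph says we "check if sensitive information like email or password is passed" without saying how the script decides that an argument is sensitive, and the removed text only said that Ares checks whether the arguments are encrypted; one clause naming the criterion (the key handed to `putString`, a pattern on the value, or both) would let a reader connect the prose to the `checkClearText` call in the script below.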

@@ -62,7 +61,7 @@ for putString in fridaResult.behaviorOccurList:

## Frida Script: agent.js

``` javascript
```javascript
// -*- coding: utf-8 -*-
// This file is part of Quark-Engine - https://github.com/quark-engine/quark-engine
// See the file 'LICENSE' for copying permission.
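Review bot: the `## Frida Script: agent.js` section still embeds the agent source under this fence, while the same commit deletes `CWE-312/agent.js` and the detection paragraph above tells readers the script lives in `quark/script/frida` of quark-engine. Either keep the embedded copy and say it is reproduced from there, so readers know which one is authoritative if the two diverge, or replace the section with the link. The fence change from ``` javascript to ```javascript is a harmless normalisation and matches the other fences in the file.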
@@ -125,7 +124,7 @@ rpc.exports["watchMethodCall"] = (classAndMethodName, methodParamTypes) => watch

## Quark Script Result

``` TEXT
```TEXT
$ python3 CWE-312.py
The CWE-312 vulnerability is found. The cleartext is "test@email.com"
The CWE-312 vulnerability is found. The cleartext is "password"
Empty file removed CWE-312/agent.js
44 changes: 22 additions & 22 deletions CWE-798/README.md
@@ -1,36 +1,35 @@
# Detect CWE-798 in Android Application

This scenario seeks to find hard-coded credentials in the APK file.
This scenario seeks to find **hard-coded credentials** in the APK file.

## CWE-798 Use of Hard-coded Credentials
## CWE-798: Use of Hard-coded Credentials

We analyze the definition of CWE-798 and identify its characteristics.

See [CWE-798](https://cwe.mitre.org/data/definitions/798.html) for more
details.
See [CWE-798](https://cwe.mitre.org/data/definitions/798.html) for more details.

![image](https://i.imgur.com/0G9APpf.jpg)
![image](https://imgur.com/rF8J8hE.png)

## Code of CWE-798 in ovaa.apk

We use the [ovaa.apk](https://github.com/oversecured/ovaa) sample to
explain the vulnerability code of CWE-798.
We use the [ovaa.apk](https://github.com/oversecured/ovaa) sample to explain the vulnerability code of CWE-798.

![image](https://i.imgur.com/ikaJlDW.jpg)
![image](https://imgur.com/Cg7DacP.png)

## Quark Script: CWE-798.py

Let\'s use the above APIs to show how the Quark script finds this
vulnerability.
## CWE-798 Detection Process Using Quark Script API

![image](https://imgur.com/R8CfDqD.png)

Let’s use the above APIs to show how the Quark script finds this vulnerability.

First, we design a detection rule ``findSecretKeySpec.json`` to spot on behavior using the constructor ``SecretKeySpec``. Second, we get all the parameter values from this constructor. Then, we parse the AES key from the parameter values. Finally, we check if the AES key is hardcoded in the APK file. If the answer is **YES**, BINGO!!! We find hard-coded credentials in the APK file.

First, we design a detection rule `findSecretKeySpec.json` to spot on
behavior using the method `SecretKeySpec`. Then, we get all the
parameter values that are input to this method. And we parse the AES key
out of the parameter values. Finally, we check if the AES key is
hardcoded in the APK file. If the answer is YES, BINGO!!! We find
hard-coded credentials in the APK file.
## Quark Script: CWE-798.py

![image](https://imgur.com/IOyrqDc.png)

``` python
```python
import re
from quark.script import runQuarkAnalysis, Rule
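Review bot: in the new detection paragraph, "to spot on behavior using the constructor `SecretKeySpec`" should read "to spot the behavior of calling the `SecretKeySpec` constructor", and "we get all the parameter values from this constructor" reads more naturally as "passed to this constructor". The last step, "we check if the AES key is hardcoded in the APK file", is the one that actually decides the finding yet is the only one left unexplained; since the script imports `re`, a clause saying what the key material is matched against (for example, that the argument is a string literal rather than a value derived at runtime) would make the rule's logic verifiable from the prose alone.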

@@ -54,7 +53,9 @@ for secretKeySpec in quarkResult.behaviorOccurList:

## Quark Rule: findSecretKeySpec.json

``` json
![image](https://imgur.com/2BYOE70.png)

```json
{
"crime": "Detect APK using SecretKeySpec.",
"permission": [],
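Review bot: the `![image](https://imgur.com/2BYOE70.png)` added above the `findSecretKeySpec.json` fence duplicates as a screenshot the JSON that follows, which is the rule the script actually runs. If the picture annotates the rule, give it alt text that says so instead of the generic `image`; otherwise drop it and let the fenced JSON stand. More generally, every illustration in both READMEs is hosted on imgur: screenshots of code and rules are not searchable or diffable, and an external host can disappear, so consider committing the images to the repository and treating the fenced text as the primary artifact.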
@@ -77,8 +78,7 @@ for secretKeySpec in quarkResult.behaviorOccurList:

## Quark Script Result

``` TEXT
$ python3 findSecretKeySpec.py
```TEXT
$ python3 CWE-798.py
Found hard-coded AES key 49u5gh249gh24985ghf429gh4ch8f23f
```
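Review bot: changing the invocation from `python3 findSecretKeySpec.py` to `python3 CWE-798.py` fixes a real mismatch, since the script heading is `CWE-798.py` and `findSecretKeySpec.json` is the rule, not a script. While touching the fence, use the lowercase info string `text` rather than `TEXT`, matching the `python` and `json` tags used earlier in the file.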
