Exodus-Privacy / exodus-core

Core functionality of εxodus
GNU Affero General Public License v3.0
18 stars 17 forks

Command injection with malicious apk #7

Closed jvoisin closed 5 years ago

jvoisin commented 6 years ago

Hello,

there is a command injection in the get_embedded_classes method. A malicious APK with a file named classes.;id;.dex will result in the execution of the id binary in the context of the exodus-core process.

I would recommend using glob instead, and to defer all the post-processing of the dexdump command to Python, instead of using Perl, uniq and sort.

I might submit a patch to fix this later this week-end ♥

peterstory commented 5 years ago

@jvoisin Could you post a simple demonstration of this command injection attack? For example, something like the following (though my example doesn't work, because I don't understand how to replicate this attack):

echo "classes.;id;.dex" | perl -n -e'/[A-Z]+((?:\w+\/)+\w+)/ && print "$1\n"'

jvoisin commented 5 years ago

The * in '%s %s/classes*.dex | perl -n -e\'/[A-Z]+((?:\w+\/)+\w+)/ && print "$1\n"\'|sort|uniq' will be expanded by the shell.

peterstory commented 5 years ago

I tried to replicate this, and I wasn't able to. I think the shell treats classes.;id;.dex as a single string, which means that your attack doesn't work. Now, it might be possible to craft a different attack if the attacker had control over the start of the path, as in this example, and if dexdump had dangerous arguments: http://seclists.org/fulldisclosure/2014/Jun/121 But that isn't the case here, so I don't think there's actually a vulnerability.

# mkdir exploit_dir
# cp classes.dex exploit_dir/classes.\;id\;.dex
classes.;id;.dex
# ls exploit_dir/
classes.;id;.dex
# dexdump exploit_dir/classes*.dex | perl -n -e'/[A-Z]+((?:\w+\/)+\w+)/ && print "$1\n"' | sort | uniq | head
a/a/a/a/a
a/a/a/a/a/a
a/a/a/a/a/b
a/a/a/a/a/c
a/a/a/a/a/d
a/a/a/a/a/e
a/a/a/a/a/f
a/a/a/a/a/g
a/a/a/a/a/h
a/a/a/a/a/i
# dexdump exploit_dir/classes*.dex | perl -n -e'/[A-Z]+((?:\w+\/)+\w+)/ && print "$1\n"' | sort | uniq | tail
pl/droidsonroids/gif/d
pl/droidsonroids/gif/e
pl/droidsonroids/gif/f
pl/droidsonroids/gif/g
pl/droidsonroids/gif/GifImageView
pl/droidsonroids/gif/GifInfoHandle
pl/droidsonroids/gif/GifIOException
pl/droidsonroids/gif/GifViewSavedState
pl/droidsonroids/gif/h
pl/droidsonroids/gif/i
# echo $SHELL
/bin/bash

jvoisin commented 5 years ago

You're right, I stand corrected, thank you for spending your time checking this ♥

Sorry for the noise.

peterstory commented 5 years ago

No problem! It was a good opportunity to refresh my memory on shell-related exploits!
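The thread ends with agreement that glob expansion does not re-parse `;` in a file name, so the original pipeline is not injectable that way. The restructuring jvoisin proposed in his first comment (glob from Python, no shell pipeline, do the Perl/sort/uniq post-processing in Python) is still the cleaner design, because it removes the shell from the data path entirely and also keeps a dex file name that starts with `-` from ever reaching dexdump as an option (the absolute directory prefix guarantees every argument starts with `/`). The following is an added example written for this thread, not code from exodus-core; it assumes a `dexdump` binary on PATH that accepts several .dex files as positional arguments, the function names are hypothetical, and the dexdump output used by the test is a constructed sample that only mimics the `Class descriptor` lines.

```python
import glob
import os
import re
import subprocess
import tempfile
from typing import List

# Same pattern as the Perl one-liner in the issue: a run of upper-case
# letters (the 'L' of a JVM type descriptor) followed by a slash-separated
# path, e.g. 'Lpl/droidsonroids/gif/GifImageView;' -> pl/droidsonroids/gif/GifImageView
CLASS_PATH_RE = re.compile(r"[A-Z]+((?:\w+/)+\w+)")


def extract_class_paths(dexdump_output: str) -> List[str]:
    """Replacement for `perl -n -e'...' | sort | uniq`, done in Python.

    Takes the first match on each line (as perl -n with a single regex
    does) and returns the de-duplicated paths in sorted order.
    """
    found = set()
    for line in dexdump_output.splitlines():
        m = CLASS_PATH_RE.search(line)
        if m:
            found.add(m.group(1))
    return sorted(found)


def dex_paths(apk_dir: str) -> List[str]:
    """Python-side replacement for the shell's classes*.dex expansion.

    Using an absolute directory prefix means no resulting argument can
    begin with '-', so a hostile file name cannot be read as a dexdump
    option; and because the list is handed to subprocess without a shell,
    characters such as ';' or '$' in a name are never interpreted.
    """
    pattern = os.path.join(os.path.abspath(apk_dir), "classes*.dex")
    return sorted(glob.glob(pattern))


def get_embedded_classes(apk_dir: str, dexdump: str = "dexdump") -> List[str]:
    """Run dexdump over every classes*.dex in apk_dir (argv list, no shell)
    and return the sorted, unique class paths it reports.

    Assumes dexdump is on PATH and accepts multiple .dex files.
    """
    paths = dex_paths(apk_dir)
    if not paths:
        return []
    result = subprocess.run(
        [dexdump] + paths,          # list form: no shell parsing at all
        capture_output=True,
        text=True,
        check=True,
    )
    return extract_class_paths(result.stdout)


def demo_hostile_filename() -> List[str]:
    """Create a scratch directory holding a file named like the one in this
    issue (constructed sample) and return the base names dex_paths selects.
    Shows that the glob matches the odd name but nothing ever executes it."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("classes.;id;.dex", "classes2.dex", "README.dex"):
            open(os.path.join(d, name), "w").close()
        return [os.path.basename(p) for p in dex_paths(d)]


# Constructed sample of dexdump-style output; only the descriptor lines matter.
SAMPLE_DEXDUMP_OUTPUT = """\
Class #0            -
  Class descriptor  : 'Lpl/droidsonroids/gif/GifImageView;'
  Access flags      : 0x0001 (PUBLIC)
Class #1            -
  Class descriptor  : 'La/a/a/a/a;'
  Class descriptor  : 'Lpl/droidsonroids/gif/GifImageView;'
"""

if __name__ == "__main__":
    print(extract_class_paths(SAMPLE_DEXDUMP_OUTPUT))
    print(demo_hostile_filename())
```

The behavioural difference from the original `'%s %s/classes*.dex | perl ... | sort | uniq'` string is only where parsing happens: the same regex and the same sort/uniq semantics, but applied to captured stdout in the process that already has the data, with `subprocess.run` receiving a list so there is no shell line for any file name to influence.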