A Semi-Automated Approach to Finding Logic Vulnerabilities in Android Apps

  • 6 November 2019
  • Notes

First thing this morning I saw that the F-Secure LABS team (formerly MWR, the team that broke the Chrome browser with 13 logic vulnerabilities and is a Pwn2Own regular) had published an article, "Automating Pwn2Own with Jandroid" (https://labs.f-secure.com/blog/automating-pwn2own-with-jandroid/ ), describing how to use Jandroid to semi-automate the discovery of logic vulnerabilities in Android applications.

Focusing on logic vulnerabilities has some advantages, especially for competition use: the chance of colliding with someone else's bug is lower, exploitation is stable, and there is usually no need for any memory-layout control.

MWR is particularly good at finding this class of vulnerability; at Mobile Pwn2Own they have previously broken Huawei phones, Samsung phones and the Chrome browser.

The article introduces Jandroid (https://github.com/FSecureLABS/Jandroid ), an open-source tool. It requires Python 3.4 or later to run and supports parsing apk, dex, system.img and ext4 files.

    python3 src/jandroid.py -h
    ----------------------------
             JANDROID
    ----------------------------
    usage: jandroid.py [-h] [-f FOLDER] [-p [{android}]] [-e [{device,ext4,img}]]
                       [-g [{neo4j,visjs,both}]]

    A tool for performing pattern matching against applications.

    optional arguments:
      -h, --help            show this help message and exit
      -f FOLDER, --folder FOLDER
                            directory of apps to analyse, so apps can be analysed in batch
      -p [{android}], --platform [{android}]
                            target platform; currently only android is supported
      -e [{device,ext4,img}], --extract [{device,ext4,img}]
                            extract apps from a connected device, an ext4 image or a system.img
      -g [{neo4j,visjs,both}], --graph [{neo4j,visjs,both}]
                            graph display of the detection results

It marks taint-propagation paths by defining JSON templates. For example: find an Activity carrying the android.intent.category.BROWSABLE category (i.e. one a browser is allowed to open), then look for Landroid/webkit/WebView;->addJavascriptInterface to see whether a JavaScript interface is exposed, in order to judge whether the preconditions for a remote attack might exist. This is only semi-automated assistance, however; manual confirmation is still required.

Template example:

    {
        "METADATA": {
            "NAME": "JSbridgeBrowsable"
        },
        "MANIFESTPARAMS": {
            "BASEPATH": "manifest->application->activity OR manifest->application->activity-alias",
            "SEARCHPATH": {
                "intent-filter": {
                    "action": {
                        "LOOKFOR": {
                            "TAGVALUEMATCH": "<NAMESPACE>:name=android.intent.action.VIEW"
                        }
                    },
                    "category": {
                        "LOOKFOR": {
                            "TAGVALUEMATCH": "<NAMESPACE>:name=android.intent.category.BROWSABLE"
                        }
                    },
                    "data": {
                        "RETURN": ["<NAMESPACE>:host AS @host", "<NAMESPACE>:scheme AS @scheme"]
                    }
                }
            },
            "RETURN": ["<smali>:<NAMESPACE>:name AS @activity_name"]
        },
        "CODEPARAMS": {
            "SEARCH": {
                "SEARCHFORCALLTOMETHOD": {
                    "METHOD": "Landroid/webkit/WebView;->addJavascriptInterface",
                    "RETURN": "<class> AS @web_view"
                }
            },
            "TRACE": {
                "TRACEFROM": "<method>:@web_view[]->loadUrl(Ljava/lang/String;)V",
                "TRACETO": "<class>:@activity_name",
                "TRACELENGTHMAX": 10,
                "RETURN": "<tracepath> AS @tracepath_browsablejsbridge"
            }
        },
        "GRAPH": "@tracepath_browsablejsbridge WITH <method>:<desc>:<class> AS attribute=nodename"
    }

The meaning of each field is clear enough from the example, so I won't go through them here. Readers can also refer to F-Secure's article, which explains them in detail.

In summary, a template supports:

  1. Pattern matching and searching over AndroidManifest.xml
  2. Pattern matching and searching over smali code
  3. Graph display of propagation paths, and definition of the display file format
  4. Tracking of function-call arguments
  5. Definition of the start and end points of a function-call trace, the tracing itself, and the trace depth
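To make the template's two halves concrete, here is an added example (my own illustration, not Jandroid's code) that does by hand what the JSbridgeBrowsable template expresses declaratively: the manifest half finds activities and activity-aliases whose intent-filter has action VIEW and category BROWSABLE and returns the same fields the template binds (@activity_name, @scheme, @host); the code half finds classes that call addJavascriptInterface and loadUrl and joins them back to those entries. The manifest, the package name com.example.demo, the class names and the smali fragments are all constructed for the example. It goes one step beyond the template as printed: an activity-alias has no class of its own, so it follows android:targetActivity before doing the code-side check.

```python
# Added example, not Jandroid's own code: a hand-rolled version of what the
# JSbridgeBrowsable template expresses, run over a constructed manifest and
# constructed smali fragments so each matching step is visible.
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def attr(node, name):
    """Read an android:-namespaced attribute."""
    return node.get("{%s}%s" % (ANDROID_NS, name))

# Constructed sample manifest (hypothetical package, not a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application>
    <activity android:name="com.example.demo.WebActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="demo" android:host="open"/>
      </intent-filter>
    </activity>
    <activity android:name="com.example.demo.MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity-alias android:name="com.example.demo.LegacyLink"
                    android:targetActivity="com.example.demo.WebActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="https" android:host="example.test"/>
      </intent-filter>
    </activity-alias>
  </application>
</manifest>"""

# Constructed smali fragments keyed by class descriptor (hypothetical classes).
SAMPLE_SMALI = {
    "Lcom/example/demo/WebActivity;": """
.method protected onCreate(Landroid/os/Bundle;)V
    invoke-virtual {p0}, Lcom/example/demo/WebActivity;->findWebView()Landroid/webkit/WebView;
    move-result-object v0
    new-instance v1, Lcom/example/demo/Bridge;
    invoke-virtual {v0, v1, v2}, Landroid/webkit/WebView;->addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V
    invoke-virtual {v0, v3}, Landroid/webkit/WebView;->loadUrl(Ljava/lang/String;)V
    return-void
.end method""",
    "Lcom/example/demo/MainActivity;": ".method protected onCreate(Landroid/os/Bundle;)V\n    return-void\n.end method",
}

# The two smali calls the template's SEARCH and TRACEFROM sections refer to.
ADD_JSI = re.compile(r"Landroid/webkit/WebView;->addJavascriptInterface\(")
LOAD_URL = re.compile(r"Landroid/webkit/WebView;->loadUrl\(Ljava/lang/String;\)V")

def find_browsable_entries(manifest_xml):
    """MANIFESTPARAMS step: activity or activity-alias whose intent-filter has
    action VIEW and category BROWSABLE. Returns the fields the template binds
    (@activity_name, @scheme, @host) plus the class an alias resolves to."""
    app = ET.fromstring(manifest_xml).find("application")
    found = []
    for node in app.findall("activity") + app.findall("activity-alias"):
        name = attr(node, "name")
        # An alias has no class of its own; follow targetActivity so the
        # code-side check looks at the class that actually handles the intent.
        cls = attr(node, "targetActivity") if node.tag == "activity-alias" else name
        for filt in node.findall("intent-filter"):
            actions = {attr(a, "name") for a in filt.findall("action")}
            cats = {attr(c, "name") for c in filt.findall("category")}
            if "android.intent.action.VIEW" not in actions:
                continue
            if "android.intent.category.BROWSABLE" not in cats:
                continue
            for data in filt.findall("data"):
                found.append({"entry": name, "class": cls,
                              "scheme": attr(data, "scheme"), "host": attr(data, "host")})
    return found

def classes_calling(smali_by_class, pattern):
    """SEARCHFORCALLTOMETHOD step: the classes containing a call matching pattern."""
    return {cls for cls, body in smali_by_class.items() if pattern.search(body)}

def to_descriptor(java_name):
    """com.example.Foo -> Lcom/example/Foo;"""
    return "L" + java_name.replace(".", "/") + ";"

def match_jsbridge_browsable(manifest_xml, smali_by_class):
    """Join the two halves: a browsable entry whose handling class both registers
    a JavaScript interface and calls loadUrl (the template's trace start) is a
    candidate that still needs a human to review, as the text says."""
    jsi = classes_calling(smali_by_class, ADD_JSI)
    load = classes_calling(smali_by_class, LOAD_URL)
    return [e for e in find_browsable_entries(manifest_xml)
            if to_descriptor(e["class"]) in jsi and to_descriptor(e["class"]) in load]

if __name__ == "__main__":
    for hit in match_jsbridge_browsable(SAMPLE_MANIFEST, SAMPLE_SMALI):
        print(hit)
```

On the sample input both browsable entries (the activity and the alias that points at it) come back as candidates, while MainActivity is dropped at the manifest step because its filter has no VIEW action. What this hand version lacks, and what the template's TRACE section adds, is following the call graph from loadUrl back to the activity up to TRACELENGTHMAX hops; a plain text search only tells you the two calls live in the same class.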

I grabbed an apk to analyse, and as soon as I ran it I got the following error:

    python3 src/jandroid.py -f ./apps -g visjs
    Traceback (most recent call last):
      File "src/jandroid.py", line 408, in <module>
        inst_jandroid.fn_main()
      File "src/jandroid.py", line 227, in fn_main
        self.pull_source
      File "/Volumes/Macintosh/Users/riusksk/Android-Security/工具/Jandroid/src/plugins/android/main.py", line 51, in fn_start_plugin_analysis
        app_pull_src
      File "/Volumes/Macintosh/Users/riusksk/Android-Security/工具/Jandroid/src/plugins/android/requirements_checker.py", line 53, in fn_perform_initial_checks
        raise JandroidException(
    NameError: name 'JandroidException' is not defined

Adding the following line at the top of Jandroid/src/plugins/android/requirements_checker.py fixes it:

    from common import JandroidException

Result of the run:

    python3 src/jandroid.py -f ./apps -g visjs
    ----------------------------
             JANDROID
    ----------------------------
    INFO     Creating template object.
    INFO     1 potential template(s) found.
    DEBUG    Parsing /Volumes/Macintosh/Users/riusksk/Android-Security/工具/Jandroid/templates/android/sample_basic_browsable_jsbridge.template
    INFO     Initiating Android analysis.
    INFO     Performing basic checks. Please wait.
    INFO     Basic checks complete.
    INFO     Beginning analysis...
    DEBUG    1 app(s) to analyse, using 2 thread(s).
    DEBUG    Created worker process 0
    DEBUG    Created worker process 1
    DEBUG    AnalyzeAPK
    DEBUG    Analysing without session
    INFO     Analysing ctrip.android.view_8.13.0_1248.apk in worker thread 0.
    DEBUG    AXML contains a RESOURCE MAP
    DEBUG    Start of Namespace mapping: prefix 47: 'android' --> uri 48: 'http://schemas.android.com/apk/res/android'
    DEBUG    START_TAG: manifest (line=2)
    DEBUG    found an attribute: {http://schemas.android.com/apk/res/android}versionCode='b'1248''
    DEBUG    found an attribute: {http://schemas.android.com/apk/res/android}versionName='b'8.13.0''
    DEBUG    found an attribute:
    ......
    DEBUG    Settings basic blocks childs
    DEBUG    Creating exceptions
    DEBUG    Parsing instructions
    DEBUG    Parsing exceptions
    DEBUG    Creating basic blocks in Landroid/support/constraint/solver/LinearSystem;->createRowDimensionPercent(Landroid/support/constraint/solver/LinearSystem; Landroid/support/constraint/solver/SolverVariable; Landroid/support/constraint/solver/SolverVariable; Landroid/support/constraint/solver/SolverVariable; F Z)Landroid/support/constraint/solver/ArrayRow; [access_flags=public static] @ 0x199210
    ......
    DEBUG    Looking for subclasses of Lctrip/business/map/SimpleOverseaMapActivity;
    DEBUG    ctrip.android.view_8.13.0_1248.apk took 349 seconds to analyse.
    DEBUG    Finished analysing ctrip.android.view_8.13.0_1248.apk with output {'bug_obj': {'JSbridgeBrowsable': False}, 'graph_list': []}.
    INFO     Finished analysing apps.
    INFO     Creating custom graph.
    INFO     Custom graph can be found at /Volumes/Macintosh/Users/riusksk/Android-Security/工具/Jandroid/output/graph/jandroid.html
    INFO     All done.

The result is displayed in the jandroid.html file named above, but since no code satisfying the JSbridgeBrowsable condition was detected in my case, the graph in the html is empty. When matching code is found, you get a graph like the following:

Jandroid also comes with a GUI, including a template-creation feature, so it is convenient to use; run the following command to open it:

    python3 gui/jandroid_gui.py

For example, tracing cases where DexClassLoader.loadClass loads an external dex file:

Another real example: the figure below is the function propagation-path graph of an unzip directory-traversal vulnerability from MWR's analysis of Samsung devices; the vulnerability was used at Mobile Pwn2Own 2017:

So Jandroid is a very suitable assistant for digging out logic vulnerabilities. The core idea is still taint tracking; it is simple to operate and the visualisation is good. Template-based customisation makes it flexible to apply, and for complex business-logic designs in particular it is well suited to customised batch detection. It is not fully automated, though: manual analysis and confirmation are still required.