Finally, here we have a vulnerability that targets Android developers and reverse engineers, instead of app users.
Security researchers have discovered an easily exploitable vulnerability in Android application developer tools, both downloadable and cloud-based, that could allow attackers to steal files and execute malicious code on vulnerable systems remotely.
The issue was discovered by security researchers at the Check Point Research Team, who also released a proof of concept (PoC) attack, which they called ParseDroid.
The vulnerability resides in a popular XML parsing library "DocumentBuilderFactory," used by the most common Android Integrated Development Environments (IDEs) like Google's Android Studio, JetBrains' IntelliJ IDEA and Eclipse as well as the major reverse engineering tools for Android apps such as APKTool, Cuckoo-Droid and more.
The ParseDroid flaw, technically known as an XML External Entity (XXE) vulnerability, is triggered when a vulnerable Android development or reverse engineering tool decodes an application and tries to parse a maliciously crafted "AndroidManifest.xml" file inside it.
In other words, all an attacker needs to do to trigger the vulnerability is trick developers and reverse engineers into loading a maliciously crafted APK file.
Besides this, the XXE vulnerability can also be used to inject arbitrary files anywhere on a targeted computer to achieve full remote code execution (RCE), which makes the attack surface wide and various.
Moreover, the attacker doesn't need to target their victims directly, as the researchers suggest "another attack scenario that can be used in the wild to attack a massive range of Android developers by injecting a malicious AAR (Android Archive Library) containing our XXE payload into repositories."
For educational and demonstration purposes, researchers have also created an online APK decoder tool that can extract the malicious file from an APK (in this case they used a PHP web shell), allowing the attacker to execute system commands on the web application server, as shown in the video.
Most of the developers, including Google, JetBrains and the APKTool owner, have since fixed the issue and released patched versions.
Since all the attack methods demonstrated by the researchers are cross-platform, developers and reverse engineers are highly recommended to update their tools, if they haven't yet.
"By simply loading the malicious 'AndroidManifest.xml' file as part of an Android project, the IDEs start spitting out any file configured by the attacker," the researchers said.
Demonstration: XML External Entity (XXE) to Remote Code Execution
"The way we chose to demonstrate this vulnerability, of course, is just one of many possible attack methods that can be used to achieve full RCE," the Check Point researchers wrote. "Indeed, the Path Traversal method lets us copy any file to any location on the file system, making the attack surface wide and various."

Check Point researchers Eran Vaknin, Gal Elbaz, Alon Boxiner and Oded Vanunu discovered this issue in May 2017 and reported it to all major IDE and tool developers, including Google, JetBrains, Eclipse and the APKTool owner.