Security researchers convey discovered an easily-exploitable vulnerability inwards Android application developer tools, both downloadable together with cloud-based, that could allow attackers to pocket files together with execute malicious code on vulnerable systems remotely.
The lawsuit was discovered past times safety researchers at the Check Point Research Team, who also released a proof of concept (PoC) attack, which they called ParseDroid.
The vulnerability resides inwards a pop XML parsing library "DocumentBuilderFactory," used past times the almost mutual Android Integrated Development Environments (IDEs) similar Google's Android Studio, JetBrains' IntelliJ IDEA together with Eclipse equally good equally the major contrary technology scientific discipline tools for Android apps such equally APKTool, Cuckoo-Droid together with more.
In companionship words, all an aggressor postulate to trigger the vulnerability is flim-flam the developers together with contrary engineers into loading a maliciously crafted APK file.
"By exactly loading the malicious 'AndroidManifest.xml' file equally role of an Android project, the IDEs starts spitting out whatever file configured past times the attacker," the researchers said.
Demonstration: XML External Entity (XXE) to Remote Code Execution
Besides this, the XXE vulnerability tin also last used to inject arbitrary files anywhere on a targeted reckoner to attain amount remote code execution (RCE), which makes the assail surface-wide together with various.
For educational together with demonstration purpose, researchers convey also created an online APK decoder tool that tin extract the malicious file from an APK (in this instance they used a PHP spider web shell), allowing the aggressor to execute organisation commands on the spider web application server, equally shown inwards the video.
"The means nosotros chose to demonstrate this vulnerability, of course, is exactly 1 of many possible assail methods that tin last used to attain amount RCE," the Check Point researchers wrote. "Indeed, the Path Traversal method lets us re-create whatever file to whatever place on the file system, making the assail surface-wide together with various."Check Point researchers Eran Vaknin, Gal Elbaz, Alon Boxiner together with Oded Vanunu discovered this lawsuit inwards May 2017 together with reported them to all major IDEs together with tools developers, including Google, JetBrains, Eclipse together with APKTool owner.
Most of the developers, including Google, JetBrains together with APKTool owner, convey since fixed the lawsuit together with released patched versions.
Since all the assail methods demonstrated past times the researchers are cross-platform, developers together with contrary engineers are highly recommended to update their tools, if they haven't yet.
