from pydiesel.reflection import ReflectionException
from drozer.modules import common, Module
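class ObjectInputStream(Module, common.FileSystem, common.PackageManager, common.Provider, common.Strings, common.ZipFile):
    """Scanner that flags packages whose code references java.io.ObjectInputStream.

    Detection is a plain substring match over the strings extracted from a
    package's ``classes.dex`` and its sibling ``.odex`` file. Reviewer notes
    for anyone triaging the output:

    * A hit only means the class name appears in the binary. It does not show
      that untrusted data reaches the deserializer, so treat each result as a
      lead for manual review rather than a confirmed finding.
    * Only the entry named ``classes.dex`` is extracted from each APK; any
      other dex file inside the archive is not examined, so a clean result is
      not proof of absence.
    * The module does not look at the platform version of the device. Per the
      description, the underlying issue concerns Android <5.0.
    """

    name = "ObjectInputStream Check"
    description = """
Finds applications that make use of java.io.ObjectInputStream (CVE-2014-7911: Android <5.0 Privilege Escalation)
It was identified that on Android <5.0 java.io.ObjectInputStream did not check whether the Object that is being
deserialized is actually serializable. This means that when ObjectInputStream is used on untrusted inputs, an
attacker can cause an instance of any class with a non-private parameterless constructor to be created
See:
http://seclists.org/fulldisclosure/2014/Nov/51
http://researchcenter.paloaltonetworks.com/2015/01/cve-2014-7911-deep-dive-analysis-android-system-service-vulnerability-exploitation/
"""
    examples = ""
    author = "/dev/null <[email protected]>"
    date = "2015-05-13"
    license = "BSD (3 clause)"
    path = ["scanner", "misc"]
    permissions = ["com.mwr.dz.permissions.GET_CONTEXT"]

    def add_arguments(self, parser):
        """Register the optional package selector and the verbose switch."""
        # NOTE(review): the help text mentions a content URI, but execute()
        # passes the value to check_package() as a package name.
        parser.add_argument("-a", "--package", "--uri", dest="package_or_uri", help="specify a package, or content uri to search", metavar="<package or uri>")
        parser.add_argument("-v", "--verbose", action="store_true", help="enable verbose mode")

    def execute(self, arguments):
        """Scan the requested package, or every installed package if none is given.

        When scanning all packages, a failure on one package is reported and the
        scan continues with the next, so a single unreadable package cannot hide
        the results for the rest.
        """
        if arguments.package_or_uri is not None:
            self.check_package(arguments.package_or_uri, arguments)
            return

        for package in self.packageManager().getPackages(common.PackageManager.GET_PERMISSIONS):
            try:
                self.check_package(package.packageName, arguments)
            except Exception as e:
                # Deliberately broad: this is a best-effort sweep. Name the
                # package so a skipped target is visible in the output and can
                # be re-checked by hand.
                self.stderr.write("%s: %s\n" % (package.packageName, str(e)))

    def check_package(self, package, arguments):
        """Report whether `package` references ObjectInputStream in its dex/odex strings.

        Writes one line per scanned source path: red when a reference is found,
        green (verbose mode only) when it is not. Source paths that are neither
        .apk nor .odex are skipped.
        """
        # Remove any classes.dex left in the cache directory before extracting.
        self.deleteFile("/".join([self.cacheDir(), "classes.dex"]))

        markers = ("java.io.ObjectInputStream", "Ljava/io/ObjectInputStream")

        for path in self.packageManager().getSourcePaths(package):
            strings = []

            if ".apk" in path:
                dex_file = self.extractFromZip("classes.dex", path, self.cacheDir())

                # NOTE(review): kept as an equality test on purpose; dex_file
                # comes from the reflection layer and may not be Python's None
                # when the entry is missing - confirm before changing to `is`.
                if dex_file != None:
                    try:
                        strings = self.getStrings(dex_file.getAbsolutePath())
                    finally:
                        # Always remove the extracted copy, even if string
                        # extraction fails, so it does not linger in the cache.
                        dex_file.delete()

                # Also read the .odex that sits next to the .apk.
                strings += self.getStrings(path.replace(".apk", ".odex"))
            elif ".odex" in path:
                strings = self.getStrings(path)
            else:
                continue

            # Substring match over the stringified result, covering both the
            # dotted class name and the dex type-descriptor form.
            haystack = str(strings)
            uses_object_input_stream = any(marker in haystack for marker in markers)

            if uses_object_input_stream:
                self.stdout.write("[color red]%s uses ObjectInputStream[/color]\n" % package)
            elif arguments.verbose:
                self.stdout.write("[color green]%s doesn't use ObjectInputStream[/color]\n" % package)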