JADX安全性研究教学文档<\/h1>

1. JADX简介<\/h2>
JADX是一款强大的Android反编译工具，能够将DEX\/APK文件反编译为Java源代码。它提供了GUI和命令行两种使用方式，是Android安全研究人员常用的工具之一。<\/p>

2. JADX历史漏洞分析<\/h2>

2.1 CVE-2022-0219 - XXE漏洞<\/h3>

漏洞描述<\/h4>
JADX曾存在XML外部实体(XXE)注入漏洞，攻击者可通过构造恶意APK文件，利用JADX解析时的XML处理不当实现任意文件读取。<\/p>

漏洞原理<\/h4>

早期版本虽然实现了XmlSecurity<\/code>类，但在实际XML解析时未调用<\/li>

导致XML解析时未禁用外部实体引用，可能加载恶意DTD或外部实体<\/li>
<\/ul>
修复方案<\/h4>
修复提交：c6a78c0d6dc990a4a0f8962d51823aa6ca3aefd2<\/a><\/p>
安全限制代码：<\/p>
public<\/span> static<\/span> DocumentBuilderFactory getSecureDbf<\/span>()<\/span> throws<\/span> ParserConfigurationException {<\/span>
<\/span><\/span>    synchronized<\/span> (<\/span>XmlSecurity.<\/span>class<\/span>)<\/span> {<\/span>
<\/span><\/span>        if<\/span> (<\/span>secureDbf ==<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>            secureDbf =<\/span> DocumentBuilderFactory.<\/span>newInstance<\/span>();<\/span>
<\/span><\/span>            secureDbf.<\/span>setFeature<\/span>(<\/span>"http:\/\/apache.org\/xml\/features\/disallow-doctype-decl"<\/span>,<\/span> true<\/span>);<\/span>
<\/span><\/span>            secureDbf.<\/span>setFeature<\/span>(<\/span>"http:\/\/apache.org\/xml\/features\/nonvalidating\/load-external-dtd"<\/span>,<\/span> false<\/span>);<\/span>
<\/span><\/span>            secureDbf.<\/span>setFeature<\/span>(<\/span>"http:\/\/xml.org\/sax\/features\/external-general-entities"<\/span>,<\/span> false<\/span>);<\/span>
<\/span><\/span>            secureDbf.<\/span>setFeature<\/span>(<\/span>"http:\/\/xml.org\/sax\/features\/external-parameter-entities"<\/span>,<\/span> false<\/span>);<\/span>
<\/span><\/span>            secureDbf.<\/span>setFeature<\/span>(<\/span>"http:\/\/apache.org\/xml\/features\/dom\/create-entity-ref-nodes"<\/span>,<\/span> false<\/span>);<\/span>
<\/span><\/span>            secureDbf.<\/span>setXIncludeAware<\/span>(<\/span>false<\/span>);<\/span>
<\/span><\/span>            secureDbf.<\/span>setExpandEntityReferences<\/span>(<\/span>false<\/span>);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    return<\/span> secureDbf;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>安全措施<\/h4>

禁用DOCTYPE声明<\/li>
禁用外部DTD加载<\/li>
禁用外部通用实体<\/li>
禁用外部参数实体<\/li>
禁用实体引用节点创建<\/li>
禁用XInclude<\/li>
禁用实体引用扩展<\/li>
<\/ul>
2.2 路径穿越任意文件覆盖漏洞<\/h3>
漏洞发现过程<\/h4>

尝试构造恶意APK文件进行测试<\/li>
分析资源名称处理逻辑<\/li>
<\/ol>
关键代码分析<\/h4>
资源别名处理方法：<\/p>
private<\/span> String getResAlias<\/span>(<\/span>int<\/span> resRef,<\/span> String origKeyName,<\/span> @Nullable<\/span> FieldNode constField)<\/span> {<\/span>
<\/span><\/span>    String name;<\/span>
<\/span><\/span>    if<\/span> (<\/span>constField ==<\/span> null<\/span> ||<\/span> constField.<\/span>getTopParentClass<\/span>().<\/span>isSynthetic<\/span>())<\/span> {<\/span>
<\/span><\/span>        name =<\/span> origKeyName;<\/span>
<\/span><\/span>    }<\/span> else<\/span> {<\/span>
<\/span><\/span>        name =<\/span> getBetterName(<\/span>root.<\/span>getArgs<\/span>().<\/span>getResourceNameSource<\/span>(),<\/span> origKeyName,<\/span> constField.<\/span>getName<\/span>());<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    Matcher matcher =<\/span> VALID_RES_KEY_PATTERN.<\/span>matcher<\/span>(<\/span>name);<\/span>
<\/span><\/span>    if<\/span> (<\/span>matcher.<\/span>matches<\/span>())<\/span> {<\/span>
<\/span><\/span>        return<\/span> name;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    String cleanedResName =<\/span> cleanName(<\/span>matcher);<\/span>
<\/span><\/span>    String newResName =<\/span> String.<\/span>format<\/span>(<\/span>"res_0x%08x"<\/span>,<\/span> resRef);<\/span>
<\/span><\/span>    if<\/span> (<\/span>cleanedResName.<\/span>isEmpty<\/span>())<\/span> {<\/span>
<\/span><\/span>        return<\/span> newResName;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    return<\/span> newResName +<\/span> "_"<\/span> +<\/span> cleanedResName.<\/span>toLowerCase<\/span>();<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>名称验证正则表达式：<\/p>
private<\/span> static<\/span> final<\/span> Pattern VALID_RES_KEY_PATTERN =<\/span> Pattern.<\/span>compile<\/span>(<\/span>"[\\w\\d_]+"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>
只允许字母、数字和下划线组合<\/li>
<\/ul>
可能的绕过点分析<\/h4>


useRawResName<\/code>属性<\/p>

当为true时直接返回原始名称<\/li>
但默认初始化为false，仅在测试方法中为true<\/li>
<\/ul>
<\/li>

renamedKey<\/code>重命名<\/p>

已存在的resRef会直接返回之前存储的名称<\/li>
但存储的名称也是经过过滤的<\/li>
<\/ul>
<\/li>

style类型特殊处理<\/p>

style类型文件可能包含点(.)<\/li>
直接返回原始名称不做过滤<\/li>
<\/ul>
<\/li>
<\/ol>
实际利用尝试<\/h4>


修改resources.arsc文件结构<\/p>

使用010 Editor分析二进制结构<\/li>
修改资源类型为style(0x0E)<\/li>
<\/ul>
<\/li>

构造路径穿越payload<\/p>

尝试使用..\/..\/hfile<\/code>等路径<\/li>
但最终会被路径检查拦截<\/li>
<\/ul>
<\/li>
<\/ol>
路径检查机制<\/h4>
private<\/span> static<\/span> boolean<\/span> isInSubDirectoryInternal<\/span>(<\/span>File baseDir,<\/span> File file)<\/span> {<\/span>
<\/span><\/span>    File current =<\/span> file;<\/span>
<\/span><\/span>    while<\/span> (<\/span>true<\/span>)<\/span> {<\/span>
<\/span><\/span>        if<\/span> (<\/span>current ==<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>            return<\/span> false<\/span>;<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        if<\/span> (<\/span>current.<\/span>equals<\/span>(<\/span>baseDir))<\/span> {<\/span>
<\/span><\/span>            return<\/span> true<\/span>;<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        current =<\/span> current.<\/span>getParentFile<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>
严格检查目标路径是否在基础目录下<\/li>
无法绕过<\/li>
<\/ul>
漏洞影响<\/h4>
最终发现该漏洞只能覆盖resources文件夹下的文件，无法实现真正的任意文件覆盖，属于鸡肋安全问题。<\/p>
修复方案<\/h4>
修复提交：d86449a8ea26381d0ce6fafaed7deb7542dfd70b<\/a><\/p>
3. 安全开发建议<\/h2>


XML处理安全规范<\/p>

始终使用安全的XML解析配置<\/li>
禁用所有外部实体引用<\/li>
使用白名单而非黑名单策略<\/li>
<\/ul>
<\/li>

文件路径处理规范<\/p>

对用户提供的文件名进行严格验证<\/li>
使用规范化路径进行比较<\/li>
实施严格的目录限制<\/li>
<\/ul>
<\/li>

资源处理规范<\/p>

对资源名称实施严格过滤<\/li>
避免特殊类型的例外处理<\/li>
实施多层防御机制<\/li>
<\/ul>
<\/li>
<\/ol>
4. 参考资源<\/h2>

Android资源混淆工具AndResGuard原理分析<\/a><\/li>
Android资源文件格式<\/a><\/li>
JADX GitHub仓库<\/a><\/li>
<\/ol>

JADX安全性研究教学文档<\/h1>

1. JADX简介<\/h2> JADX是一款强大的Android反编译工具，能够将DEX\/APK文件反编译为Java源代码。它提供了GUI和命令行两种使用方式，是Android安全研究人员常用的工具之一。<\/p>

2. JADX历史漏洞分析<\/h2>

2.1 CVE-2022-0219 - XXE漏洞<\/h3>

漏洞描述<\/h4> JADX曾存在XML外部实体(XXE)注入漏洞，攻击者可通过构造恶意APK文件，利用JADX解析时的XML处理不当实现任意文件读取。<\/p>

安全措施<\/h4> 禁用DOCTYPE声明<\/li> 禁用外部DTD加载<\/li> 禁用外部通用实体<\/li> 禁用外部参数实体<\/li> 禁用实体引用节点创建<\/li> 禁用XInclude<\/li>

2.2 路径穿越任意文件覆盖漏洞<\/h3>

漏洞发现过程<\/h4> 尝试构造恶意APK文件进行测试<\/li>

关键代码分析<\/h4> 资源别名处理方法：<\/p>

漏洞影响<\/h4> 最终发现该漏洞只能覆盖resources文件夹下的文件，无法实现真正的任意文件覆盖，属于鸡肋安全问题。<\/p>

修复方案<\/h4> 修复提交：d86449a8ea26381d0ce6fafaed7deb7542dfd70b<\/a><\/p>

3. 安全开发建议<\/h2> XML处理安全规范<\/p>

4. 参考资源<\/h2> Android资源混淆工具AndResGuard原理分析<\/a><\/li> Android资源文件格式<\/a><\/li> JADX GitHub仓库<\/a><\/li> <\/ol>

1. JADX简介<\/h2>
JADX是一款强大的Android反编译工具，能够将DEX\/APK文件反编译为Java源代码。它提供了GUI和命令行两种使用方式，是Android安全研究人员常用的工具之一。<\/p>

漏洞描述<\/h4>
JADX曾存在XML外部实体(XXE)注入漏洞，攻击者可通过构造恶意APK文件，利用JADX解析时的XML处理不当实现任意文件读取。<\/p>

漏洞影响<\/h4>
最终发现该漏洞只能覆盖resources文件夹下的文件，无法实现真正的任意文件覆盖，属于鸡肋安全问题。<\/p>

修复方案<\/h4>
修复提交：d86449a8ea26381d0ce6fafaed7deb7542dfd70b<\/a><\/p>

4. 参考资源<\/h2>

Android资源混淆工具AndResGuard原理分析<\/a><\/li>
Android资源文件格式<\/a><\/li>
JADX GitHub仓库<\/a><\/li> <\/ol>