Apktool安全性研究教学文档<\/h1>

1. Apktool简介<\/h2>
Apktool是一个用于逆向工程Android APK文件的工具，它能够解码资源到近乎原始的形式，并在修改后重新构建它们。项目地址：https:\/\/github.com\/iBotPeaches\/Apktool<\/p>

2. Apktool历史漏洞分析<\/h2>

2.1 XML外部实体漏洞(XXE)<\/h3>

漏洞描述<\/strong>：
Apktool在解析AndroidManifest.xml文件时，不会禁用外部实体引用，导致存在XML外部实体注入攻击(XXE)漏洞。<\/p>

影响版本<\/strong>：
2.2.2及以下版本<\/p>

漏洞原理<\/strong>：
在fixingPublicAttrsInProviderAttributes<\/code>方法中，解析文件使用loadDocument(file)<\/code>函数：<\/p>

private<\/span> static<\/span> Document loadDocument<\/span>(<\/span>File file)<\/span>
<\/span><\/span>        throws<\/span> IOException,<\/span> SAXException,<\/span> ParserConfigurationException {<\/span>
<\/span><\/span>    DocumentBuilderFactory docFactory =<\/span> DocumentBuilderFactory.<\/span>newInstance<\/span>();<\/span>
<\/span><\/span>    DocumentBuilder docBuilder =<\/span> docFactory.<\/span>newDocumentBuilder<\/span>();<\/span>
<\/span><\/span>    return<\/span> docBuilder.<\/span>parse<\/span>(<\/span>file);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>没有禁用外部实体，导致XXE漏洞。<\/p>
修复方案<\/strong>：

修复后的代码增加了安全限制：<\/p>
public<\/span> static<\/span> Document loadDocument<\/span>(<\/span>File file)<\/span>
<\/span><\/span>        throws<\/span> IOException,<\/span> SAXException,<\/span> ParserConfigurationException {<\/span>
<\/span><\/span>    DocumentBuilderFactory docFactory =<\/span> DocumentBuilderFactory.<\/span>newInstance<\/span>();<\/span>
<\/span><\/span>    docFactory.<\/span>setFeature<\/span>(<\/span>FEATURE_DISABLE_DOCTYPE_DECL,<\/span> true<\/span>);<\/span>
<\/span><\/span>    docFactory.<\/span>setFeature<\/span>(<\/span>FEATURE_LOAD_DTD,<\/span> false<\/span>);<\/span>
<\/span><\/span>    
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        docFactory.<\/span>setAttribute<\/span>(<\/span>ACCESS_EXTERNAL_DTD,<\/span> " "<\/span>);<\/span>
<\/span><\/span>        docFactory.<\/span>setAttribute<\/span>(<\/span>ACCESS_EXTERNAL_SCHEMA,<\/span> " "<\/span>);<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (<\/span>IllegalArgumentException ex)<\/span> {<\/span>
<\/span><\/span>        LOGGER.<\/span>warning<\/span>(<\/span>"JAXP 1.5 Support is required to validate XML"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    DocumentBuilder docBuilder =<\/span> docFactory.<\/span>newDocumentBuilder<\/span>();<\/span>
<\/span><\/span>    try<\/span> (<\/span>FileInputStream inputStream =<\/span> new<\/span> FileInputStream(<\/span>file))<\/span> {<\/span>
<\/span><\/span>        return<\/span> docBuilder.<\/span>parse<\/span>(<\/span>inputStream);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>利用方法<\/strong>：<\/p>

生成正常APK<\/li>
使用apktool decode后修改AndroidManifest.xml<\/li>
添加恶意XXE payload：<\/li>
<\/ol>
<!DOCTYPE manifest <!ENTITY xxe SYSTEM 'https:\/\/target\/sayhi;'><\/span>]>
<\/span><\/span>&xxe;
<\/span><\/span><\/code><\/pre>2.2 unknownFiles路径穿越漏洞<\/h3>
漏洞描述<\/strong>：

Apktool在2.2.2版本以下存在目录穿越漏洞，可以打包一个文件到恶意的apk中，在apktool解包时造成任意文件写入。<\/p>
漏洞代码<\/strong>：

在decodeUnknownFiles<\/code>方法中：<\/p>
public<\/span> void<\/span> decodeUnknownFiles<\/span>(<\/span>ExtFile apkFile,<\/span> File outDir,<\/span> ResTable resTable)<\/span>
<\/span><\/span>        throws<\/span> AndrolibException {<\/span>
<\/span><\/span>    File unknownOut =<\/span> new<\/span> File(<\/span>outDir,<\/span> UNK_DIRNAME);<\/span>
<\/span><\/span>    Directory unk =<\/span> apkFile.<\/span>getDirectory<\/span>();<\/span>
<\/span><\/span>    Set<<\/span>String><\/span> files =<\/span> unk.<\/span>getFiles<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>    for<\/span> (<\/span>String file :<\/span> files)<\/span> {<\/span>
<\/span><\/span>        if<\/span> (!<\/span>isAPKFileNames(<\/span>file)<\/span> &&<\/span> !<\/span>file.<\/span>endsWith<\/span>(<\/span>".dex"<\/span>))<\/span> {<\/span>
<\/span><\/span>            unk.<\/span>copyToDir<\/span>(<\/span>unknownOut,<\/span> file);<\/span>
<\/span><\/span>            mResUnknownFiles.<\/span>addUnknownFileInfo<\/span>(<\/span>file,<\/span> String.<\/span>valueOf<\/span>(<\/span>unk.<\/span>getCompressionLevel<\/span>(<\/span>file)));<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>漏洞利用<\/strong>：

创建一个名为..\/..\/..\/aaa<\/code>的恶意APK文件，在解包时会逃逸到上级目录。<\/p>
修复方案<\/strong>：

新版本增加了路径检测：<\/p>
if<\/span> (<\/span>name.<\/span>equals<\/span>(<\/span>getPath())<\/span> ||<\/span> !<\/span> name.<\/span>startsWith<\/span>(<\/span>getPath())<\/span> ||<\/span> name.<\/span>contains<\/span>(<\/span>".."<\/span> +<\/span> separator))<\/span> {<\/span>
<\/span><\/span>    continue<\/span>;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2.3 CVE-2024-21633 解码时任意文件写入漏洞<\/h3>
漏洞描述<\/strong>：

通过构造特殊的资源文件名，可以在解码时实现任意文件写入。<\/p>
漏洞原理<\/strong>：

在ResFileDecoder<\/code>中，资源文件名可以被构造为路径穿越形式，如..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/tmp\/poc<\/code>。<\/p>
利用方法<\/strong>：<\/p>

使用010 Editor修改APK文件中的资源文件名<\/li>
构造恶意路径如..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/tmp\/poc<\/code><\/li>
使用apktool解码时会写入指定路径<\/li>
<\/ol>
修复方案<\/strong>：

增加了detectPossibleDirectoryTraversal<\/code>检测方法：<\/p>
public<\/span> static<\/span> boolean<\/span> detectPossibleDirectoryTraversal<\/span>(<\/span>String entry)<\/span> {<\/span>
<\/span><\/span>    if<\/span> (<\/span>OSDetection.<\/span>isWindows<\/span>())<\/span> {<\/span>
<\/span><\/span>        return<\/span> entry.<\/span>contains<\/span>(<\/span>"..\\"<\/span>)<\/span> ||<\/span> entry.<\/span>contains<\/span>(<\/span>"\\.."<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    return<\/span> entry.<\/span>contains<\/span>(<\/span>"..\/"<\/span>)<\/span> ||<\/span> entry.<\/span>contains<\/span>(<\/span>"\/.."<\/span>);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>漏洞绕过<\/strong>：

在Windows系统上，可以使用..\/<\/code>来绕过检测，因为Windows路径兼容斜杠和反斜杠。<\/p>
3. 安全建议<\/h2>

始终使用最新版本的Apktool<\/li>
在沙箱环境中运行Apktool<\/li>
不要使用不受信任的APK文件<\/li>
定期检查Apktool的安全公告<\/li>
<\/ol>
4. 参考链接<\/h2>

https:\/\/github.com\/iBotPeaches\/Apktool\/security\/advisories\/GHSA-2hqv-2xv4-5h5w<\/li>
https:\/\/research.checkpoint.com\/2017\/parsedroid-targeting-android-development-research-community\/<\/li>
https:\/\/github.com\/iBotPeaches\/Apktool\/commit\/d348c43b24a9de350ff6e5bd610545a10c1fc712<\/li>
https:\/\/thinkycx.me\/2017-12-18-Apktool-XXE-analysis.html<\/li>
https:\/\/omasko.github.io\/2018\/03\/17\/apktool漏洞利用分析\/<\/li>
<\/ol>

Apktool安全性研究教学文档<\/h1>

1. Apktool简介<\/h2> Apktool是一个用于逆向工程Android APK文件的工具，它能够解码资源到近乎原始的形式，并在修改后重新构建它们。项目地址：https:\/\/github.com\/iBotPeaches\/Apktool<\/p>

2. Apktool历史漏洞分析<\/h2>

1. Apktool简介<\/h2>
Apktool是一个用于逆向工程Android APK文件的工具，它能够解码资源到近乎原始的形式，并在修改后重新构建它们。项目地址：https:\/\/github.com\/iBotPeaches\/Apktool<\/p>