Java: Insecure Loading of Class in Android App without Package Signature Checking #14752

Open
wants to merge 4 commits into
base: main

masterofnow

If a vulnerable app loads classes or code of any app based solely on the package name of the app without first checking the package signature of the app, this could allow a malicious app with the same package name to be loaded through "package namespace squatting".
If the victim user installs such a malicious app on the same device as the vulnerable app, the vulnerable app would load classes or code from the malicious app, potentially leading to arbitrary code execution.

Although both use OVAA as a target application, this QL is different from the one in #5435 that created UnsafeReflection.ql, as they target different categories of vulnerability.
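
The pattern described above, next to a hardened form, as an added example that is not code from this PR or from OVAA. It assumes the load goes through `Context.createPackageContext`; the package and class names are hypothetical.

```java
import android.content.Context;
import android.content.pm.PackageManager;

/** Added illustration; PLUGIN_PACKAGE and PLUGIN_CLASS are hypothetical names. */
public final class PluginLoader {
    private static final String PLUGIN_PACKAGE = "com.example.plugin";       // hypothetical
    private static final String PLUGIN_CLASS = "com.example.plugin.Entry";   // hypothetical

    // Both flags are needed to load code from an app running under another UID.
    // CONTEXT_IGNORE_SECURITY switches off the platform's own refusal, so the
    // caller becomes responsible for deciding whether the package is trusted.
    private static final int LOAD_FLAGS =
            Context.CONTEXT_INCLUDE_CODE | Context.CONTEXT_IGNORE_SECURITY;

    // Pattern described in the PR: the package name alone decides whose code
    // ends up running inside this process.
    static Class<?> loadUnchecked(Context ctx) throws Exception {
        Context pluginCtx = ctx.createPackageContext(PLUGIN_PACKAGE, LOAD_FLAGS);
        return pluginCtx.getClassLoader().loadClass(PLUGIN_CLASS);
    }

    // Hardened form: the installed package must be signed with the same
    // certificate as the calling app before any of its code is loaded.
    static Class<?> loadChecked(Context ctx) throws Exception {
        PackageManager pm = ctx.getPackageManager();
        int result = pm.checkSignatures(ctx.getPackageName(), PLUGIN_PACKAGE);
        if (result != PackageManager.SIGNATURE_MATCH) {
            // Also reached when the package is absent (SIGNATURE_UNKNOWN_PACKAGE)
            // or unsigned, not only when the certificates differ.
            throw new SecurityException("Refusing to load code from "
                    + PLUGIN_PACKAGE + ": checkSignatures returned " + result);
        }
        Context pluginCtx = ctx.createPackageContext(PLUGIN_PACKAGE, LOAD_FLAGS);
        return pluginCtx.getClassLoader().loadClass(PLUGIN_CLASS);
    }

    private PluginLoader() {}
}
```

`checkSignatures` only fits when the other package is signed with the app's own certificate; a package from another publisher needs its signing certificate compared against a pinned value instead.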

@masterofnow masterofnow requested a review from a team as a code owner November 12, 2023 12:54
@owen-mc owen-mc changed the title CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') Java: CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') Nov 12, 2023
@masterofnow
Author

Minor correction. I referred to #5435 when I meant to refer to #4947, in CWE-094, which also identified a vulnerability in https://github.com/oversecured/ovaa.

@masterofnow
Author

This blog https://blog.oversecured.com/Android-arbitrary-code-execution-via-third-party-package-contexts/ gives an overview of the type of vulnerability this PR is meant to identify.

@masterofnow masterofnow changed the title Java: CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') Java: Insecure Loading of Class in Android App without Package Signature Checking Nov 13, 2023
@ghsecuritylab ghsecuritylab marked this pull request as draft November 13, 2023 08:03
@masterofnow masterofnow marked this pull request as ready for review November 14, 2023 01:21