Comments (4)
```
root@d7feae1123d5:/# drozer console connect --server host.docker.internal --debug
Selecting ebe9fcc0c47b28da (Google sdk_gphone64_x86_64 12)

drozer Console (v3.0.1 debug mode)
dz> run scanner.provider.traversal --uri content://com.withsecure.example.sieve.provider.DBContentProvider
Attempting to run shell module
exception in module: ReflectionException: No files supported by provider at content://com.withsecure.example.sieve.provider.DBContentProvider/../../../../../../../../../../../../../../../../etc/hosts
Traceback (most recent call last):
  File "/usr/local/lib/python3.10/dist-packages/drozer/console/session.py", line 402, in do_run
    module.run(argv[1:])
  File "/usr/local/lib/python3.10/dist-packages/drozer/modules/base.py", line 183, in run
    result = self.execute(arguments)
  File "/usr/local/lib/python3.10/dist-packages/drozer/modules/scanner/provider/traversal.py", line 26, in execute
    self.__test_uri(arguments.package_or_uri, vulnerable)
  File "/usr/local/lib/python3.10/dist-packages/drozer/modules/scanner/provider/traversal.py", line 53, in __test_uri
    data = self.contentResolver().read(uri + "/../../../../../../../../../../../../../../../../etc/hosts")
  File "/usr/local/lib/python3.10/dist-packages/drozer/modules/common/provider.py", line 127, in read
    fd = client.openFile(self.parseUri(uri), "r")
  File "/usr/local/lib/python3.10/dist-packages/pysolar/reflection/types/reflected_object.py", line 64, in _invoker
    result = self._reflector.invoke(self, method_name,
  File "/usr/local/lib/python3.10/dist-packages/pysolar/reflection/reflector.py", line 83, in invoke
    raise ReflectionException(response.reflection_response.errormessage)
pysolar.reflection.exceptions.ReflectionException: No files supported by provider at content://com.withsecure.example.sieve.provider.DBContentProvider/../../../../../../../../../../../../../../../../etc/hosts
```
yup legit. we'll look into it
from drozer.
So, this is a fun one.
At its core, the problem boils down to the logic of the `__test_uri()` function of the `scanner.provider.traversal` module. In drozer 2, this was implemented as follows:
```python
def __test_uri(self, uri, vulnerable):
    try:
        data = self.contentResolver().read(uri + "/../../../../../../../../../../../../../../../../etc/hosts")
    except ReflectionException as e:
        if e.message.find("java.io.FileNotFoundException") >= 0 or \
           e.message.find("java.lang.IllegalArgumentException") >= 0 or \
           e.message.find("java.lang.SecurityException") >= 0 or \
           e.message.find("No content provider") >= 0 or \
           e.message.find("RuntimeException"):  # missing ">= 0": a -1 (not found) result is truthy
            data = ""
        else:
            raise
    if data != None and len(data) > 0:
        vulnerable.add(uri)
```
A cursory read of the `try`/`except` block makes it seem like an exception should be suppressed if it contains one of five strings, and raised otherwise. So, it got ported to drozer 3 as:
```python
def __test_uri(self, uri, vulnerable):
    try:
        data = self.contentResolver().read(uri + "/../../../../../../../../../../../../../../../../etc/hosts")
    except ReflectionException as e:
        if "java.io.FileNotFoundException" in str(e) or \
           "java.lang.IllegalArgumentException" in str(e) or \
           "java.lang.SecurityException" in str(e) or \
           "No content provider" in str(e) or \
           "RuntimeException" in str(e):
            data = ""
        else:
            raise
    if data != None and len(data) > 0:
        vulnerable.add(uri)
```
This is all sensible at a glance, but the drozer 2 logic was actually flawed due to a missing `>= 0` - if the string `RuntimeException` was NOT found, `string.find()` would return `-1`, causing the entire `if` statement to evaluate as `True`. In practice, this means that it set `data` to `""` if `e.message` contained one of the first four strings OR didn't start with `RuntimeException`. The only way for it to really go `False` would be to start with `RuntimeException` and not contain any of the other four strings. This probably always evaluated as `True`, and so the exception was likely never raised.
Now, drozer 3's logic attempts to implement the same intention, but without the same error. As a result it ends up with a statement that throws the exception much more often. My suspicion is that drozer 2 worked by accident.
The obvious solution here appears to be to remove the `if` statement entirely, and to gracefully handle all exceptions that come from the content provider. In the future, we may add handlers for scenarios like a non-existent provider (to give a meaningful message to the user), but for now this will make the module work as it did before.
Once pull request #427 is merged, please try building drozer 3 and see if this works for you. I strongly suspect it will.
We'll keep the issue open, because ideally we should add a few exception type checks here and there.
from drozer.
Keeping this open as a reminder to do further work on those exception checks
from drozer.
Okay, so, having done a bit more work on that, realistically speaking better error checking here is gonna be difficult. Different versions of Android throw different exceptions, and Catching 'Em All™ is likely not practical. Closing this for the time being - it currently works as well as drozer 2 ever did
from drozer.