Developers Targeted in ‘ParseDroid’ PoC Attack

Researchers have developed a proof of concept attack that could impact the millions of users of integrated development environments such as Intellij, Eclipse and Android Studio. Attacks can also be carried out against servers hosting development environments in the cloud.
The attack vector was identified by the Check Point Research Team, which on Tuesday released a proof of concept (PoC) it is calling ParseDroid.
“The vulnerabilities in question are the developer tools, both downloadable and cloud based, that the Android application ecosystem, the largest application community in the world, is using,” wrote Eran Vaknin, Gal Elbaz, Alon Boxiner and Oded Vanunu who co-authored the Check Point blog outlining the research.
Impacted are popular open source reverse-engineering tools such as APKtool and CuckooDroid that Java and Android programmers use to build applications and that security analysts use to reverse engineer binaries, researchers said.
The Check Point PoC leverages a developer’s dependence on open source repositories such as GitHub, Maven, Bitbucket and others.
Repositories are essential tools helping developers find pre-existing code that adds functionality for their software projects without having to reinvent the wheel. Java application developers, for example, rely on pre-existing frameworks to handle encryption, visual elements and libraries for handling data.
Check Point’s PoC demonstrated how a malicious actor could create a malicious library that would be attractive to a developer targeted in an attack. First, the bad actor uploads the bad code library to a public repository.
Next, the threat actor manipulates the ranking of the malicious library, increasing the odds that the targeted developer will pull it into an application under development.
If the malicious library is used, the attacker can gain control of not just the integrated development environment, but also the developer’s computer. Once the threat actor has a foothold on the developer’s computer, they can do any number of things, from stealing credentials and moving laterally within a connected network to altering how an Android app being developed works.
Researchers said that cloud-based integrated development environments are also vulnerable to this type of attack. But, instead of an attacker gaining access to a single computer, they can gain control of the targeted server running the cloud-based integrated development environment and online APK analyzers such as APKtool.
“By looking at the source code of APKtool, we managed to identify an XML External Entity (XXE) vulnerability, due to the fact that the configured XML parser of APKtool does not disable external entity references when parsing an XML file within the program,” researchers said.

“The vulnerability exposes the whole OS file system of APKtool users, and as a result, attackers could then potentially retrieve any file on the victim’s PC by using a malicious ‘AndroidManifest.xml’ file that exploits an XXE vulnerability,” they said.
Just as files can be extracted from targeted systems, an attacker can also use the same vector to inject arbitrary files anywhere in the targeted computer’s file system leading to full remote code execution, researchers said.
“Any APKtool user/service that will try to decode a crafted malicious APK is vulnerable to RCE,” researchers said.
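The parser misconfiguration the researchers describe is a generic one, so the fix is easy to show. The following is an added example written for this article, not code from APKtool or from Check Point’s PoC: it builds a JDK `DocumentBuilder` with default settings next to one hardened against XXE, then feeds both a constructed manifest whose prolog declares an external entity. The class name, the sample manifest and the `file:///PLACEHOLDER_PATH` URI are all assumptions made for the demonstration; a genuine `AndroidManifest.xml` carries no DOCTYPE at all, which is why the hardened parser simply refuses any document that has one.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXParseException;

// Hypothetical class written for this article; not part of APKtool.
public class ManifestParserCheck {

    // Constructed sample: a manifest whose prolog declares an external entity.
    // The SYSTEM URI is a placeholder. The DOCTYPE itself is the tell: a real
    // AndroidManifest.xml never has one.
    static final String SUSPICIOUS_MANIFEST =
        "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n"
      + "<!DOCTYPE manifest [\n"
      + "  <!ENTITY ext SYSTEM \"file:///PLACEHOLDER_PATH\">\n"
      + "]>\n"
      + "<manifest xmlns:android=\"http://schemas.android.com/apk/res/android\"\n"
      + "          package=\"com.example.placeholder\">\n"
      + "  <application android:label=\"&ext;\"/>\n"
      + "</manifest>\n";

    // Weak configuration: the JDK's default DocumentBuilder accepts a DOCTYPE
    // and resolves external general entities, which is the condition the
    // researchers found in APKtool's parser.
    static DocumentBuilder weakBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened configuration: reject any DOCTYPE outright, and additionally
    // switch off external entity resolution and external DTD loading in case
    // the first feature is not honoured by a substituted parser implementation.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Classifies what a parser does with the sample instead of just pass/fail,
    // because the weak parser's outcome depends on whether the placeholder
    // path exists: either it reads the file into the document or it fails
    // trying to open it. Both prove that resolution was attempted.
    static String describe(DocumentBuilder b, String xml) {
        try {
            b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return "parsed: external entity was resolved and inlined";
        } catch (SAXParseException e) {
            return "rejected before resolution: " + e.getMessage();
        } catch (IOException e) {
            return "attempted to open the external resource: " + e.getMessage();
        } catch (Exception e) {
            return "failed: " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default parser  -> " + describe(weakBuilder(), SUSPICIOUS_MANIFEST));
        System.out.println("hardened parser -> " + describe(hardenedBuilder(), SUSPICIOUS_MANIFEST));
    }
}
```

Run with `javac ManifestParserCheck.java && java ManifestParserCheck`. The default parser either inlines the file or reports that it tried to open the placeholder path; the hardened parser stops at the DOCTYPE with a `SAXParseException` and never touches the file system. The same feature flags apply to `SAXParserFactory` and `XMLInputFactory`, so any tool that decodes attacker-supplied XML, as an APK decoder does, should set them before parsing.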
This is not the first time malicious libraries have been planted on repositories. What makes this different is that the code associated with a ParseDroid attack is not analyzed by the repositories, researchers said.
“The difference is that we are exploiting a vulnerability in Android integrated development environment by embedding malicious code within a library/APK and as the developer imports the library/APK into his environment it’s automatically synced and executed,” said Vaknin in an interview with Threatpost.
According to the researchers, Google and the makers of the integrated development environments Intellij, Eclipse and Android Studio were warned of this type of attack in May. Check Point said the vendors have since updated their platforms so that the PoC no longer works.
“We have released this because we want to make sure developers will update their integrated development environments because currently they are vulnerable,” Vanunu said.