Researchers have developed a proof of concept attack that could impact the millions of users of integrated development environments such as Intellij, Eclipse and Android Studio. Attacks can also be carried out against servers hosting development environments in the cloud.
The attack vector was identified by the Check Point Research Team, which on Tuesday released a proof of concept (PoC) it is calling ParseDroid.
“The vulnerabilities in question are the developer tools, both downloadable and cloud based, that the Android application ecosystem, the largest application community in the world, is using,” wrote Eran Vaknin, Gal Elbaz, Alon Boxiner and Oded Vanunu who co-authored the Check Point blog outlining the research.
Impacted are popular open source reverse-engineering tools such as APKtool and CuckooDroid that Java and Android programmers use to build applications and that security analysts use to reverse engineer binaries, researchers said.
The Check Point PoC leverages a developer’s dependence on open source repositories such as GitHub, Maven, Bitbucket and others.
Repositories are essential tools helping developers find pre-existing code that adds functionality for their software projects without having to reinvent the wheel. Java application developers, for example, rely on pre-existing frameworks to handle encryption, visual elements and libraries for handling data.
Check Point’s PoC demonstrated how a malicious actor could create a malicious library that would be attractive to a developer targeted in an attack. First step, the bad actor uploads the bad code library to public repository.
Next, threat actors manipulate the ranking of their malicious library, increasing the odds the targeted developer will use its malicious library as part of an application under their development.
If the malicious library is used, then the attacker can gain control of not just the integrated developer environment, but also the developer’s computer. Once the threat actor has a foothold on the developer’s computer they can do any number of things from stealing credentials, laterally moving within a connected network or affect how an Android app being developed works.
Researchers said that cloud-based integrated development environments are also vulnerable to this type of attack. But, instead of an attacker gaining access to a single computer, they can gain control of the targeted server running the cloud-based integrated development environment and online APK analyzers such as APKtool.
“By looking at the source code of APKtool, we managed to identify an XML External Entity (XXE) vulnerability, due to the fact that the configured XML parser of APKtool does not disable external entity references when parsing an XML file within the program,” researchers said.
“The vulnerability exposes the whole OS file system of APKtool users, and as a result, attackers could then potentially retrieve any file on the victim’s PC by using a malicious ‘AndroidManifest.xml’ file that exploits an XXE vulnerability,” they said.
Just as files can be extracted from targeted systems, an attacker can also use the same vector to inject arbitrary files anywhere in the targeted computer’s file system leading to full remote code execution, researchers said.
“Any APKtool user/service that will try to decode a crafted malicious APK is vulnerable to RCE,” researchers said.
This is not the first time malicious libraries have been planted on repositories. What makes this different is the code associated with a ParseDroid attack is not being analyzed by repositories, researchers said.
“The difference is that we are exploiting a vulnerability in Android integrated development environment by embedding malicious code within a library/APK and as the developer imports the library/APK into his environment it’s automatically synced and executed,” said Vaknin in an interview with Threatpost.
According to researchers, the Google and integrated development environments Intellij, Eclipse and Android Studio were warned of this type of attack in May. Check Point said since then vendors have updated their platform ensuring the PoC won’t work.
“We have released this because we want to make sure developers will update their integrated development environments because currently they are vulnerable,” Vanunu said.