Video and PoC here: https://www.youtube.com/watch?v=hAPkSGxh9H0
When you open a project in Android Studio, if gradle-wrapper.properties sets
distributionUrl=https\://services.gradle.org/distributions/gradle-2.6-all.zip
then Android Studio downloads and extracts gradle-2.6-all.zip, and the jar
files in this zip are executed by java.exe. One of them is
plexus-interpolation-1.14.jar in gradle-2.6\lib\plugins, and its source code
can be found here:
https://repo1.maven.org/maven2/org/codehaus/plexus/plexus-interpolation/1.14/
In
plexus-interpolation-1.14-sources\org\codehaus\plexus\interpolation\os\OperatingSystemUtils.java
we can find code like:
exec( "cmd.exe /c set" );
The command name is not qualified with a directory.
"C:\Program Files\Android\Android Studio\bin\studio64.exe" creates
"C:\Program Files\Android\Android Studio\jre\bin\java.exe", and that java.exe
runs with the project directory as its current directory. Windows resolves an
unqualified executable name by searching the parent process's current
directory before the system directory and PATH, so if there is a cmd.exe in
the project directory it will be executed instead of the real one. An attacker
can therefore send a malicious project to a victim and get remote code
execution as soon as the project is opened.
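The lookup described above, as an added example in Python that is not part of the advisory, of Android Studio or of plexus-interpolation. It models the unqualified-name search that turns exec("cmd.exe /c set") into execution of a planted binary when the current directory is the project, shows the absolute-path fix beside it, and scans a project tree for files that would shadow system binaries (including ones with the Windows hidden attribute). The directory layout, the file contents and the list of binary names are constructed fixtures for the example and are assumptions, not data from the report.

```python
"""
Added example (not from the advisory, Android Studio or plexus-interpolation):
models the unqualified-executable lookup that turns exec("cmd.exe /c set")
into code execution from a project directory, and scans a project tree for
files that would shadow system binaries. All paths and files are constructed
fixtures, built in a temp directory, so it runs on any OS.
"""
import tempfile
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

# Names an untrusted project should never contain as Windows executables.
# Assumed list for this example; extend it for your own toolchain.
SHADOWABLE_BINARIES = {"cmd.exe", "powershell.exe", "java.exe", "git.exe"}

FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows st_file_attributes bit


def resolve_unqualified(name: str, app_dir: Path, cwd: Path,
                        path_dirs: Iterable[Path]) -> Optional[Path]:
    """Model CreateProcess's lookup for a command name with no directory.

    Documented order: the directory of the calling application, then the
    parent's current directory, then the system directories, then PATH.
    The system directory is passed in via path_dirs so the fixture can
    stand in for System32.
    """
    for directory in [app_dir, cwd, *path_dirs]:
        candidate = Path(directory) / name
        if candidate.is_file():
            return candidate
    return None


def resolve_hardened(name: str, system_dir: Path) -> Optional[Path]:
    """The fix: never search the current directory; use an absolute path
    under the system directory (e.g. %SystemRoot%\\System32 or %ComSpec%)."""
    candidate = Path(system_dir) / name
    return candidate if candidate.is_file() else None


def is_hidden(path: Path) -> bool:
    """True if the file carries the Windows hidden attribute (False elsewhere)."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN)


def scan_project(project_dir: Path) -> List[Tuple[Path, bool, bool]]:
    """Find files named like shadowable binaries anywhere under the project.

    Returns (path, is_pe, hidden). A PE image starts with the 'MZ' magic;
    rglob does not skip hidden files, so a hidden cmd.exe is still reported.
    """
    findings = []
    for path in sorted(Path(project_dir).rglob("*")):
        if path.is_file() and path.name.lower() in SHADOWABLE_BINARIES:
            with path.open("rb") as fh:
                is_pe = fh.read(2) == b"MZ"
            findings.append((path, is_pe, is_hidden(path)))
    return findings


def build_fixture() -> Tuple[Path, Path, Path]:
    """Constructed layout: a 'system' dir, a JRE dir and a malicious project."""
    root = Path(tempfile.mkdtemp(prefix="as-poc-"))
    system_dir = root / "System32"
    jre_bin = root / "AndroidStudio" / "jre" / "bin"
    project = root / "EvilProject"
    for d in (system_dir, jre_bin, project / "app" / "src"):
        d.mkdir(parents=True)
    (system_dir / "cmd.exe").write_bytes(b"MZ" + b"\x00" * 62 + b"real cmd")
    (jre_bin / "java.exe").write_bytes(b"MZ" + b"\x00" * 62 + b"jre java")
    (project / "build.gradle").write_text("apply plugin: 'com.android.application'\n")
    (project / "app" / "src" / "Main.java").write_text("class Main {}\n")
    # The planted binary: an unqualified "cmd.exe" resolves here when CWD == project.
    (project / "cmd.exe").write_bytes(b"MZ" + b"\x00" * 62 + b"attacker payload")
    return system_dir, jre_bin, project


def demo() -> dict:
    """Run the three lookups and the scanner against the constructed fixture."""
    system_dir, jre_bin, project = build_fixture()
    return {
        "vulnerable": resolve_unqualified("cmd.exe", jre_bin, project, [system_dir]),
        "safe_cwd": resolve_unqualified("cmd.exe", jre_bin, project.parent, [system_dir]),
        "hardened": resolve_hardened("cmd.exe", system_dir),
        "findings": scan_project(project),
        "project": project,
        "system_dir": system_dir,
    }


if __name__ == "__main__":
    r = demo()
    print("exec('cmd.exe') with CWD=project  ->", r["vulnerable"])
    print("exec('cmd.exe') with CWD elsewhere ->", r["safe_cwd"])
    print("absolute-path fix                 ->", r["hardened"])
    for path, is_pe, hidden in r["findings"]:
        print(f"suspicious: {path} PE={is_pe} hidden={hidden}")
```

The library-side fix is the absolute path (or a path derived from %ComSpec%); the IDE-side mitigation is not to run tooling with the untrusted project as its current directory. The scanner is the check a reviewer can run over a received project before opening it, since a hidden attribute does not hide the file from a directory walk.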
Timeline
Nov 25, 2020 : reported to google VRP
Nov 25, 2020 : confirm received
Nov 26, 2020 : triaged
Nov 28, 2020 : "this might not be severe enough to qualify for a reward,
though the panel will take a look at the next meeting and we'll update you
once we've got more information"
Dec 16, 2020 : "We have notified the team about this issue, they will
review your report and decide whether they want to make a change or not.
Thanks for letting us know. Regarding our Vulnerability Reward Program, the
panel decided this issue's security impact does not meet the criteria to
qualify for a reward in the program, so we won't be issuing a reward at
this time"
Dec 16, 2020 : asked why no bounty for this
Dec 16, 2020 : "Opening untrusted code with IDEs is just inherently
insecure. You have to trust the code you open in an IDE. We could add a
modal dialog warning after opening any project that you should only open
trusted projects, but developers are aware of this already. For example,
practically all build systems allow executing code if an attacker controls
the config files, and that's something that can't be fixed and everyone
knows it. And if you open a project in an IDE, you'll most likely want to
build it"
This is ridiculous. I replied: "If this happened in Xcode or Visual Studio,
I would agree with you. But this is Android Studio, and an apk cannot just run
on a PC. Also, the malicious code executes when the project is opened and does
not require any other action like build or debug. In my PoC every file
just looks normal and not suspicious except cmd.exe, which the attacker can
also set to hidden. From a developer's point of view, no one
will believe that opening a project in Android Studio causes malicious code to
execute on the PC"
google replied : "Android vs desktop IDE doesn't make much difference I
think. I wouldn't run a malicious APK in the android studio emulator, since
it is not a security boundary. Also, I wouldn't assume that the build
system works very differently for building an APK than building an EXE
file. And all projects are built upon opening, it is a prerequisite for
making essential features of the IDE work"
I knew I could not persuade Google to give me a bounty, so I asked for public
disclosure, and Google agreed. Now I want to explain why I think this is a
serious problem, and why the reason Google refused to give me a bounty is,
again, ridiculous.
*1. Except for cmd.exe, everything else is just a normal file.*
*2. cmd.exe is executed after the project is opened; no other action such as
build or debug is required.*
*3. Even if you open and build a project like the source code of some Android
malware, an apk cannot run on a PC, so it cannot affect your PC. This is very
different from Xcode or Visual Studio.*
Last time I reported an LPE in another Google desktop product and they said: "As
a part of our Vulnerability Reward Program, we decided that it does not
meet the bar for a financial reward, but we would like to acknowledge your
contribution to Google security in our Hall of Fame". I did not
complain. Now the same thing has just happened again, even though I found an
RCE. It is so F*** ridiculous to hear something like this: yes, it is a valid
vulnerability, but we just do not want to pay, even though reward amounts for
your vulnerability are listed at
https://www.google.com/about/appsecurity/reward-program/.
F*** you google.