/*
* This file is licenced under the MIT licence:
*
* The MIT License (MIT)
*
* Copyright (c) 2016 Edgar Villani Peres (seizonsenryaku)
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
package fuzion24.device.vulnerability.vulnerabilities.system;
import android.content.Context;
import android.os.Build;
import org.w3c.dom.Document;
import org.w3c.dom.NamedNodeMap;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import java.io.BufferedInputStream;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import javax.xml.parsers.ParserConfigurationException;
import fr.xgouchet.axml.CompressedXmlParser;
import fuzion24.device.vulnerability.util.CPUArch;
import fuzion24.device.vulnerability.vulnerabilities.VulnerabilityTest;
public class CVE20153860 implements VulnerabilityTest {
@Override
public String getCVEorID() {
return "CVE-2015-3860";
}
@Override
public boolean isVulnerable(Context context) throws Exception {
//versions 4.4 and below seems to not be vulnerable
if (Build.VERSION.SDK_INT <= Build.VERSION_CODES.KITKAT) {
return false;
}
boolean vulnerable = false;
try {
final String axmlPath = "res/layout/keyguard_password_view.xml";
final String systemUiPath = "/system/priv-app/SystemUI/SystemUI.apk";
final byte[] unzippedXml =
unzipFileToRam(systemUiPath, axmlPath);
final Document doc =
new CompressedXmlParser().parseDOM(new ByteArrayInputStream(unzippedXml));
final NodeList nodeList = doc.getElementsByTagName("EditText");
final int numberOfNodes = nodeList.getLength();
if (numberOfNodes == 0) {
throw new Exception("Could not find password field " +
"(possible incompatible ROM Android version)");
}
for (int i = 0; i < numberOfNodes; i++) {
final NamedNodeMap namedNodeMap = nodeList.item(i).getAttributes();
final Node id = namedNodeMap.getNamedItem("android:maxLength");
if (id == null || Integer.parseInt(id.getNodeValue()) > 500) {
vulnerable = true;
break;
}
}
} catch (IOException | ParserConfigurationException e) {
throw new Exception("Couldn't read keyguard XML layout " +
"(possible incompatible ROM or Android version)");
} catch (NumberFormatException e) {
throw new Exception("Invalid password field max length " +
"(possible incompatible ROM or Android version).");
}
return vulnerable;
}
@Override
public List<CPUArch> getSupportedArchitectures() {
final ArrayList<CPUArch> supportedArchs = new ArrayList<>();
supportedArchs.add(CPUArch.ALL);
return supportedArchs;
}
private byte[] unzipFileToRam(String zipPath, String fileToUnzipPath) throws IOException {
final FileInputStream fileInputStream = new FileInputStream(zipPath);
final ZipInputStream zipInputStream = new
ZipInputStream(new BufferedInputStream(fileInputStream));
ZipEntry zipEntry;
ByteArrayOutputStream byteArrayOutputStream = null;
while ((zipEntry = zipInputStream.getNextEntry()) != null) {
final String filename = zipEntry.getName();
if (!fileToUnzipPath.equals(filename)) {
continue;
}
final int bufferSize = 1024;
final byte buffer[] = new byte[bufferSize];
byteArrayOutputStream = new ByteArrayOutputStream();
int numBytesRead;
while ((numBytesRead = zipInputStream.read(buffer, 0, bufferSize)) != -1) {
byteArrayOutputStream.write(buffer, 0, numBytesRead);
}
}
if (byteArrayOutputStream == null) {
throw new IOException("fileToUnzipPath not found in archive.");
}
byte[] byteArray = byteArrayOutputStream.toByteArray();
zipInputStream.close();
byteArrayOutputStream.close();
return byteArray;
}
}