CVE20153860.java

/*
 * This file is licenced under the MIT licence:
 *
 * The MIT License (MIT)
 *
 * Copyright (c) 2016 Edgar Villani Peres (seizonsenryaku)
 *
 * Permission is hereby granted, free of charge, to any person obtaining a copy
 * of this software and associated documentation files (the "Software"), to deal
 * in the Software without restriction, including without limitation the rights
 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 * copies of the Software, and to permit persons to whom the Software is
 * furnished to do so, subject to the following conditions:
 *
 * The above copyright notice and this permission notice shall be included in all
 * copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 * SOFTWARE.
 */

package fuzion24.device.vulnerability.vulnerabilities.system;

import android.content.Context;
import android.os.Build;

import org.w3c.dom.Document;
import org.w3c.dom.NamedNodeMap;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

import java.io.BufferedInputStream;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;

import javax.xml.parsers.ParserConfigurationException;

import fr.xgouchet.axml.CompressedXmlParser;
import fuzion24.device.vulnerability.util.CPUArch;
import fuzion24.device.vulnerability.vulnerabilities.VulnerabilityTest;

public class CVE20153860 implements VulnerabilityTest {

    @Override
    public String getCVEorID() {
        return "CVE-2015-3860";
    }

    @Override
    public boolean isVulnerable(Context context) throws Exception {

        //versions 4.4 and below seems to not be vulnerable
        if (Build.VERSION.SDK_INT <= Build.VERSION_CODES.KITKAT) {
            return false;
        }

        boolean vulnerable = false;
        try {

            final String axmlPath = "res/layout/keyguard_password_view.xml";
            final String systemUiPath = "/system/priv-app/SystemUI/SystemUI.apk";

            final byte[] unzippedXml =
                    unzipFileToRam(systemUiPath, axmlPath);
            final Document doc =
                    new CompressedXmlParser().parseDOM(new ByteArrayInputStream(unzippedXml));
            final NodeList nodeList = doc.getElementsByTagName("EditText");
            final int numberOfNodes = nodeList.getLength();

            if (numberOfNodes == 0) {
                throw new Exception("Could not find password field " +
                        "(possible incompatible ROM Android version)");
            }

            for (int i = 0; i < numberOfNodes; i++) {
                final NamedNodeMap namedNodeMap = nodeList.item(i).getAttributes();
                final Node id = namedNodeMap.getNamedItem("android:maxLength");
                if (id == null || Integer.parseInt(id.getNodeValue()) > 500) {
                    vulnerable = true;
                    break;
                }
            }
        } catch (IOException | ParserConfigurationException e) {
            throw new Exception("Couldn't read keyguard XML layout " +
                    "(possible incompatible ROM or Android version)");
        } catch (NumberFormatException e) {
            throw new Exception("Invalid password field max length " +
                    "(possible incompatible ROM or Android version).");
        }
        return vulnerable;
    }

    @Override
    public List<CPUArch> getSupportedArchitectures() {
        final ArrayList<CPUArch> supportedArchs = new ArrayList<>();
        supportedArchs.add(CPUArch.ALL);
        return supportedArchs;
    }

    private byte[] unzipFileToRam(String zipPath, String fileToUnzipPath) throws IOException {

        final FileInputStream fileInputStream = new FileInputStream(zipPath);
        final ZipInputStream zipInputStream = new
                ZipInputStream(new BufferedInputStream(fileInputStream));

        ZipEntry zipEntry;
        ByteArrayOutputStream byteArrayOutputStream = null;
        while ((zipEntry = zipInputStream.getNextEntry()) != null) {
            final String filename = zipEntry.getName();
            if (!fileToUnzipPath.equals(filename)) {
                continue;
            }

            final int bufferSize = 1024;
            final byte buffer[] = new byte[bufferSize];
            byteArrayOutputStream = new ByteArrayOutputStream();
            int numBytesRead;
            while ((numBytesRead = zipInputStream.read(buffer, 0, bufferSize)) != -1) {
                byteArrayOutputStream.write(buffer, 0, numBytesRead);
            }
        }
        if (byteArrayOutputStream == null) {
            throw new IOException("fileToUnzipPath not found in archive.");
        }
        byte[] byteArray = byteArrayOutputStream.toByteArray();
        zipInputStream.close();
        byteArrayOutputStream.close();

        return byteArray;
    }
}