## https://sploitus.com/exploit?id=PACKETSTORM:160670
Video and POC here : https://www.youtube.com/watch?v=hAPkSGxh9H0  
  
When you open a project in Android Studio, if gradle-wrapper.properties sets
distributionUrl=https\://services.gradle.org/distributions/gradle-2.6-all.zip
then Android Studio will download and extract gradle-2.6-all.zip, and the jar files in this zip will be executed by java.exe. There is a plexus-interpolation-1.14.jar in gradle-2.6\lib\plugins, and its source code can be found here:
https://repo1.maven.org/maven2/org/codehaus/plexus/plexus-interpolation/1.14/
  
In plexus-interpolation-1.14-sources\org\codehaus\plexus\interpolation\os\OperatingSystemUtils.java we can find code like:
exec( "cmd.exe /c set" );
  
"C:\Program Files\Android\Android Studio\bin\studio64.exe" creates "C:\Program Files\Android\Android Studio\jre\bin\java.exe", and java.exe runs with the project directory as its working directory. So if there is a cmd.exe in the project directory, it will be executed. An attacker can send a malicious project to a victim to get remote code execution.
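As an added example (not code from plexus-interpolation, Gradle or Android Studio), the following Java class places the bare-name pattern the advisory points at next to a hardened variant that resolves cmd.exe to an absolute path under %SystemRoot%\System32 and checks that the file exists there before anything is launched, so a cmd.exe planted in the working directory is never picked up. The class name SafeCmdExec, the helper names and the C:\Windows fallback are assumptions made for this example.

```java
import java.io.File;
import java.io.IOException;
import java.util.Arrays;
import java.util.List;

/**
 * Added example, not project code. Demonstrates why a bare executable name
 * handed to exec() is an untrusted-search-path problem on Windows and how to
 * pin the interpreter to the system directory instead.
 */
public final class SafeCmdExec {

    private SafeCmdExec() {}

    /**
     * Vulnerable form (mirrors the advisory): "cmd.exe" carries no directory,
     * so the process launcher may find a cmd.exe sitting in the current
     * working directory, i.e. the opened project, before the real one.
     */
    static List<String> unsafeCommand() {
        return Arrays.asList("cmd.exe", "/c", "set");
    }

    /**
     * Hardened form: the interpreter is referenced by an absolute path built
     * from %SystemRoot%, so the working directory plays no part in lookup.
     */
    static List<String> safeCommand() throws IOException {
        File cmd = resolveSystemCmd();
        return Arrays.asList(cmd.getAbsolutePath(), "/c", "set");
    }

    /** Locates %SystemRoot%\System32\cmd.exe and verifies it is really there. */
    static File resolveSystemCmd() throws IOException {
        String systemRoot = System.getenv("SystemRoot");
        if (systemRoot == null || systemRoot.isEmpty()) {
            systemRoot = "C:\\Windows"; // assumption: default Windows install location
        }
        File cmd = new File(new File(systemRoot, "System32"), "cmd.exe");
        if (!cmd.isAbsolute() || !cmd.isFile()) {
            throw new IOException("cmd.exe not found under " + systemRoot + "\\System32");
        }
        return cmd;
    }

    /** Runs the hardened command and returns the environment listing as text. */
    static String readEnvironment() throws IOException, InterruptedException {
        ProcessBuilder pb = new ProcessBuilder(safeCommand());
        pb.redirectErrorStream(true);
        Process p = pb.start();
        byte[] out = p.getInputStream().readAllBytes(); // Java 9+
        p.waitFor();
        return new String(out);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("unsafe argv: " + unsafeCommand());
        System.out.println("safe argv:   " + safeCommand());
        System.out.println(readEnvironment());
    }
}
```

The point of the hardened variant is that the only thing the project directory can influence is the working directory, and an absolute path makes the working directory irrelevant to which binary runs; the existence check also turns a missing or tampered system directory into a clear error rather than a silent fallback to whatever is on the path.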
  
Timeline  
Nov 25, 2020 : reported to Google VRP
Nov 25, 2020 : receipt confirmed
Nov 26, 2020 : triaged
Nov 28, 2020 : "this might not be severe enough to qualify for a reward,  
though the panel will take a look at the next meeting and we'll update you  
once we've got more information"  
Dec 16, 2020 : "We have notified the team about this issue, they will  
review your report and decide whether they want to make a change or not.  
Thanks for letting us know. Regarding our Vulnerability Reward Program, the  
panel decided this issue's security impact does not meet the criteria to  
qualify for a reward in the program, so we won't be issuing a reward at  
this time"  
Dec 16, 2020 : asked why there was no bounty for this
Dec 16, 2020 : "Opening untrusted code with IDEs is just inherently  
insecure. You have to trust the code you open in an IDE. We could add a  
modal dialog warning after opening any project that you should only open  
trusted projects, but developers are aware of this already. For example,  
practically all build system allows executing code if an attacker controls  
the config files, and that's something that can't be fixed and everyone  
knows it. And if you open a project in an IDE, you'll most likely want to  
build it"  
This is ridiculous. I replied : "If this happened on Xcode or Visual Studio, I would agree with you. But this is Android Studio, and an APK cannot just run on a PC. Also the malicious code executes when the project is opened and does not require any other actions like build or debug. In my PoC every file just looks normal and not suspicious except the cmd.exe, whose attribute the attacker can also set to hidden. From a developer's point of view, no one will believe that opening a project in Android Studio causes malicious code to execute on the PC"
Google replied : "Android vs desktop IDE doesn't make much difference I
think. I wouldn't run a malicious APK in the android studio emulator, since  
it is not a security boundary. Also, I wouldn't assume that the build  
system works very differently for building an APK than building an EXE  
file. And all projects are built upon opening, it is a prerequisite for  
making essential features of the IDE work"  
I knew I could not persuade Google to give me a bounty, so I asked for public disclosure, and Google agreed. Now I want to explain why I think this is a serious problem, and also why the reason Google refused to give me a bounty is ridiculous again.
  
1. Except cmd.exe, everything else is just normal files.
2. cmd.exe will be executed after opening the project; it does not require any other actions like build or debug.
3. Even if you open and build a project like the source code of some Android malware, an APK cannot run on a PC, so it cannot affect your PC. This is very different from Xcode or Visual Studio.
  
Last time I reported an LPE in another Google desktop product and they said : "As a part of our Vulnerability Reward Program, we decided that it does not meet the bar for a financial reward, but we would like to acknowledge your contribution to Google security in our Hall of Fame". I did not complain. Now the same thing has just happened again, even though I found an RCE. It is so F*** ridiculous to hear something like this: yes, it is a valid vulnerability, but we just do not want to pay, even though reward amounts for your vulnerability are listed in https://www.google.com/about/appsecurity/reward-program/.
F*** you google.