Mark 2.5.4 release (#504)

* Prevent command.log from being appended to when run in a loop

* Ignore a rather stupid vulnerability scan alert for pip

.safety-policy.yml

@@ -0,0 +1,9 @@
+# Safety Security and License Configuration file
+# We recommend checking this file into your source control in the root of your Python project
+# If this file is named .safety-policy.yml and is in the same directory where you run `safety check` it will be used by default.
+# Otherwise, you can use the flag `safety check --policy-file <path-to-this-file>` to specify a custom location and name for the file.
+# To validate and review your policy file, run the validate command: `safety validate policy_file --path <path-to-this-file>`
+security: # configuration for the `safety check` command
+    ignore-vulnerabilities: # Here you can list multiple specific vulnerabilities you want to ignore (optionally for a time period)
+        67599: # Example vulnerability ID
+            reason: disputed, inapplicable

mvt/android/artifacts/dumpsys_accessibility.py

@@ -4,6 +4,7 @@
 #   https://license.mvt.re/1.1/
 
 from .artifact import AndroidArtifact
+import re
 
 
 class DumpsysAccessibilityArtifact(AndroidArtifact):
@@ -25,6 +26,8 @@ class DumpsysAccessibilityArtifact(AndroidArtifact):
 
         :param content: content of the accessibility section (string)
         """
+
+        # "Old" syntax
         in_services = False
         for line in content.splitlines():
             if line.strip().startswith("installed services:"):
@@ -35,6 +38,7 @@ class DumpsysAccessibilityArtifact(AndroidArtifact):
                 continue
 
             if line.strip() == "}":
+                # At end of installed services
                 break
 
             service = line.split(":")[1].strip()
@@ -45,3 +49,19 @@ class DumpsysAccessibilityArtifact(AndroidArtifact):
                     "service": service,
                 }
             )
+
+        # "New" syntax - AOSP >= 14 (?)
+        # Looks like:
+        # Enabled services:{{com.azure.authenticator/com.microsoft.brooklyn.module.accessibility.BrooklynAccessibilityService}, {com.agilebits.onepassword/com.agilebits.onepassword.filling.accessibility.FillingAccessibilityService}}
+
+        for line in content.splitlines():
+            if line.strip().startswith("Enabled services:"):
+                matches = re.finditer(r"{([^{]+?)}", line)
+
+                for match in matches:
+                    # Each match is in format: <package_name>/<service>
+                    package_name, _, service = match.group(1).partition("/")
+
+                    self.results.append(
+                        {"package_name": package_name, "service": service}
+                    )

mvt/android/artifacts/settings.py

@@ -51,6 +51,11 @@ ANDROID_DANGEROUS_SETTINGS = [
         "key": "install_non_market_apps",
         "safe_value": "0",
     },
+    {
+        "description": "enabled accessibility services",
+        "key": "accessibility_enabled",
+        "safe_value": "0",
+    },
 ]
 
 

mvt/common/command.py

@@ -85,6 +85,15 @@ class Command:
         )
         file_handler.setLevel(logging.DEBUG)
         file_handler.setFormatter(formatter)
+
+        # MVT can be run in a loop
+        # Old file handlers stick around in subsequent loops
+        # Remove any existing logging.FileHandler instances
+        for handler in logger.handlers:
+            if isinstance(handler, logging.FileHandler):
+                logger.removeHandler(handler)
+
+        # And finally add the new one
         logger.addHandler(file_handler)
 
     def _store_timeline(self) -> None:

mvt/common/utils.py

@@ -59,6 +59,9 @@ def convert_datetime_to_iso(date_time: datetime.datetime) -> str:
     :rtype: str
 
     """
+    if not date_time:
+        return ""
+
     if date_time.tzinfo:
         # Timezone aware object - convert to UTC
         date_time = date_time.astimezone(tz=datetime.timezone.utc)

mvt/common/version.py

@@ -3,4 +3,4 @@
 # Use of this software is governed by the MVT License 1.1 that can be found at
 #   https://license.mvt.re/1.1/
 
-MVT_VERSION = "2.5.3"
+MVT_VERSION = "2.5.4"

mvt/ios/data/ios_versions.json

@@ -988,6 +988,10 @@
         "version": "16.7.7",
         "build": "20H330"
     },
+    {
+        "version": "16.7.8",
+        "build": "20H343"
+    },
     {
         "version": "17.0",
         "build": "21A327"
@@ -1055,5 +1059,13 @@
     {
         "version": "17.4.1",
         "build": "21E237"
+    },
+    {
+        "version": "17.5",
+        "build": "21F79"
+    },
+    {
+        "version": "17.5.1",
+        "build": "21F90"
     }
 ]

tests/android/test_artifact_dumpsys_accessibility.py

@@ -26,6 +26,18 @@ class TestDumpsysAccessibilityArtifact:
             == "com.android.settings/com.samsung.android.settings.development.gpuwatch.GPUWatchInterceptor"
         )
 
+    def test_parsing_v14_aosp_format(self):
+        da = DumpsysAccessibilityArtifact()
+        file = get_artifact("android_data/dumpsys_accessibility_v14_or_later.txt")
+        with open(file) as f:
+            data = f.read()
+
+        assert len(da.results) == 0
+        da.parse(data)
+        assert len(da.results) == 1
+        assert da.results[0]["package_name"] == "com.malware.accessibility"
+        assert da.results[0]["service"] == "com.malware.service.malwareservice"
+
     def test_ioc_check(self, indicator_file):
         da = DumpsysAccessibilityArtifact()
         file = get_artifact("android_data/dumpsys_accessibility.txt")

tests/artifacts/android_data/dumpsys_accessibility_v14_or_later.txt

@@ -0,0 +1,46 @@
+DUMP OF SERVICE accessibility:
+Service host process PID: 633
+Threads in use: 0/14
+Client PIDs: 2445, 2428, 2405, 2235, 2215, 2164, 2148, 2130, 2104, 2062, 1879, 1824, 1736, 1748, 1746, 1617, 1605, 1606, 1582, 1538, 1523, 1474, 1307, 1237, 1118, 1081, 1076, 1023, 997, 978, 882, 187
+ACCESSIBILITY MANAGER (dumpsys accessibility)
+
+currentUserId=0
+hasWindowMagnificationConnection=false
+Magnifier on display#0
+    MagnificationConfig[mode: 1, activated: false, scale: 1.0, centerX: 360.0, centerY: 640.0] 
+    Magnification region=SkRegion((3,3,717,1277))
+    IdOfLastServiceToMagnify=-1
+    SupportWindowMagnification=true
+    WindowMagnificationConnectionState=DISCONNECTED
+User state[
+     attributes:{id=0, touchExplorationEnabled=false, serviceHandlesDoubleTap=false, requestMultiFingerGestures=false, requestTwoFingerPassthrough=false, sendMotionEventsEnabledfalse, displayMagnificationEnabled=false, autoclickEnabled=false, nonInteractiveUiTimeout=0, interactiveUiTimeout=0, installedServiceCount=2, magnificationModes={0=1}, magnificationCapabilities=3, audioDescriptionByDefaultEnabled=false, magnificationFollowTypingEnabled=true, alwaysOnMagnificationEnabled=true}
+     shortcut key:{}
+     button:{}
+     button target:{null}
+     Bound services:{Service[label=Accessibility service, feedbackType[FEEDBACK_SPOKEN, FEEDBACK_HAPTIC, FEEDBACK_AUDIBLE, FEEDBACK_VISUAL, FEEDBACK_GENERIC, FEEDBACK_BRAILLE], capabilities=11, eventTypes=TYPES_ALL_MASK, notificationTimeout=1000, requestA11yBtn=false]}
+     Enabled services:{{com.malware.accessibility/com.malware.service.malwareservice}}
+     Binding services:{}
+     Crashed services:{}
+     Client list info:{
+          Client list callbacks: 6
+          Client list killed: false
+          Client list broadcasts count: -1
+          Registered clients:{
+[com.malware.accessibility][com.android.launcher3][com.android.systemui][com.android.launcher3][com.android.settings.intelligence][com.android.inputmethod.latin]}]
+
+Window attributes:[{1=AccessibilityWindowAttributes{mAccessibilityWindowTitle=nullmLocales=[en_US]}, 2=AccessibilityWindowAttributes{mAccessibilityWindowTitle=nullmLocales=[en_US]}, 3=AccessibilityWindowAttributes{mAccessibilityWindowTitle=nullmLocales=[en_US]}, 4=AccessibilityWindowAttributes{mAccessibilityWindowTitle=nullmLocales=[en_US]}, 5=AccessibilityWindowAttributes{mAccessibilityWindowTitle=nullmLocales=[en_US]}, 6=AccessibilityWindowAttributes{mAccessibilityWindowTitle=nullmLocales=[en_US]}, 7=AccessibilityWindowAttributes{mAccessibilityWindowTitle=HomemLocales=[en_US]}, 9=AccessibilityWindowAttributes{mAccessibilityWindowTitle=SettingsmLocales=[en_US]}, 10=AccessibilityWindowAttributes{mAccessibilityWindowTitle=Settings SuggestionsmLocales=[en_US]}}]
+A11yInputFilter Info : 
+Enabled features of Display [0] = [KeyboardInterceptor]
+Global client list info:{
+    Client list callbacks: 4
+    Client list killed: false
+    Client list broadcasts count: -1
+    Registered clients:{
+[com.android.permissioncontroller][com.android.dynsystem, com.android.server.telecom, com.android.keychain, com.android.settings, com.android.localtransport, com.android.wallpaperbackup, com.android.inputdevices, com.android.providers.settings, android, com.android.emulator.multidisplay, com.android.location.fused][com.android.emulator.multidisplay, com.android.wallpaperbackup, com.android.settings, com.android.keychain, com.android.dynsystem, com.android.inputdevices, com.android.providers.settings, com.android.localtransport, com.android.server.telecom, android, com.android.location.fused][com.android.systemui]
+
+Proxy manager state:
+    Number of proxy connections: 0
+    Registered proxy connections:
+Accessibility Display Listener:
+    SystemUI uid: 10076
+    1 valid display: 0