Message-Id: <201301071334.r07DYRWr021005@sf01web3.securityfocus.com>
Date: Mon, 7 Jan 2013 13:34:27 GMT
From: mbsdtest01@...il.com
To: bugtraq@...urityfocus.com
Subject: Chrome for Android - Bypassing SOP for Local Files By Symlinks

CVE Number:         CVE-2012-4908
Title:              Chrome for Android - Bypassing SOP for Local Files By Symlinks
Affected Software:  Confirmed on Chrome for Android v18.0.1025123
Credit:             Takeshi Terada
Issue Status:       v18.0.1025308 was released which fixes this vulnerability

Overview:
  Chrome for Android's Same-Origin Policy for local files (file: URI) can be
  bypassed by using symbolic links. This allows a malicious Android app to
  steal Chrome's private files.

Details:
  Chrome for Android seems to forbid a local file from reading another
  local file, except for the originating file itself.

  http://code.google.com/p/chromium/issues/detail?id=37586

  However, it is possible to circumvent this restriction with a trick
  involving a symbolic link.

  This issue enables malicious Android apps to steal Chrome's private
  files such as Chrome's Cookie file, bookmark file, and so on.

  As an example, steps to steal Chrome's Cookie file are described below:

  1. An attacker's app creates a malicious HTML file, and makes Chrome load
     its URL with a file: URI. The malicious HTML contains JavaScript code
     which, a few seconds later, tries to read the content of the same URL
     as the malicious HTML itself via XMLHttpRequest.

     <body>
     <u>Wait a few seconds.</u>
     <script>
     // Re-request this page's own URL (allowed by the file: SOP, since it is
     // the originating file) after a delay that leaves time for step 2.
     function doitjs() {
       var xhr = new XMLHttpRequest();
       xhr.onload = function() {
         alert(xhr.responseText);  // whatever the path resolves to by now
       };
       xhr.open('GET', document.URL);
       xhr.send(null);
     }
     setTimeout(doitjs, 8000);
     </script>
     </body>

  2. Before XHR fires, the attacker's app replaces the malicious
     HTML file with a symlink pointing to Chrome's Cookie file.

  3. When XHR fires, Chrome follows the symlink and provides the
     content of the Chrome's Cookie file to the malicious HTML.

  The attacker's app can also get the content of Chrome's other private
  files in a similar manner.
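  The swap in step 2 is a time-of-check/time-of-use race: the origin decision
  is made on a path, and the later read resolves the same path again. As an
  added defender-side illustration (not from this advisory and not Chrome's
  actual fix), the C code below opens local resources with O_NOFOLLOW so that
  a symlink swapped in after the first load is refused, and exercises that
  check on constructed files in a temporary directory. It assumes Linux, where
  a refused symlink yields ELOOP; file names and the EACCES policy code are
  constructed for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a local resource without following a symlink in the final path
 * component. Returns an fd >= 0, or -1 with errno set (ELOOP when the
 * path is a symlink, i.e. after a swap like the advisory's step 2). */
int open_local_nofollow(const char *path) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;
    struct stat st;                /* defence in depth: regular file only */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EACCES;            /* constructed policy error for the example */
        return -1;
    }
    return fd;
}

/* Replay the advisory's sequence on constructed files: load page.html,
 * replace it with a symlink to secret.txt, then re-read the same path.
 * Returns 1 if the first open succeeds and the re-read is refused with
 * ELOOP, 0 otherwise. */
int symlink_swap_is_refused(void) {
    char dir[] = "/tmp/sopcheckXXXXXX";          /* constructed temp dir */
    if (!mkdtemp(dir)) return 0;
    char page[256], secret[256];
    snprintf(page, sizeof page, "%s/page.html", dir);
    snprintf(secret, sizeof secret, "%s/secret.txt", dir);
    FILE *f = fopen(page, "w");   if (!f) return 0;
    fputs("<body>constructed page</body>", f); fclose(f);
    f = fopen(secret, "w");       if (!f) return 0;
    fputs("constructed private data", f); fclose(f);

    int fd1 = open_local_nofollow(page);        /* step 1: original load */
    if (fd1 < 0) return 0;
    close(fd1);
    unlink(page);                               /* step 2: swap in symlink */
    if (symlink(secret, page) != 0) return 0;
    int fd2 = open_local_nofollow(page);        /* step 3: the XHR re-read */
    int refused = (fd2 < 0 && errno == ELOOP);
    if (fd2 >= 0) close(fd2);
    unlink(page); unlink(secret); rmdir(dir);
    return refused;
}
```

  O_NOFOLLOW only guards the last path component; a loader that must also
  resist symlinked parent directories should resolve and open the file once
  and reuse that descriptor for both the origin decision and every later read.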

Proof of Concept:
  HTML/JavaScript is shown above. At present I do not have plans to disclose
  a PoC of the malicious Android app.

Timeline:
  2012/08/19  Reported to Google security team
  2012/08/25  Re-reported to Chrome security team
  2012/09/12  Vendor announced v18.0.1025308
  2013/01/07  Disclosure of this advisory

Recommendation:
  Upgrade to the latest version.

Reference:
  http://googlechromereleases.blogspot.jp/2012/09/chrome-for-android-update.html
  https://code.google.com/p/chromium/issues/detail?id=144866
