lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAGoY5P+w=zmRA_Kf_x=rCbJiUEUdRJhbrzR9JSvdSZUfYYGPTw@mail.gmail.com>
Date: Fri, 14 Aug 2015 17:45:44 +0300
From: Vahagn Vardanyan <vvvaagn@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Sandbox bypass through Google Admin WebView

Sandbox bypass through Google Admin WebView

An issue was found in Google’s Android Admin application that allowed other
applications on the device to bypass sandbox restrictions to read arbitrary
files through the use of symbolic links.

The advisory can be downloaded here
<https://labs.mwrinfosecurity.com/system/assets/1021/original/mwri-advisory_sandbox_bypass_through_google_admin_webview.pdf>
.
Description

An issue was found when the Google Admin application received a URL via an
IPC call from any other application on the same device. The Admin
application would load this URL in a webview within its own activity. If an
attacker used a file:// URL to a file that they controlled, then it is
possible to use symbolic links to bypass Same Origin Policy and retrieve
data out of the Google Admin sandbox
Impact

A malicious application on the same device as the Google Admin application
is able to read data out of any file within the Google Admin sandbox,
bypassing the Android Sandbox.
Cause

The Google Admin application (com.google.android.apps.enterprise.cpanel),
has an exported activity that accepts an extra string calledsetup_url. This
can be triggered by any application on the device creating a new intent
with the data-uri set to http://localhost/foo and thesetup_url string set
to a file url that they can write to, such as
file://data/data/com.themalicious.app/worldreadablefile.html

The ResetPinActivity will then load this in the WebView under the
privileges of the Google Admin application.

The attacker adds HTML in to their world readable file, which includes an
iframe that will load the world readable file again within the frame after
a 1 second delay. The Google Admin application loads this file and renders
it into its WebView.

Next the attacker deletes the world readable file and replaces it with a
symbolic link of the same name that points to a file in the Google Admin
sandbox.

After one second the iframe in the WebView will load the file, which will
now point to one of its own files. Because the parent and child frames have
the same URL, the Same Origin Policy allows the parent frame to query the
contents of the child frame. This means that the HTML that the attacker
controls can read from the files loaded into the iframe and extract their
data.
Interim Workaround

Devices with Google Admin installed should not install any untrusted third
party applications.
Solution

No updated version has been released as of the time of publication
Technical Details

Refer to attached detailed advisory above.
Detailed TimelineDateSummary17/03/2015Issue disclosed to Google Security
team18/03/2015Issue acknowledged by Google Security team20/05/2015MWR request
update from Google Security team, Google Security team reply asking for 2
weeks to allow for update to be released02/06/2015MWR request update
18/06/2015Google Security acknowledge they have exceeded their own 90 day
deadline and request a delay on releasing details until
July05/08/2015MWR announce
to Google intention to disclose issue13/08/2015Advisory published

https://labs.mwrinfosecurity.com/advisories/2015/08/13/sandbox-bypass-through-google-admin-webview/


---------------------------------
@vah_13

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ