Google Admin WebView Sandbox Bypass
Posted Aug 14, 2015
Authored by Vahagn Vardanyan

An issue was found when the Google Admin application received a URL via an IPC call from any other application on the same device. The Admin application would load this URL in a webview within its own activity. If an attacker used a file:// URL to a file that they controlled, then it is possible to use symbolic links to bypass Same Origin Policy and retrieve data out of the Google Admin sandbox.

tags | advisory, bypass
SHA-256 | fe1cf8309000f17cec08e939b1bf7ce76af4a964b50042b4e935fea7d6db7d68

Sandbox bypass through Google Admin WebView

An issue was found in Google’s Android Admin application that allowed other
applications on the device to bypass sandbox restrictions to read arbitrary
files through the use of symbolic links.

The advisory can be downloaded here:
<https://labs.mwrinfosecurity.com/system/assets/1021/original/mwri-advisory_sandbox_bypass_through_google_admin_webview.pdf>

Description

An issue was found when the Google Admin application received a URL via an
IPC call from any other application on the same device. The Admin
application would load this URL in a webview within its own activity. If an
attacker used a file:// URL to a file that they controlled, then it is
possible to use symbolic links to bypass Same Origin Policy and retrieve
data out of the Google Admin sandbox.

Impact

A malicious application on the same device as the Google Admin application
is able to read data out of any file within the Google Admin sandbox,
bypassing the Android Sandbox.

Cause

The Google Admin application (com.google.android.apps.enterprise.cpanel)
has an exported activity that accepts an extra string called setup_url. This
can be triggered by any application on the device creating a new intent
with the data URI set to http://localhost/foo and the setup_url string set
to a file URL that they can write to, such as
file://data/data/com.themalicious.app/worldreadablefile.html

The ResetPinActivity will then load this in the WebView under the
privileges of the Google Admin application.

The attacker adds HTML in to their world readable file, which includes an
iframe that will load the world readable file again within the frame after
a 1 second delay. The Google Admin application loads this file and renders
it into its WebView.

Next the attacker deletes the world readable file and replaces it with a
symbolic link of the same name that points to a file in the Google Admin
sandbox.

After one second the iframe in the WebView will load the file, which will
now point to one of its own files. Because the parent and child frames have
the same URL, the Same Origin Policy allows the parent frame to query the
contents of the child frame. This means that the HTML that the attacker
controls can read from the files loaded into the iframe and extract their
data.
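For defenders, the root cause above reduces to two missing controls: the activity trusted a URL handed to it by any other app, and the WebView was allowed to load and read file:// content. The following is an added illustration of how such an activity should validate the extra and lock down the WebView; it is not code from the advisory or from the Google Admin application, and the class name, extra constant and allowed host are hypothetical.

```java
// Added illustration (not from the advisory or the Google Admin code base):
// an Activity that receives a URL via an Intent extra validates it before
// handing it to a WebView. SetupWebViewActivity, EXTRA_SETUP_URL and the
// host admin.example.com are hypothetical names.
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebSettings;
import android.webkit.WebView;

public class SetupWebViewActivity extends Activity {
    static final String EXTRA_SETUP_URL = "setup_url";

    // Accept only https:// URLs on an expected host. A file:// URL, or any
    // other scheme arriving from an untrusted Intent, is rejected outright,
    // so the symlink swap described in the advisory never gets a WebView load.
    static boolean isAllowedSetupUrl(String url) {
        if (url == null) return false;
        Uri uri = Uri.parse(url);
        String scheme = uri.getScheme();
        String host = uri.getHost();
        return "https".equalsIgnoreCase(scheme)
                && host != null
                && host.equalsIgnoreCase("admin.example.com"); // hypothetical host
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);

        WebSettings settings = webView.getSettings();
        // Defence in depth: even if a file:// URL slipped past validation, the
        // WebView could neither read local files nor treat one file:// page as
        // same-origin with another, which is what the iframe trick relies on.
        settings.setAllowFileAccess(false);
        settings.setAllowContentAccess(false);
        settings.setAllowFileAccessFromFileURLs(false);
        settings.setAllowUniversalAccessFromFileURLs(false);

        String setupUrl = getIntent().getStringExtra(EXTRA_SETUP_URL);
        if (!isAllowedSetupUrl(setupUrl)) {
            finish(); // untrusted or malformed URL: load nothing
            return;
        }
        webView.loadUrl(setupUrl);
    }
}
```

The activity should additionally be declared with android:exported="false" in the manifest, or protected by a signature-level permission, unless other apps genuinely need to start it.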

Interim Workaround

Devices with Google Admin installed should not install any untrusted third
party applications.

Solution

No updated version has been released as of the time of publication.

Technical Details

Refer to attached detailed advisory above.

Detailed Timeline

Date        Summary
17/03/2015  Issue disclosed to Google Security team
18/03/2015  Issue acknowledged by Google Security team
20/05/2015  MWR request update from Google Security team; Google Security team reply asking for 2 weeks to allow for update to be released
02/06/2015  MWR request update
18/06/2015  Google Security acknowledge they have exceeded their own 90 day deadline and request a delay on releasing details until July
05/08/2015  MWR announce to Google intention to disclose issue
13/08/2015  Advisory published

https://labs.mwrinfosecurity.com/advisories/2015/08/13/sandbox-bypass-through-google-admin-webview/


---------------------------------
@vah_13

