Dropbox SDK for Android Remote Exploitation *youtube

2015.03.11
Credit: Rose Hay
Risk: High
Local: No
Remote: Yes
CWE: CWE-200


Ogólna skala CVSS: 2.6/10
Znaczenie: 2.9/10
Łatwość wykorzystania: 4.9/10
Wymagany dostęp: Zdalny
Złożoność ataku: Wysoka
Autoryzacja: Nie wymagana
Wpływ na poufność: Częściowy
Wpływ na integralność: Brak
Wpływ na dostępność: Brak

The CVE-2014-8889 vulnerability lets adversaries insert an arbitrary access token into the Dropbox SDK, completely bypassing the nonce protection. protected void onCreate(Bundle savedInstanceState) { ... Intent intent = getIntent(); ... webHost = intent.getStringExtra(EXTRA_INTERNAL_WEB_HOST); if (null == webHost) { webHost = DEFAULT_WEB_HOST; } ... } protected void onResume() { ... String state = createStateNonce(); ... if (hasDropboxApp(officialIntent)) { startActivity(officialIntent); } else { startWebAuth(state); } ... authStateNonce = state; } private void startWebAuth(String state) { String path = "/connect"; Locale locale = Locale.getDefault(); String[] params = { "locale", locale.getLanguage()+"_"+locale.getCountry(), "k", appKey, "s", getConsumerSig(), "api", apiType, "state", state}; String url = RESTUtility.buildURL(webHost, DropboxAPI.VERSION, path, params); Intent intent = new Intent(Intent.ACTION_VIEW, Uri.parse(url)); startActivity(intent); } This code belongs to the Activity that is responsible for the Dropbox authentication. It consumes various Intent extra parameters. Since the browser can invoke this Activity, it can be launched by both malware and malicious websites with an arbitrary Intent payload. Therefore, special care must be taken when consuming this Intent's payload. Consumption of a particular Intent extra parameter, named INTERNAL_WEB_HOST, has devastating results. When the browser is used (i.e., the Dropbox app is not installed) to authenticate the user and authorize the app to access the user's Dropbox account, this parameter eventually controls the host that the browser surfs to. If the attacker can generate an Intent targeting the activity, with INTERNAL_WEB_HOST pointing to his or her server, the authentication process will take place with the nonce sent to the attacker.

Referencje:

https://www.youtube.com/watch?v=v3T_giEpF44
http://securityintelligence.com/droppedin-remotely-exploitable-vulnerability-in-the-dropbox-sdk-for-android#.VQAfuBDF-rF


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top