Sandbox bypass through Google Admin WebView
An issue was found in Google's Android Admin application that allowed other
applications on the device to bypass sandbox restrictions and read arbitrary
files through the use of symbolic links.
The advisory can be downloaded here:
<https://labs.mwrinfosecurity.com/system/assets/1021/original/mwri-advisory_sandbox_bypass_through_google_admin_webview.pdf>
Description
An issue was found when the Google Admin application received a URL via an
IPC call from any other application on the same device. The Admin
application would load this URL in a WebView within its own activity. If an
attacker used a file:// URL pointing to a file that they controlled, it was
possible to use symbolic links to bypass the Same Origin Policy and retrieve
data out of the Google Admin sandbox.
Impact
A malicious application on the same device as the Google Admin application
is able to read data out of any file within the Google Admin sandbox,
bypassing the Android Sandbox.
Cause
The Google Admin application (com.google.android.apps.enterprise.cpanel)
has an exported activity that accepts an extra string called setup_url. This
can be triggered by any application on the device creating a new intent
with the data URI set to http://localhost/foo and the setup_url string set
to a file URL that they can write to, such as
file://data/data/com.themalicious.app/worldreadablefile.html.
The ResetPinActivity will then load this in the WebView under the
privileges of the Google Admin application.
The attacker adds HTML in to their world readable file, which includes an
iframe that will load the world readable file again within the frame after
a 1 second delay. The Google Admin application loads this file and renders
it into its WebView.
Next the attacker deletes the world readable file and replaces it with a
symbolic link of the same name that points to a file in the Google Admin
sandbox.
After one second the iframe in the WebView will load the file, which will
now point to one of its own files. Because the parent and child frames have
the same URL, the Same Origin Policy allows the parent frame to query the
contents of the child frame. This means that the HTML that the attacker
controls can read from the files loaded into the iframe and extract their
data.
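The defensive counterpart to the flaw described above, as an added example that is not the Google Admin application's code or its eventual fix: an Android activity that reads the setup_url extra the advisory names, but refuses anything other than an https URL on an allowlisted host and locks the WebView's file-access settings before loading. The class name HardenedSetupActivity and the ALLOWED_HOSTS entry are assumptions for the example.

```java
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebSettings;
import android.webkit.WebView;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Hypothetical hardened activity (not the Google Admin app's code). In the
// manifest it would also be declared android:exported="false" so that other
// apps cannot deliver intents to it in the first place.
public class HardenedSetupActivity extends Activity {
    // Hosts this activity is willing to render; an assumed value for the example.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("admin.example.com"));

    // Returns true only for https URLs whose host is on the allowlist.
    // file://, content://, javascript: and plain http:// are all rejected.
    static boolean isSafeSetupUrl(String candidate) {
        if (candidate == null) return false;
        Uri uri = Uri.parse(candidate);
        if (!"https".equalsIgnoreCase(uri.getScheme())) return false;
        String host = uri.getHost();
        return host != null && ALLOWED_HOSTS.contains(host.toLowerCase());
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);

        WebSettings s = webView.getSettings();
        // Defence in depth: even if a file:// URL were loaded, these settings
        // stop a file-origin page from reading other local files via frames.
        s.setAllowFileAccess(false);
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);
        s.setAllowContentAccess(false);
        s.setJavaScriptEnabled(false);

        // setup_url is the extra named in the advisory.
        String setupUrl = getIntent().getStringExtra("setup_url");
        if (!isSafeSetupUrl(setupUrl)) {
            finish(); // refuse to render untrusted input under this app's identity
            return;
        }
        webView.loadUrl(setupUrl);
    }
}
```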
Interim Workaround
Devices with Google Admin installed should not install any untrusted third
party applications.
Solution
No updated version had been released as of the time of publication.
Technical Details
Refer to attached detailed advisory above.
Detailed Timeline
Date        Summary
17/03/2015  Issue disclosed to Google Security team
18/03/2015  Issue acknowledged by Google Security team
20/05/2015  MWR request update from Google Security team; Google Security team reply asking for 2 weeks to allow for update to be released
02/06/2015  MWR request update
18/06/2015  Google Security acknowledge they have exceeded their own 90 day deadline and request a delay on releasing details until July
05/08/2015  MWR announce to Google intention to disclose issue
13/08/2015  Advisory published
https://labs.mwrinfosecurity.com/advisories/2015/08/13/sandbox-bypass-through-google-admin-webview/
---------------------------------
@vah_13