October 31, 2012

Google Chrome for Android — UXSS and Credential Disclosure

Here we go.
In July 2011, Roee Hay and Yair Amit from the IBM Research Group found a UXSS vulnerability in the default Android browser. The bug allowed a malicious application to inject JavaScript code into the context of an arbitrary domain and steal cookies or do other evil things. Anyway, this bug was fixed in Android 2.3.5.

On June 21, 2012, Google Chrome for Android was released. I’ve found some interesting bugs there. Just have a look.

UXSS

As expected, the main Chrome activity isn't affected by this vulnerability. However, let’s look at the AndroidManifest.xml file from the Chrome .apk.


You can see that the class com.google.android.apps.chrome.SimpleChromeActivity can be called from another application, since it has the directive declared.

Decompile classes.dex from the apk and look at the SimpleChromeActivity class.


The onCreate method provided above shows that a new URL will be loaded in the current tab without opening a new tab.

There are a couple of ways to start this activity — via the Android API or via Activity Manager. Calls from the Android API are a bit more involved, so I used the "am" command from the adb shell.

shell@android:/ $ am start -n com.android.chrome/com.google.android.apps.chrome.SimpleChromeActivity -d 'http://www.google.ru'


I think there is also a non-security problem with content display here. Judging by the title, Chrome loaded www.google.ru in SimpleChromeActivity instead of Main, and this activity has access to the Chrome Cookies database. The next step is injecting JavaScript code.

shell@android:/ $ am start -n com.android.chrome/com.google.android.apps.chrome.SimpleChromeActivity -d 'javascript:alert(document.cookie)'


Voilà, JavaScript has been executed in the context of the domain www.google.ru.

CREDENTIAL DISCLOSURE

Another problem — automatic file downloading — was a real headache for all Chrome-like browsers. If you opened a binary file in the Chrome browser, it was downloaded to the SD card directory without your approval. The same thing happened in the default browser, where this "feature" was used by the NotCompatible malware. So you may ask what this has to do with credential disclosure. Look at the Chrome directory on the system.



These files (Cookies, History, etc.) can be read only by the Chrome app. It looks secure. Now launch Chrome using the file:// scheme and open the Cookies file.

shell@android:/ $ am start -n com.android.chrome/com.android.chrome.Main -d 'file:///data/data/com.android.chrome/app_chrome/Default/Cookies'


When the browser starts, the Cookies file is downloaded/copied to /sdcard/Downloads/Cookies.bin, where it can be read by any application on the system.
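Both bugs above come down to an activity reachable from other apps that loads whatever URI it is handed. The following is an added example (not Chrome's code) of the two checks an auditor or developer would apply: find activities another app can start from a manifest, and allowlist the scheme of an intent-supplied URL so that javascript: and file: are refused. The manifest fragment is constructed for the example, and its exported flags and intent filters are assumptions, not Chrome's real manifest.

```python
# Added example, not Chrome's own code. Audits a manifest for activities that
# other apps can start, and shows the scheme check such an activity should
# apply before loading intent data into a tab/WebView.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest fragment modelled on the post's description; the
# exported flags and filters are assumptions for illustration only.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.android.chrome">
  <application>
    <activity android:name="com.android.chrome.Main">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <data android:scheme="http"/>
      </intent-filter>
    </activity>
    <activity android:name="com.google.android.apps.chrome.SimpleChromeActivity"
              android:exported="true"/>
    <activity android:name="com.google.android.apps.chrome.Internal"
              android:exported="false"/>
  </application>
</manifest>"""


def externally_reachable_activities(manifest_xml):
    """Names of activities another app can start: android:exported="true",
    or an <intent-filter> present with no explicit exported="false"
    (the default before API level 31)."""
    root = ET.fromstring(manifest_xml)
    reachable = []
    for act in root.iter("activity"):
        exported = act.get(ANDROID_NS + "exported")
        has_filter = act.find("intent-filter") is not None
        if exported == "true" or (exported is None and has_filter):
            reachable.append(act.get(ANDROID_NS + "name"))
    return reachable


ALLOWED_SCHEMES = {"http", "https"}


def is_loadable_from_intent(url):
    """Scheme allowlist for URLs received via an intent: refuses javascript:
    (script injection into the current tab) and file: (pulling the app's
    own private files into the download directory)."""
    return urlsplit(url).scheme.lower() in ALLOWED_SCHEMES
```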

I provided detailed information to the Chromium security team, and these bugs were fixed in version 18.0.1025308.

Links:
http://code.google.com/p/chromium/issues/detail?id=138035
http://code.google.com/p/chromium/issues/detail?id=138210

Author: Artem Chaykin, Positive Research.
