Wednesday, October 31, 2012

Google Chrome for Android — UXSS and Credential Disclosure

Here we go.
In July 2011, Roee Hay and Yair Amit from the IBM Research Group found a UXSS vulnerability in the default Android browser. The bug allowed a malicious application to inject JavaScript into the context of an arbitrary domain and steal cookies or perform other malicious actions. It was fixed in Android 2.3.5.

On June 21, 2012, Google Chrome for Android was released. I found some interesting bugs in it. Have a look.

UXSS

As expected, the main Chrome activity is not affected by this vulnerability. However, let's look at the AndroidManifest.xml file from the Chrome .apk.


You can see that the class com.google.android.apps.chrome.SimpleChromeActivity can be started by another application, since it has the directive declared that makes it callable from outside the package.
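The manifest check that surfaces this class of problem, as an added example that is not code from the original post or from Chrome: it lists every activity in a decoded AndroidManifest.xml that any other app on the device can start, either because android:exported="true" is set or because the activity has an intent filter and no explicit android:exported, and records whether an android:permission guards it. The manifest it runs on is constructed for illustration and is not Chrome's real manifest; the package and activity names in it are assumptions.

```python
# Added example (not from the original post or from Chrome): find activities
# in a decoded AndroidManifest.xml that any other app on the device can start,
# the property that made SimpleChromeActivity reachable. The sample manifest
# below is constructed for illustration; it is not Chrome's real manifest.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _a(elem, name):
    """Read an android:-namespaced attribute (None if absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def exported_activities(manifest_xml):
    """Return the activities other apps can start, with why and how.

    Rule used (Android behaviour up to API 30): an <activity> is exported when
    android:exported="true", or when android:exported is absent and the
    activity declares at least one <intent-filter>. An android:permission on
    the activity restricts callers to apps holding that permission.
    """
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    app = root.find("application")
    found = []
    if app is None:
        return found
    for act in app.findall("activity"):
        name = _a(act, "name") or ""
        if name.startswith("."):          # short form: relative to the package
            name = pkg + name
        exported = _a(act, "exported")
        filters = act.findall("intent-filter")
        if exported == "true":
            reason = 'android:exported="true"'
        elif exported is None and filters:
            reason = "implicit export via <intent-filter>"
        else:
            continue                       # exported="false", or no filter
        # URI schemes the filters advertise; an explicitly exported activity
        # with no filter still accepts any data URI via an explicit intent.
        schemes = sorted({_a(d, "scheme") for f in filters
                          for d in f.findall("data") if _a(d, "scheme")})
        found.append({"name": name, "reason": reason, "schemes": schemes,
                      "permission": _a(act, "permission")})
    return found


def unprotected(manifest_xml):
    """Exported activities with no android:permission guard: whatever they
    read from the intent's data URI must be validated in code."""
    return [a["name"] for a in exported_activities(manifest_xml)
            if a["permission"] is None]


# Constructed manifest (assumption: shape modelled on the post, not Chrome's file).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.browser">
  <application>
    <activity android:name=".Main">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="http"/>
        <data android:scheme="https"/>
      </intent-filter>
    </activity>
    <activity android:name="com.example.apps.browser.SimpleActivity"
              android:exported="true"/>
    <activity android:name=".Settings" android:exported="false"/>
    <activity android:name=".Sync" android:exported="true"
              android:permission="com.example.browser.permission.SYNC"/>
    <activity android:name=".Internal"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for a in exported_activities(SAMPLE_MANIFEST):
        print("%-42s %-36s schemes=%s permission=%s" % (
            a["name"], a["reason"], a["schemes"] or "-", a["permission"] or "-"))
    print("unprotected:", unprotected(SAMPLE_MANIFEST))
```

Run it against the manifest that apktool extracts from the .apk. An unguarded exported activity that loads the intent's data URI into a tab sharing the browser's cookie jar is the finding to chase; in the constructed sample that is SimpleActivity, the analogue of SimpleChromeActivity. Note that Android 12 (API 31) changed the implicit rule and now requires an explicit android:exported on any component that declares an intent filter, so the "implicit export" branch only applies to older targets.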

Decompile classes.dex from the .apk and look at the SimpleChromeActivity class.


The onCreate method shown above loads the new URL in the current tab instead of opening a new one.

There are a couple of ways to start this activity: via the Android API or via the Activity Manager. Doing it through the Android API is a bit more involved, so I used the "am" command from the adb shell.

shell@android:/ $ am start -n com.android.chrome/com.google.android.apps.chrome.SimpleChromeActivity -d 'http://www.google.ru'


I think there is a non-security problem here with how the content is displayed. Judging by the title, Chrome loaded www.google.ru in SimpleChromeActivity instead of Main, and this activity has access to Chrome's cookie database. The next step is to inject JavaScript code.

shell@android:/ $ am start -n com.android.chrome/com.google.android.apps.chrome.SimpleChromeActivity -d 'javascript:alert(document.cookie)'


Voilà, the JavaScript has been executed in the context of the domain www.google.ru. Because the activity is exported and loads whatever URL it receives in the intent data into the current tab, any application on the device can first load a target site and then a javascript: URL into the same tab, with full access to that site's cookies.

CREDENTIAL DISCLOSURE

Another problem, automatic file downloading, was a real headache for all Chrome-like browsers. If you opened a binary file in the Chrome browser, it was downloaded to the SD card directory without your approval. The same thing happened in the default browser, where this "feature" was used by the NotCompatible malware. So what does this have to do with credential disclosure? Look at the Chrome directory on the system.



These files (Cookies, History, etc.) can be read only by the Chrome app. It looks secure. Now try to launch Chrome with a file:// URL pointing at the Cookies file.

shell@android:/ $ am start -n com.android.chrome/com.android.chrome.Main -d 'file:///data/data/com.android.chrome/app_chrome/Default/Cookies'


When the browser starts, the Cookies file is downloaded (copied) to /sdcard/Downloads/Cookies.bin, where any application on the system can read it. Since that database holds the session cookies for every site the user is logged into, this hands those sessions to any app on the device.

I reported both bugs with detailed information to the Chromium security team, and they were fixed in version 18.0.1025308.

Links:
http://code.google.com/p/chromium/issues/detail?id=138035
http://code.google.com/p/chromium/issues/detail?id=138210

Author: Artem Chaykin, Positive Research.
