Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormTakeshi TeradaPACKETSTORM:119303
HistoryJan 08, 2013 - 12:00 a.m.

Chrome For Android Bypassing SOP Flaw

2013-01-0800:00:00
Takeshi Terada
packetstormsecurity.com
26

0.006 Low

EPSS

Percentile

75.9%

JSON
`CVE Number: CVE-2012-4908  
Title: Chrome for Android - Bypassing SOP for Local Files By Symlinks  
Affected Software: Confirmed on Chrome for Android v18.0.1025123  
Credit: Takeshi Terada  
Issue Status: v18.0.1025308 was released which fixes this vulnerability  
  
Overview:  
Chrome for Android's Same-Origin Policy for local files (file: URI) can be  
bypassed by using symbolic links. It results in theft of Chrome's private  
files by malicious Android apps.  
  
Details:  
Chrome for Android seems to forbid a local file to read another file,  
except for the originating file itself.  
  
http://code.google.com/p/chromium/issues/detail?id=37586  
  
However, it is possible to circumvent the restriction by a trick using  
symbolic link.  
  
This issue enables malicious Android apps to steal Chrome's private  
files such as Chrome's Cookie file, bookmark file, and so on.  
  
As an example, steps to steal Chrome's Cookie file are described below:  
  
1. An attacker's app creates a malicious HTML file, and makes Chrome load  
its URL with file: URI. The malicious HTML contains JavaScript code  
which, a few seconds later, tries to read the content of same URL with  
the malicious HTML itself via XMLHttpRequest.  
  
<body>  
<u>Wait a few seconds.</u>  
<script>  
function doitjs() {  
var xhr = new XMLHttpRequest;  
xhr.onload = function() {  
alert(xhr.responseText);  
};  
xhr.open('GET', document.URL);  
xhr.send(null);  
}  
setTimeout(doitjs, 8000);  
</script>  
</body>  
  
2. Before XHR fires, the attacker's app replaces the malicious  
HTML file with a symlink pointing to Chrome's Cookie file.  
  
3. When XHR fires, Chrome follows the symlink and provides the  
content of the Chrome's Cookie file to the malicious HTML.  
  
The attacker's app can also get the content of Chrome's other private  
files in a similar manner.  
  
Proof of Concept:  
HTML/JavaScript is shown above. At present I do not have plans to disclose  
PoC of malicious Android app.  
  
Timeline:  
2012/08/19 Reported to Google security team  
2012/08/25 Re-reported to Chrome security team  
2012/09/12 Vender announced v18.0.1025308  
2013/01/07 Disclosure of this advisory  
  
Recommendation:  
Upgrade to the latest version.  
  
Reference:  
http://googlechromereleases.blogspot.jp/2012/09/chrome-for-android-update.html  
https://code.google.com/p/chromium/issues/detail?id=144866  
`

Related

debiancve 1
ubuntucve 1
securityvulns 2
prion 1
cve 1
debiancve
debiancve
CVE-2012-4908
2012-09-13 20:55:00
ubuntucve
ubuntucve
CVE-2012-4908
2012-09-13 00:00:00
securityvulns
securityvulns
Chrome for Android - Bypassing SOP for Local Files By Symlinks
2013-01-10 00:00:00
Google Chrome for Android multiple security vulnerabilities
2013-01-10 00:00:00
prion
prion
Design/Logic Flaw
2012-09-13 20:55:00
cve
cve
CVE-2012-4908
2012-09-13 20:55:00

0.006 Low

EPSS

Percentile

75.9%

JSON
Related for PACKETSTORM:119303
debiancve1ubuntucve1securityvulns2prion1cve1