Lucene search

K
saintSAINT CorporationSAINT:272FB46381BC5CCF9A89795A555989C5
HistoryFeb 11, 2014 - 12:00 a.m.

Android WebView addJavascriptInterface Arbitrary Java Method Access

2014-02-1100:00:00
SAINT Corporation
download.saintcorporation.com
15

CVSS2

9.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

AI Score

6.7

Confidence

Low

EPSS

0.038

Percentile

92.0%

Added: 02/11/2014
CVE: CVE-2013-4710
OSVDB: 97520

Background

Android is a Linux-based operating system used primarily on touchscreen mobile devices such as smartphones and tablet computers. It was originally developed by Android Inc., but is now owned by Google. WebView is a sub-class of the Android View API which allows an application developer to load a web page as part of a client application.

Problem

The **addJavascriptInterface** method of WebView exposes a supplied Java object from within WebView to JavaScript. WebView with an API level less than 17 allows all public methods to be accessed, so that it is possible to use **addJavascriptInterface** to call any unregistered Java class and thereby execute commands remotely in the context of the running application.

Resolution

Applications developed for Android 4.2 (API level 17) and above are not vulnerable. Users who cannot upgrade their Android version should remove all applications that embed advertisements or ensure that they do not connect to untrusted networks while using applications with embedded advertisements.

References

http://jvn.jp/en/jp/JVN53768697/
https://labs.mwrinfosecurity.com/advisories/2013/09/24/webview-addjavascriptinterface-remote-code-execution/
http://blogs.avg.com/mobile/analyzing-android-webview-exploit/

Limitations

The user must run a vulnerable application which loads a specially crafted page.

Platforms

Android

CVSS2

9.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

AI Score

6.7

Confidence

Low

EPSS

0.038

Percentile

92.0%