Chrome for Android - Bypassing SOP for Local Files By Symlinks

Type securityvulns
Reporter Securityvulns
Modified 2013-01-10T00:00:00


CVE Number: CVE-2012-4908 Title: Chrome for Android - Bypassing SOP for Local Files By Symlinks Affected Software: Confirmed on Chrome for Android v18.0.1025123 Credit: Takeshi Terada Issue Status: v18.0.1025308 was released which fixes this vulnerability

Overview: Chrome for Android's Same-Origin Policy for local files (file: URI) can be bypassed by using symbolic links. It results in theft of Chrome's private files by malicious Android apps.

Details: Chrome for Android seems to forbid a local file to read another file, except for the originating file itself.

However, it is possible to circumvent the restriction by a trick using symbolic link.

This issue enables malicious Android apps to steal Chrome's private files such as Chrome's Cookie file, bookmark file, and so on.

As an example, steps to steal Chrome's Cookie file are described below:

  1. An attacker's app creates a malicious HTML file, and makes Chrome load its URL with file: URI. The malicious HTML contains JavaScript code which, a few seconds later, tries to read the content of same URL with the malicious HTML itself via XMLHttpRequest.

    <body> <u>Wait a few seconds.</u> <script> function doitjs() { var xhr = new XMLHttpRequest; xhr.onload = function() { alert(xhr.responseText); };'GET', document.URL); xhr.send(null); } setTimeout(doitjs, 8000); </script> </body>

  2. Before XHR fires, the attacker's app replaces the malicious HTML file with a symlink pointing to Chrome's Cookie file.

  3. When XHR fires, Chrome follows the symlink and provides the content of the Chrome's Cookie file to the malicious HTML.

The attacker's app can also get the content of Chrome's other private files in a similar manner.

Proof of Concept: HTML/JavaScript is shown above. At present I do not have plans to disclose PoC of malicious Android app.

Timeline: 2012/08/19 Reported to Google security team 2012/08/25 Re-reported to Chrome security team 2012/09/12 Vender announced v18.0.1025308 2013/01/07 Disclosure of this advisory

Recommendation: Upgrade to the latest version.