Seebug SSV:93101

Cordova-Android MiTM Remote Code Execution (CVE-2017-3160)

2017-05-12 00:00:00
Root
www.seebug.org

EPSS

0.001

Percentile

33.2%

Product

  • Apache Cordova

Vulnerable Version

  • 6.1.1 (and below)

Technical Details

When an Android platform is added to a project for the first time (‘cordova platform add Android’), Cordova requires Gradle (its build tool) to be present in the local development environment. If the developer has not pre-installed Gradle, the gradle-wrapper component downloads the required build tool itself. The problem is that the download URL is fetched over plain HTTP, which creates a security weakness. The weakness is highly exploitable and severe because the downloaded archive is immediately unzipped and executed by ‘gradle-wrapper’.

The vulnerable function is in GradleBuilder.js:

```javascript
GradleBuilder.prototype.prepEnv = function(opts) {
    var self = this;
    return check_reqs.check_gradle()
    [...]
        // The wrapper's distributionUrl line is rewritten with the value below.
        var distributionUrlRegex = /distributionUrl.*zip/;
        /*jshint -W069 */
        // An environment override wins; otherwise the hard-coded default is used.
        // The backslash before ':' is the Java .properties escaping of the URL.
        var distributionUrl = process.env['CORDOVA_ANDROID_GRADLE_DISTRIBUTION_URL'] || 'https\\://services.gradle.org/distributions/gradle-2.14.1-all.zip';
    [...]
};
```

An attacker with the ability to intercept unencrypted traffic (MiTM) can hijack Gradle’s download response and substitute a file of his own, which allows him to execute code on the developer’s computer.
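As an added example (not Cordova's own code), the following Node.js script audits a gradle-wrapper.properties file for the weakness described above: a distributionUrl that is fetched over plain HTTP, with the CORDOVA_ANDROID_GRADLE_DISTRIBUTION_URL override taking precedence as it does in Cordova, plus a check that a distributionSha256Sum pin is present. The sample file contents and the checksum placeholder are constructed.

```javascript
// Added example, not Cordova's own code: audit a gradle-wrapper.properties file
// for the weakness described above (a distributionUrl fetched over plain HTTP)
// and for a missing distributionSha256Sum pin. Needs only Node.js.

// Java .properties files escape ':' as '\:' (hence 'https\://' in the Cordova
// source), so values must be unescaped before they are parsed as URLs.
function parseProperties(text) {
  const props = {};
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (!line || line.startsWith('#') || line.startsWith('!')) continue;
    const m = line.match(/^([^=:\s]+)\s*[=:]\s*(.*)$/);
    if (m) props[m[1]] = m[2].replace(/\\(.)/g, '$1');
  }
  return props;
}

// Mirrors Cordova's precedence: CORDOVA_ANDROID_GRADLE_DISTRIBUTION_URL wins
// over the file. Returns a list of findings; an empty list means acceptable.
function auditWrapper(text, envUrl) {
  const props = parseProperties(text);
  const url = envUrl || props.distributionUrl;
  if (!url) return ['no distributionUrl configured'];
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return ['distributionUrl is not a valid URL: ' + url];
  }
  const findings = [];
  if (parsed.protocol !== 'https:') {
    findings.push('distributionUrl uses ' + parsed.protocol + ' and can be hijacked by a MiTM: ' + url);
  }
  if (!props.distributionSha256Sum) {
    findings.push('no distributionSha256Sum pinned; the downloaded archive is not integrity-checked');
  }
  return findings;
}

// Constructed sample files (the checksum value is a placeholder, not a real hash).
const SAMPLE_VULNERABLE =
  'distributionBase=GRADLE_USER_HOME\n' +
  'distributionUrl=http\\://services.gradle.org/distributions/gradle-2.14.1-all.zip\n';
const SAMPLE_HARDENED =
  'distributionBase=GRADLE_USER_HOME\n' +
  'distributionUrl=https\\://services.gradle.org/distributions/gradle-2.14.1-all.zip\n' +
  'distributionSha256Sum=<sha256 of the real archive goes here>\n';
console.log(auditWrapper(SAMPLE_VULNERABLE)); // two findings
console.log(auditWrapper(SAMPLE_HARDENED));   // []
```

Run it against the platforms/android/gradle-wrapper.properties of a project, or wire it into CI so an HTTP distribution URL or an unpinned checksum fails the build.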

Timeline

  • 01-Mar-17: Added as ALEPH-2017013.
  • 27-Jan-17: Public disclosure.
