Android < 4.2 WebView addJavascriptInterface RCE #2942
Conversation
Great! Testing!
Hey, @jvennix-r7. Could you link to the specific SDK version?
@wvu-r7 sorry my steps are a little brief. Download the latest sdk, run
Ah, I didn't install the packages. Thanks! Android n00b here. :)
Hey @joev-r7, this looks to me like this affects in the neighborhood of 70%. Am I reading this right? http://m.androidcentral.com/android-4x-now-786-active-devices-kitkat-still-under-2 If so, this is kinda huge.
It's not just Android devices < 4.2, apps built with sdk version < 4.2 are still vulnerable on Android 4.4.2. You can verify with Baidu 2.1.0.0 on a > 4.2 device.
@todb it affects <4.2 WebView components (including, I believe, "patched" apps recompiled post 4.2 still running on <4.2 devices). I have no idea how many distributions include a vulnerable Browser app.
@timwr okay wow, so even on latest android this affects all apps with WebViews that were never recompiled with sdk version >= 4.2
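The exposure condition timwr and joev spell out above (app targetSdkVersion below 4.2 / API 17, or a device below 4.2, and the bridge's public methods are all reachable from page JavaScript) can be turned into an app-side audit. The script below is an added example, not code from this PR or from Metasploit; the AndroidManifest.xml it reads is a constructed sample, and the API-17 threshold and Android's targetSdkVersion fallback rules (missing targetSdkVersion falls back to minSdkVersion, then to 1) are taken from Android's documented behaviour rather than from the thread.

```python
"""Audit whether an app's addJavascriptInterface bridges are still fully
reflection-exposed, i.e. the pre-Android-4.2 behaviour discussed in the thread.

Added example, not part of the Metasploit PR. Rule encoded: only methods
annotated @JavascriptInterface are exposed when BOTH the app targets API 17
(Android 4.2) or higher AND the device runs API 17 or higher; otherwise every
public method of the bridged Java object is callable from page JavaScript.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
API_17_ANDROID_4_2 = 17  # first release that honours @JavascriptInterface

# Constructed sample manifest: an app shipping an old ad SDK, targeting API 16.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructedsample">
    <uses-sdk android:minSdkVersion="9" android:targetSdkVersion="16" />
    <application android:label="ConstructedSample"/>
</manifest>
"""


def target_sdk_from_manifest(manifest_xml: str) -> int:
    """Effective targetSdkVersion of a decoded AndroidManifest.xml.

    Android's fallback rules: a missing targetSdkVersion equals minSdkVersion,
    and a missing minSdkVersion defaults to 1.
    """
    root = ET.fromstring(manifest_xml)
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is None:
        return 1
    target = uses_sdk.get(f"{{{ANDROID_NS}}}targetSdkVersion")
    if target is None:
        target = uses_sdk.get(f"{{{ANDROID_NS}}}minSdkVersion", "1")
    return int(target)


def bridge_fully_exposed(target_sdk: int, device_api: int) -> bool:
    """True when every public method of a bridged object is reachable from
    JavaScript (the condition under which the reflection chain works)."""
    return target_sdk < API_17_ANDROID_4_2 or device_api < API_17_ANDROID_4_2


def assess(manifest_xml: str, device_api: int) -> dict:
    """Combine the app's targetSdkVersion with the device API level and
    return a verdict plus the mitigation that actually applies."""
    target_sdk = target_sdk_from_manifest(manifest_xml)
    exposed = bridge_fully_exposed(target_sdk, device_api)
    if exposed and target_sdk < API_17_ANDROID_4_2:
        fix = ("raise targetSdkVersion to >= 17 and annotate the methods that "
               "must stay reachable with @JavascriptInterface")
    elif exposed:
        # App is already built correctly; the OS is the weak point.
        fix = ("device is below API 17; gate addJavascriptInterface behind a "
               "Build.VERSION.SDK_INT >= 17 check or do without the bridge")
    else:
        fix = "only @JavascriptInterface methods are reachable; review those explicitly"
    return {
        "target_sdk": target_sdk,
        "device_api": device_api,
        "fully_exposed": exposed,
        "recommendation": fix,
    }


if __name__ == "__main__":
    # Same app on a 4.1 device (API 16) and on a 4.4 device (API 19):
    # exposed in both cases, because the app itself targets API 16.
    for api in (16, 19):
        print(assess(SAMPLE_MANIFEST, api))
```

Running it against the sample shows the point of timwr's remark: the app stays fully exposed on a 4.4.2 device because its own targetSdkVersion is 16, so the OS upgrade alone does nothing until the app is rebuilt against API 17 or later.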
Works beautifully!
Browser Autopwn:
Code looks great, btw.
Looks good to me. Thanks for following up on this one. I hadn't considered trying it as a straight HTTP module because I was going after the advertising network SDK stuff =) In hindsight a browser module makes more sense anyway since you can use Karmetasploit, DNS hijacking, DNS spoofing, ARP spoofing, etc to get your victims to visit you too =) <3
PS. It doesn't seem to work against my google glass ..
@jvennix-r7 Please use the browser exploit server mixin and set the requirement to android, thanks.
@wchen-r7 I would like to, but another attack vector for this is injecting the statically-served JS into a webview Component (from mitm position), and browser exploit server kinda subverts this with its detection probe.
thinking on it more, I should be able to override BrowserExploitServer's onurirequest and divert the requests for the js file
If you insist we can land w/ what we have now, not using the mixin isn't a blocker but it's just highly preferred. Let us know what you wanna do.
@wchen-r7 adding it now
Hey @jvennix-r7 just for next time can you make sure you refer to jduck as @jduck so he'll get alerted when the PR comes up? It's always nice to have @jduck's eyeballs attuned to whatever Android hotness we have coming up.
Landing!
Also, thanks to @jduck for testing!
Dear vendors, please up-rev your Androids (and recompile your apps). Signed, The Internet
I agree with @todb-r7. This issue needs a lot more attention from the good guys since the bad guys are likely using it in Sochi !@#!# PS. Found my embarrassing mistake and confirmed code execution works on my Google Glass XE12 too.
@jduck: Thanks for the update! Yeah, this is some serious (and awesome) stuff. :)
but hey... that will only pwn >70% of all Android devices O_o
@rsanz88 Not reproducing the issue atm. Do you see any other errors? Like maybe a "uninitialized constant" or something?
@rsanz88 please turn your attention to the top four lines of the file. This
You can download the Metasploit framework at http://metasploit.com/download.
Thanks for posting this. It worked without a hitch on my 4.1.2 emulator. I had no success with other emulators at API levels less than 4.1.2 (tried 4.0.3, and 2.3.3). I also tried on a Samsung running 4.1.2 (both default browser and chrome) without success. Is there a definitive way to check for the vulnerability other than running this script? Is there an easy way to figure out which apps are vulnerable? I know a good starting point is if an app can natively display a web page/html, but not all those apps will support javascript (for example I don't think any of the base email apps enable javascript support). thanks.
You can use http://www.droidsec.org/tests/addjsif/ to do a quick test.
Thanks! I got basically the same results; the only difference was that my 4.0.3 emulator reported vulnerable vs having the browser app crash with the ms script. None of the browsers on the physical devices I tested reported as vulnerable (most were 4.1.2 or older).
I'm attempting to run this module on a physical device (not an emulator). The specs meet the requirements. It's outfitted with WebView/WebKit, running 2.3 and JavaScript is enabled, but I keep receiving the following error (even when trying out different payloads):
webview_addjavascriptinterface - Exception handling request: undefined method `[]=' for nil:NilClass
Help?
Devices < 3.x and >= 4.2 are not affected by the browser issue. See http://www.droidsec.org/news/2014/02/26/on-the-webview-addjsif-saga.html
I'm now attempting to pop a reverse shell on a device running 4.1.1, but I'm still receiving zero output after the exploit HTML is being served to the device. I've tried every possible payload with no noticeable results.
@TheBananaStand See @jduck's link above -- you may be running into a mitigation by the phone manufacturer or carrier.
That was my initial thought, but after working on resolving the issue for a while longer, I was able to successfully get a Linux shell using the TCP bind payloads. For some reason though, I'm unable to interact with them appropriately (similar to a meterpreter shell) and I'm still unable to pop a shell using a reverse TCP payload. I've tried testing the functionality by creating a malicious APK that contains a reverse TCP shell (via msfpayload) and installing it directly onto the device in order to connect back to my machine, but that has failed as well. Maybe there is a security mechanism preventing these callback connections from establishing.
@TheBananaStand can you give an update on any progress? I have the same result. I have an older device running 4.03 as well as a virtual Android 4.0.3 device running, and both do not respond properly as I expect for this exploit. Metasploit console returns that a new session is started for each device, but any commands passed do not work. I cannot get it to return any response, either. Any ideas? Perhaps you can comment further on the success you had with "TCP bind payloads"?
The bottom line is that reverse TCP shell payloads are not being delivered correctly. The only payload that seems to be working is TCP bind shells. However, when the exploit succeeds and a session is spawned, the interaction with that session is minimal and essentially useless, as seen below:
msf exploit(webview_addjavascriptinterface) > sessions -i 1
ls
@TheBananaStand, use
You can also try the branch here: #3086 Which will add android meterpreter support and uses a different stager.
Thanks @jvennix-r7 - that's what I need to get the shell to respond. Has anyone figured out a root exploit that could be done on 4.x devices using the shell generated? It seems to me that there are a lot of commands that couldn't be executed with this shell. (example - am and pm commands don't respond. neither do setprop or getprop)
@chrisdavis925 you can drop and run this https://github.com/android-rooting-tools/android_run_root_shell binary to get root on a lot of devices, and then, for example, upgrade to meterpreter with this script:
Wow, yeah that is totally crazy. I am going to try this out tonight and report back if I was able to get this to work. I tried other android root binary exploits but they didn't work, so I'll see if the one you linked does. Can you confirm that the expected result after executing the android_run_root binary on the target device is that the shell that is already opened by the WebView addJavascriptInterface will automatically elevate to root?
Hello, but I don't understand this: with the command ls I get the directory of my android tablet. That's ok. But how do I start adb? I have opened a session with the browser autopwn .... Thanks and best regards
hi @tompom1 -- this isn't really a support forum. It's a development forum
You would be better off with your question directed at, say, #droidsec on
On Sun, May 11, 2014 at 1:05 PM, tompom1 notifications@github.com wrote:
"Tod Beardsley" todb@packetfu.com | 512-438-9165 | @todb
Hello, at Freenode IRC I get no answer??? Perhaps you can help me again. I use KALI Linux and an Android 4.1.2 Tablet for my test. I want to install an App like this: At Kali Linux I use the exploit webview_addjavascriptinterface and get a response from my tablet (same WLAN).
msf exploit(webview_addjavascriptinterface) > sessions -i 1
I want to copy some pictures to my KALI system but there is the problem: Or I want to run adb (no device!)
Can someone help me or explain to me how to do this?
You are opening a network shell but then expecting to have a local shell
You don't need an exploit if you just intend to use a normal local shell
The android devices I've used this exploit on have curl available, so I use
I was rewiring jduck's module for a side-channel attack on embedded Android WebView components, then noticed this actually gets you a shell on some versions of Android's Browser. So hooray, we now have an android browser exploit. Since it is easy to detect the presence of this vuln from JS code, I added it to browser_autopwn as well. A few other Android third party browsers were also vulnerable (notably baidu and QQ browsers: http://blog.trustlook.com/2013/09/04/alert-android-webview-addjavascriptinterface-code-execution-vulnerability/)