Google Chrome for Android: UXSS Vulnerability and Credential Disclosure

So, let's begin. In July 2011, Roee Hay and Yair Amit of the IBM Research Group discovered a UXSS vulnerability in the default Android browser. This error allows a malicious application to inject JavaScript code into the context of an arbitrary domain and capture cookies or perform other malicious actions. This vulnerability was fixed in Android 2.3.5.

On June 21, 2012, Google Chrome was released for Android. I could find very interesting errors in it. Take a look for yourself.

UXSS Vulnerability

As expected, this vulnerability does not affect the “Main” Chrome activity. However, let's look at the AndroidManifest.xml file from Chrome .apk .



Obviously, the com.google.android.apps.chrome.SimpleChromeActivity class can be called from another application if a directive is declared in it.

Decompile classes.dex from apk and take a look at the SimpleChromeActivity class .



In the onCreate method presented above, you will notice that the new URL will be loaded in the current, not the new tab.

There are two ways to trigger this activity: via the Android API or Activity Manager. The call from the Android API is a bit complicated, so I used the “am” command from the adb shell.

shell@android:/ $ am start -n com.android.chrome/com.google.android.apps.chrome.SimpleChromeActivity -d 'http://www.google.ru'

It seems to me that this problem with displaying content is not related to security. Judging by the title, Chrome uploaded www.google.com to SimpleChromeActivity instead of Main , and this activity has access to the Cookies database in Chrome. The next step will be the implementation of JavaScript code.

shell@android:/ $ am start -n com.android.chrome/com.google.android.apps.chrome.SimpleChromeActivity -d 'javascript:alert(document.cookie)' 

That's all, JavaScript was executed in the context of the www.google.com domain .

Credential Disclosure

Another issue — automatic file uploads — became a real headache for browsers like Chrome. If you opened the binary in the Chrome browser, it will be downloaded to the SDCard directory without your confirmation. The same thing happened in a standard browser, in which such an option was used by the malicious software NonCompatible . You may ask how this relates to credential disclosure. Take a look at the Chrome directory on the system.



Only the Chrome app can read these files (such as Cookies, History, etc.). It looks safe. Try launching Chrome using file: // wrapper and opening the cookie.

shell@android:/ $ am start -n com.android.chrome/com.android.chrome.Main -d 'file:///data/data/com.android.chrome/app_chrome/Default/Cookies'

After launching the browser, Cookies will be downloaded / copied to /sdcard/Downloads/Cookies.bin , and any application in the system will be able to read them.

I provided detailed information to the Chromium security team, and these errors were fixed in version 18.0.1025308.

Links:
http://code.google.com/p/chromium/issues/detail?id=138035
http://code.google.com/p/chromium/issues/detail?id=138210

Author: Artem Chaykin ( artemchaykin )