Alert: Android WebView addJavascriptInterface Code Execution Vulnerability

Update: Trustlook released detection for this vulnerability within 12 hours of its being reported. It was a long night: we patched the Android system, changed the scheduling code, reflashed the ROM on all of our production devices and, of course, drank many beers. This was fun.

A Chinese researcher, livers, from wooyun.org has reported an Android remote code execution vulnerability in the addJavascriptInterface method of the WebView control. addJavascriptInterface bridges JavaScript running inside the WebView to a local Java object: every public method of the exposed object becomes callable from the page, including the methods inherited from java.lang.Object such as getClass(), and from a Class object reflection reaches java.lang.Runtime and its exec() method. If your browser or other application contains code like the snippet below, you may be vulnerable. An attacker who can get JavaScript into the WebView can run code on your Android device with the application's permissions, obtain a remote shell, or even install a backdoor application.

[Screenshot: Java code that registers a local object on a WebView with addJavascriptInterface]
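The following Java is an added example and not code from the page, from the reported applications or from Trustlook. It places the vulnerable registration pattern beside the hardened form that Android introduced in API level 17: only methods carrying the @JavascriptInterface annotation are reachable from JavaScript, and the annotation is honoured only when the application's targetSdkVersion is 17 or higher. The class names, the "jsobj" interface name and the URLs are assumptions made for the illustration.

```java
import android.annotation.SuppressLint;
import android.content.Context;
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import android.widget.Toast;

// Added example (hypothetical class and method names): vulnerable bridge vs. hardened bridge.
public class BridgeExample {

    // Before API 17, or whenever targetSdkVersion < 17, EVERY public method of the
    // exposed object is callable from JavaScript, including getClass() inherited from
    // java.lang.Object. Through the returned Class object a page can reflectively reach
    // java.lang.Runtime.getRuntime().exec(...), which is the command execution the alert
    // describes. Nothing in this class is wrong by itself; exposing it is the problem.
    public static class LegacyBridge {
        private final Context ctx;
        LegacyBridge(Context ctx) { this.ctx = ctx; }
        public void showToast(String msg) {
            Toast.makeText(ctx, msg, Toast.LENGTH_SHORT).show();
        }
    }

    // Hardened variant: only annotated methods are visible to JavaScript (API 17+ with
    // targetSdkVersion >= 17). getClass() and any unannotated method are not reachable.
    public static class SafeBridge {
        private final Context ctx;
        SafeBridge(Context ctx) { this.ctx = ctx; }

        @JavascriptInterface
        public void showToast(String msg) {
            Toast.makeText(ctx, msg, Toast.LENGTH_SHORT).show();
        }

        // No annotation: stays internal to the app.
        public void internalHelper() { }
    }

    // VULNERABLE: the bridge is exposed to every page the WebView ever loads, and a
    // plain-HTTP origin lets any network attacker inject the script.
    @SuppressLint("AddJavascriptInterface")
    public static void vulnerableSetup(WebView wv, Context ctx) {
        wv.getSettings().setJavaScriptEnabled(true);
        wv.addJavascriptInterface(new LegacyBridge(ctx), "jsobj");
        wv.loadUrl("http://example.com/");           // assumed URL
    }

    // HARDENED: annotated bridge on API 17+, no bridge at all on older devices (they
    // cannot enforce the annotation), and only trusted TLS content while it is attached.
    public static void hardenedSetup(WebView wv, Context ctx) {
        wv.getSettings().setJavaScriptEnabled(true);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {   // API 17
            wv.addJavascriptInterface(new SafeBridge(ctx), "jsobj");
        } else {
            // Some pre-17 Android builds register an interface of their own on every
            // WebView; drop it, and use a bridge-free design (e.g. a custom URL scheme
            // handled in shouldOverrideUrlLoading) instead of exposing a Java object.
            wv.removeJavascriptInterface("searchBoxJavaBridge_");
        }
        wv.loadUrl("https://example.com/");          // assumed URL, TLS only
    }
}
```

The check to make when auditing an application is therefore twofold: whether addJavascriptInterface is called at all, and, if it is, whether the manifest declares targetSdkVersion of at least 17 and the exposed class restricts itself to @JavascriptInterface methods. An application that still supports devices below API 17 remains exploitable there regardless of the annotation, which is why the hardened variant does not attach a bridge on those devices.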

According to this report, many Android applications are confirmed vulnerable, including:

– QQ browser HD

– Baidu browser

– Qvod player


The following JavaScript lets an attacker run a command inside a vulnerable application's process.

[Screenshot: JavaScript that calls through the exposed Java object to execute a command]


Here is the real exploit code that lets an attacker remotely control your device. It splits the backdoor APK into four parts, reassembles them into one APK file written to the SD card of the target device, and then runs the adb command to install the backdoor application.

[Screenshot: exploit code that assembles the backdoor APK on the SD card and installs it]


The following pictures show the backdoor application, AndroRAT, installed on the vulnerable device.

[Screenshot: AndroRAT installed on the exploited device]

The last step is remote control of the exploited device.

[Screenshot: remote control session against the exploited device]


During the past 12 hours, Trustlook has released a solution to detect this high-risk vulnerability. The proof-of-concept sample below tries to create a bridge that calls a Java function from JavaScript in an HTML page.

Here is the risk summary alert for an application affected by this vulnerability.

[Screenshot: Trustlook risk summary alert for the affected application]

Here is the detailed log showing that the sample creates a JavaScript-to-Java bridge and loads the HTML file at android_asset/www/index.html, which contains the malicious JavaScript.

[Screenshot: Trustlook detail log of the JavaScript-to-Java bridge and the loaded HTML file]