Alert: Android WebView addJavascriptInterface Code execution Vulnerability

Update: Trustlook released a solution to detect this vulnerability within 12 hours of it being reported. During the long night, we had to patch the Android system, change the scheduling code, refresh the ROM system of all production devices and, of course, have many beers. This is fun.

A Chinese hacker, livers, from wooyun.org has reported an Android remote code execution vulnerability in the addJavascriptInterface method of the WebView control. In more detail, addJavascriptInterface is used as the interface between JavaScript code and local Java code. If your browser or another application implements code like that below, it might be vulnerable. Hackers can remotely run code on your Android device, and they can get a remote shell or even install a backdoor application on it.

[Image: Screen Shot 2013-09-04 at 8.24.49 PM]

According to this report, many Android applications are confirmed vulnerable:

– QQ browser HD

– Baidu browser

– Qvod player

The following JavaScript code allows a hacker to run commands in your vulnerable application.

[Image: Screen Shot 2013-09-04 at 8.24.39 PM]

Here is the real exploit code that allows a hacker to remotely control your device. It splits the exploit APK file into four parts, merges them into one APK file and writes it to the sdcard on the target device. It then runs an adb command to install the backdoor application.

[Image: Screen Shot 2013-09-04 at 8.20.29 PM]

The following picture shows that the backdoor application, androrat, has been installed on the vulnerable device.

[Image: Screen Shot 2013-09-04 at 8.20.50 PM]

The last part is to remotely control the exploited device.

[Image: Screen Shot 2013-09-04 at 8.20.59 PM]

During the past 12 hours, Trustlook has released a solution to detect this high-risk vulnerability. Here is the POC sample, which tries to make a bridge to call a Java function from JavaScript in an HTML page.

Here is the risk summary alert for an application impacted by this vulnerability.

[Image: Screen Shot 2013-09-05 at 3.03.30 PM]

Here is the detailed log showing that the sample tries to make a JavaScript-to-Java bridge and loads the HTML file located at android_asset/www/index.html, which contains the malicious JavaScript.

[Image: Screen Shot 2013-09-05 at 3.03.38 PM]
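An added example (not Trustlook's detection code and not from the original post): a small static check in the spirit of the detection described above, which flags addJavascriptInterface calls in decompiled Java and rates them by the manifest's SDK levels. It assumes, from the Android platform documentation rather than from this post, that API level 17 is where WebView began limiting the bridge to methods annotated with @JavascriptInterface; the manifests, class names and source lines are constructed.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SAFE_API = 17  # assumption from the platform docs: first level enforcing @JavascriptInterface
BRIDGE_CALL = re.compile(r'\.addJavascriptInterface\s*\(\s*(.+?)\s*,\s*"([^"]*)"\s*\)')

def sdk_levels(manifest_xml):
    """Return (minSdkVersion, targetSdkVersion), applying the manifest defaults."""
    node = ET.fromstring(manifest_xml).find("uses-sdk")
    attrs = node.attrib if node is not None else {}
    min_sdk = int(attrs.get(ANDROID_NS + "minSdkVersion", 1))
    return min_sdk, int(attrs.get(ANDROID_NS + "targetSdkVersion", min_sdk))

def scan_app(manifest_xml, sources):
    """Flag each JS-to-Java bridge; sources maps file name -> decompiled Java text."""
    min_sdk, target_sdk = sdk_levels(manifest_xml)
    if target_sdk < SAFE_API:
        risk, why = "high", "targets API < 17: all public methods of the object are callable from JS"
    elif min_sdk < SAFE_API:
        risk, why = "high", "installs on API < 17 devices, where the annotation is not enforced"
    else:
        risk, why = "review", "only @JavascriptInterface methods are exposed; audit them"
    findings = []
    for name, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            match = BRIDGE_CALL.search(line)
            if match:
                findings.append({"file": name, "line": lineno, "object": match.group(1),
                                 "js_name": match.group(2), "risk": risk, "why": why})
    return findings

# Constructed sample input (hypothetical app, not taken from any real application).
MANIFEST_FMT = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android">'
                '<uses-sdk android:minSdkVersion="{}" android:targetSdkVersion="{}"/></manifest>')
OLD_MANIFEST = MANIFEST_FMT.format(8, 16)
NEW_MANIFEST = MANIFEST_FMT.format(17, 19)
SOURCES = {"MainActivity.java": "\n".join([
    "WebView webView = new WebView(this);",
    "webView.getSettings().setJavaScriptEnabled(true);",
    'webView.addJavascriptInterface(new JsBridge(this), "bridge");',
    'webView.loadUrl("file:///android_asset/www/index.html");',
])}

if __name__ == "__main__":
    for manifest in (OLD_MANIFEST, NEW_MANIFEST):
        for f in scan_app(manifest, SOURCES):
            print(f["file"], f["line"], f["js_name"], f["risk"], "-", f["why"])
```

A "review" result still deserves attention when the WebView loads content the app does not control, since the annotated methods remain reachable from that page's JavaScript.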
