Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 8 Feb 2014 00:47:05 -0600
From: "Joshua J. Drake" <oss-sec-addjsif@...p.org>
To: oss-security@...ts.openwall.com
Cc: djorm@...hat.com, cve-assign@...re.org
Subject: Re: CVEs for Android addJavascriptInterface issues (was: multiple
 issues in Apache Cordova/PhoneGap)

Hello,

I apologize for hijacking the thread, but it seemed prudent to reply
inline with the relevant facts close by. 

On Fri, Feb 07, 2014 at 12:49:00PM -0500, cve-assign@...re.org wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> > Multiple issues have been reported in Apache Cordova:
> > 
> > http://packetstormsecurity.com/files/124954/apachecordovaphonegap-bypass.txt
> 
> We have been looking at this report, and have this initial response.

[..snip..]

> Page 5 of the NDSS paper says:
> 
> > On Android prior to API level 17, these interfaces are generically
> > insecure. Malicious JavaScript executing inside WebView can use the
> > Java reflection API to invoke any method of any Java object exposed
> > via 'addJavascriptInterface' and take control over the local side of
> > the application
> 
> This Android vulnerability is CVE-2012-6636. The available information
> about the point of original disclosure is
> http://50.56.33.56/blog/?p=314 and we don't happen to know if the
> researcher has a personal domain name for 50.56.33.56 that should be
> used instead.
>
> In this p=314 post, the researcher says "Prior to Android 4.2, if an
> application uses the addJavascriptInterface and allows an attacker to
> control the content rendered in a WebView, then an attacker can take
> control over the parent application regardless of the type of
> interface exposed." This seems to be a different finding than in the
> referenced
> http://www.cis.syr.edu/~wedu/Research/paper/webview_acsac2011.pdf
> paper. (Yes, webview_acsac2011.pdf can have CVE-2011-#### ID
> assignments but we are not working on that at the moment.)

Is the intent here to assign CVE-2012-6636 to all issues rooted in
reliance on an incorrectly exposed Javascript bridge?

If so, please keep in mind that this issue is not as simple as
pointing at Android itself. If a vulnerable app is compiled against a
vulnerable API level of the SDK (even today) it would be vulnerable.
At least that is my current understanding. As such, additional
assignments on a per-app or per-ad-network-SDK may be necessary due to
these exposure lifetime complications.

You may have seen recently released Metasploit module that allows a
remote compromise of the Google Glass browser using an incorrectly
exposed Javascript bridge via the "searchBoxJavaBridge_" object. This
exposes an instance of android.webkit.SearchBoxImpl in older versions
of the Android browser.

If this issue should have the same CVE assignment, please ack.
Otherwise, please assign a new CVE.

Joshua J. Drake
http://www.droidsec.org/

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ