
Metasploit: Major Android Bug is a Privacy Disaster (CVE-2014-6041)

Builder

I'm going to put some effort into this one. Here's the link: https://community.rapid7.com/community/metasploit/blog/2014/09/15/major-android-bug-is-a-privacy-disaster-cve-2014-6041
 
Sorry if it's a repost, the search function is not working for me at the moment.

 

 

On the night of September 7, 2014, Joe Vennix of Rapid7's Metasploit Products team wrote, "I did not believe this at first, but after some testing it seems true: in AOSP browser before Android 4.4, you can load javascript into any arbitrary frame or window [...]" and provided a Metasploit module to exploit this condition. After some of the usual testing and confirmation of the vulnerability, this module is available in all versions of Metasploit.

So in the AOSP browser pre Kit Kat, you can load JavaScript arbitrarily to any frame or window. Sounds like a dangerous opportunity for drive-by attacks.

 

The vulnerability that Joe didn't believe is CVE-2014-6041, and was disclosed on September 1, 2014 by Rafay Baloch on his blog, Rafay Hacking Articles. By malforming a javascript: URL handler with a prepended null byte, an attacker can avoid the Android Open Source Platform (AOSP) Browser's Same-Origin Policy (SOP) browser security control.

You can circumvent their Same-Origin control by using a JavaScript URL handler with an extra null byte added to the beginning of it.

 

What this means is, any arbitrary website (say, one controlled by a spammer or a spy) can peek into the contents of any other web page. Imagine you went to an attackers site while you had your webmail open in another window -- the attacker could scrape your e-mail data and see what your browser sees. Worse, he could snag a copy of your session cookie and hijack your session completely, and read and write webmail on your behalf.

Oh dear. So you can use the above exploit to load JavaScript that captures (scrapes) data from other frames and windows in the browser. Beyond that, an attacker can copy the session cookie and use it to hijack your browsing session in the AOSP browser.

 

This is a privacy disaster. The Same-Origin Policy is the cornerstone of web privacy, and is a critical set of components for web browser security. Oh, and it gets worse.

Disaster indeed. Wait, it gets worse?

 

When this vulnerability was announced by Baloch, it was met with... total silence. There has been no acknowledgement of the bug from Google, as far as we can tell. There's no listing of this bug on CVEDetail's readout of Android issues, and no chatter (we could find) in the Android security community about this bug.

So nobody cares about it...not Google, not AOSP community developers. How's that for the power of open source development?

 

Research and testing is still ongoing to plumb the depths of this issue. We'd like to pin down exactly when the bug was fixed, and to determine just how widespread this vector really is. After all, pre-4.4 builds of Android account for about 75% of the total Android ecosystem today.

They still don't know when and how it was fixed, but the bug affects 75% of the total Android ecosystem, or around 750,000,000 devices. You read that right.

 

More importantly, 4.2 (Jellybean) and prior phones account for nearly 100% of off-the-shelf, lower-end prepaid phones from major manufacturers and carriers. They still ship the unsupported AOSP browser. These are the kinds of phones that account for a huge chunk of total market share, and yet are still vulnerable to this bug and the WebView addJavascriptInterface vulnerability.

The lowest end Android devices that claim the majority of Android's massive market share are nearly all vulnerable to this security issue.

 

While the AOSP has "been killed off" by Google, it is wildly popular, even on modern devices used by sophisticated users who prefer the stock browser over Google Chrome, Firefox, Dolphin, or other browsers. A quick search for "AOSP browser" turns up page after page of instructions and HOWTOs on re-installing this defunct, unsupported-by-Google software. Among the top pages, I could find absolutely no mention of security concerns in reinstalling the original stock browser.

So it seems that this is getting ignored because the AOSP browser is considered dead. Even though 750,000,000 devices are vulnerable.

 

The article does not end there but the last paragraph is the author talking about how he's going to demo the exploit later on in the week.

 

I'm not going to turn this into a "bash the 'droid" post but I have to say this is a very sorry showing from both Google and the AOSP. The fact that a bug like this happened in the first place is kind of appalling but even beyond that the fact that it's been wholesale ignored is even more concerning.

"You have got to be the biggest asshole on this forum..."

-GingerbreadPK

sudo rm -rf /
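As an added example that is not from the Rapid7 post, Metasploit, or Baloch's write-up: the code below models the kind of scheme check that a NUL-prefixed javascript: URL slips past, beside a check that first normalises the URL the way the WHATWG URL parser does (strip leading/trailing C0 controls and spaces, drop embedded tab/newline) before deciding whether same-origin enforcement applies. The function names and the sample URLs are assumptions constructed for this illustration.

```javascript
// Added example (not code from the Rapid7 post, Metasploit, or Baloch's write-up).
// Models the scheme check that CVE-2014-6041 slipped past, beside a normalising
// check of the kind a URL filter or WebView navigation guard should use.
// Function names and sample URLs are constructed for this illustration.

const JS_SCHEME_RE = /^javascript:/i;

// Naive check: succeeds only when the string literally begins with "javascript:".
// A URL such as "\u0000javascript:..." is not recognised, so any same-origin
// enforcement keyed on this check is skipped, even though the URL is still
// executed as script once the browser loads it.
function naiveIsJavascriptUrl(url) {
  return JS_SCHEME_RE.test(String(url));
}

// Normalisation taken from the WHATWG URL standard's parser: strip leading and
// trailing C0 controls (U+0000..U+001F) and spaces, then remove embedded tab and
// newline characters. Only after this is the scheme compared.
function normalizeForSchemeCheck(url) {
  return String(url)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

function hardenedIsJavascriptUrl(url) {
  return JS_SCHEME_RE.test(normalizeForSchemeCheck(url));
}

// Same-origin decision for a script URL navigated into another frame or window:
// the script may only run if the navigating document and the target share an
// origin. Returns true when the navigation must be blocked.
function shouldBlockScriptNavigation(url, navigatorOrigin, targetOrigin) {
  if (!hardenedIsJavascriptUrl(url)) return false; // not a script URL at all
  return navigatorOrigin !== targetOrigin;
}

// Audit helper for a URL filter: URLs the naive check lets through but the
// hardened check classifies as script URLs.
function findBypassCandidates(urls) {
  return urls.filter((u) => !naiveIsJavascriptUrl(u) && hardenedIsJavascriptUrl(u));
}

// Constructed samples: the third entry is the shape described in the thread,
// a javascript: URL with a NUL byte prepended.
const SAMPLE_URLS = [
  "https://mail.example/inbox",
  "javascript:void(0)",
  "\u0000javascript:void(0)",
  " \tJavaScript:void(0)",
  "java\nscript:void(0)",
];

for (const u of SAMPLE_URLS) {
  console.log(
    JSON.stringify(u),
    "naive:", naiveIsJavascriptUrl(u),
    "hardened:", hardenedIsJavascriptUrl(u),
  );
}
console.log(
  "bypass candidates:",
  findBypassCandidates(SAMPLE_URLS).map((u) => JSON.stringify(u)),
);
```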


Isn't the AOSP browser the one that (on devices) is simply called "Browser"?

Main Rig: CPU: AMD Ryzen 7 5800X | RAM: 32GB (2x16GB) KLEVV CRAS XR RGB DDR4-3600 | Motherboard: Gigabyte B550I AORUS PRO AX | Storage: 512GB SKHynix PC401, 1TB Samsung 970 EVO Plus, 2x Micron 1100 256GB SATA SSDs | GPU: EVGA RTX 3080 FTW3 Ultra 10GB | Cooling: ThermalTake Floe 280mm w/ be quiet! Pure Wings 3 | Case: Sliger SM580 (Black) | PSU: Lian Li SP 850W

 

Server: CPU: AMD Ryzen 3 3100 | RAM: 32GB (2x16GB) Crucial DDR4 Pro | Motherboard: ASUS PRIME B550-PLUS AC-HES | Storage: 128GB Samsung PM961, 4TB Seagate IronWolf | GPU: AMD FirePro WX 3100 | Cooling: EK-AIO Elite 360 D-RGB | Case: Corsair 5000D Airflow (White) | PSU: Seasonic Focus GM-850

 

Miscellaneous: Dell Optiplex 7060 Micro (i5-8500T/16GB/512GB), Lenovo ThinkCentre M715q Tiny (R5 2400GE/16GB/256GB), Dell Optiplex 7040 SFF (i5-6400/8GB/128GB)


Isn't the AOSP browser the one that (on devices) is simply called "Browser"?

Yup, com.android.browser.

mY sYsTeM iS Not pErfoRmInG aS gOOd As I sAW oN yOuTuBe. WhA t IS a GoOd FaN CuRVe??!!? wHat aRe tEh GoOd OvERclok SeTTinGS FoR My CaRd??  HoW CaN I foRcE my GpU to uSe 1o0%? BuT WiLL i HaVE Bo0tllEnEcKs? RyZEN dOeS NoT peRfORm BetTer wItH HiGhER sPEED RaM!!dId i WiN teH SiLiCON LotTerrYyOu ShoUlD dEsHrOuD uR GPUmy SYstEm iS UNDerPerforMiNg iN WarzONEcan mY Pc Run WiNdOwS 11 ?woUld BaKInG MY GRaPHics card fIX it? MultimETeR TeSTiNG!! aMd'S GpU DrIvErS aRe as goOD aS NviDia's YOU SHoUlD oVERCloCk yOUR ramS To 5000C18

 


I wish Google hadn't completely dropped the AOSP stuff. However, I guess I'm not too worried even with a 4.1 Jelly Bean device, since I use Chrome, which, thankfully, is being updated. I'm sure not everyone using pre-KitKat devices is still using the stock browser anyway.

Also, practice what you preach @Builder :D

Tea, Metal, and poorly written code.


Oh crap.

I'm actually using a hacked version of AOSP so it would work on my Nexus 5.

The only reason I'm using it is because it's the only browser I've found that has the double-tap drag zoom function.

Also, why not just use a different browser?

The AOSP browser (before it was killed) wasn't an app on the Play Store; it only gets updated after a new Android update.

It's a million times easier for Google and everyone else to just use a different browser.

If your grave doesn't say "rest in peace" on it You are automatically drafted into the skeleton war.


In case the search function doesn't work you can use Google and type "site linustechtips.com (keywords of your search)" to get results.

Thanks! I'll remember that for the future. I am primarily a DuckDuckGo user though.

 

Also, practice what you preach @Builder :D

?

 

It's a million times easier for Google and everyone else to just use a different browser.

It shouldn't be the consumer's job to make a business's job easier. And if it has to be, the business has to make it easy and painless to the point where both sides are neutral about the ordeal.

 

It's obviously easier for Google if everyone just switched browsers, (which is what they should do anyways) but it doesn't and shouldn't absolve them of blame to actually fix this.

"You have got to be the biggest asshole on this forum..."

-GingerbreadPK

sudo rm -rf /


Thanks! I'll remember that for the future. I am primarily a DuckDuckGo user though.

Should work the same I believe.

.


Should work the same I believe.

Nope. Just tried.

"You have got to be the biggest asshole on this forum..."

-GingerbreadPK

sudo rm -rf /


 

 

It shouldn't be the consumer's job to make a business's job easier. And if it has to be, the business has to make it easy and painless to the point where both sides are neutral about the ordeal.

It got easy and painless when Google said that (if I recall correctly) in Android 5.0 security updates will be pushed via the Play Store and an Android version update will not be necessary anymore.

It was already hell (because of the ISP and/or vendor side) to push any updates; this is an impossible task on older unsupported phones.

I believe you need root permission just to delete the damn thing.

If your grave doesn't say "rest in peace" on it You are automatically drafted into the skeleton war.


It was already hell (because of the ISP and/or vendor side) to push any updates; this is an impossible task on older unsupported phones.

Exactly. It's a big problem now.

"You have got to be the biggest asshole on this forum..."

-GingerbreadPK

sudo rm -rf /


I'm going to put some effort into this one. Here's the link: https://community.rapid7.com/community/metasploit/blog/2014/09/15/major-android-bug-is-a-privacy-disaster-cve-2014-6041

Sorry if it's a repost, the search function is not working for me at the moment.

So in the AOSP browser pre Kit Kat, you can load JavaScript arbitrarily to any frame or window. Sounds like a dangerous opportunity for drive-by attacks.

You can circumvent their Same-Origin control by using a JavaScript URL handler with an extra null byte added to the beginning of it.

Oh dear. So you can use the above exploit to load JavaScript that captures (scrapes) data from other frames and windows in the browser. Beyond that, an attacker can copy the session cookie and use it to hijack your browsing session in the AOSP browser.

Disaster indeed. Wait, it gets worse?

So nobody cares about it...not Google, not AOSP community developers. How's that for the power of open source development?

They still don't know when and how it was fixed, but the bug affects 75% of the total Android ecosystem, or around 750,000,000 devices. You read that right.

The lowest end Android devices that claim the majority of Android's massive market share are nearly all vulnerable to this security issue.

So it seems that this is getting ignored because the AOSP browser is considered dead. Even though 750,000,000 devices are vulnerable.

The article does not end there but the last paragraph is the author talking about how he's going to demo the exploit later on in the week.

I'm not going to turn this into a "bash the 'droid" post but I have to say this is a very sorry showing from both Google and the AOSP. The fact that a bug like this happened in the first place is kind of appalling but even beyond that the fact that it's been wholesale ignored is even more concerning.

You complain heavily of most of the forum tending toward a negative slant on Apple, but your own post about Android seemed rather smug and sarcastic as well.

I'm not bothered by that at all, really. It's just that you'd complain if someone else did this yet you did it yourself :D

Tea, Metal, and poorly written code.


Good thing I don't have AOSP then.

Edit: Hey, whaddya kno'? It's my lucky 500th post.

"Same rules since the first man picked up the first stick and beat the second man's ass with it."


Oh well, I use Chrome and have Kitkat anyway.


It got easy and painless when Google said that (if I recall correctly) in Android 5.0 security updates will be pushed via the Play Store and an Android version update will not be necessary anymore.

It was already hell (because of the ISP and/or vendor side) to push any updates; this is an impossible task on older unsupported phones.

I believe you need root permission just to delete the damn thing.

About bloody time Google figured a way to update Android directly from them without the need of OEMs and carriers.

About the OP, well, that really sucks. At least Chrome works on 4.0 and up, FF 2.3, and even Opera apparently works way back to 1.5, lol. Also, IMO the stock browser was kinda shitty anyway.

https://play.google.com/store/apps/details?id=com.android.chrome

https://play.google.com/store/apps/details?id=com.opera.mini.android

https://play.google.com/store/apps/details?id=org.mozilla.firefox

This is one of the greatest things that has happened to me recently, and it happened on this forum; those involved have my eternal gratitude http://linustechtips.com/main/topic/198850-update-alex-got-his-moto-g2-lets-get-a-moto-g-for-alexgoeshigh-unofficial/ :')

I used to have the second best link in the world here, but it died ;_; It's a 404 now, but it will always be here.

 


Two things to consider before freaking out.

1) This is the AOSP browser. I don't have any numbers on however many people use that, but it is not the browser called "Internet" you find on for example Samsung phones. I am not sure if Samsung's browser is based on the AOSP one though, and if it is the same exploit might work (although the browsers OEMs use are usually pretty heavily modified, including the JS engine to take better advantage of the specific SoC).

2) The AOSP browser is no longer supported by Google.

 

I don't think it's worth getting pissed at Google for not releasing a security update. If you're going to blame anyone for not releasing updates then blame the OEMs still shipping, and refusing to upgrade, outdated software.

What people should be pissed about is that Google don't want to acknowledge it. Security issues don't go away by ignoring them. They go away by fixing them (with a patch) or informing people about it and recommending other software. For example Google could make a post about this vulnerability, inform users that the browser is no longer supported and that they should instead use Chrome. But nope, they are staying silent and people are finding ways to install the AOSP browser, leading to more people becoming vulnerable.


You complain heavily of most of the forum tending toward a negative slant on Apple, but your own post about Android seemed rather smug and sarcastic as well.

I'm not bothered by that at all, really. It's just that you'd complain if someone else did this yet you did it yourself :D

What?

 

This is an enormous problem...I called Apple out for their "private security" deal when the iCloud thing happened, even though it's not clear they could have prevented it.

 

I don't think it's worth getting pissed at Google for not releasing a security update. If you're going to blame anyone for not releasing updates then blame the OEMs still shipping, and refusing to upgrade, outdated software.

I think we should blame Google for allowing the OEMs to shove their software around in the first place. I realize it's open source but really nobody compiles Android from the AOSP source these days if they ever did and they could easily license it to manufacturers without letting them screw with their carefully designed interface and update system.

 

Google is a software company, they're better at software than almost anyone else on the face of the planet. This fact is oft neglected because all of the effort they put into Android is largely nullified by no hard set of system requirements, no way of enforcing that hard set, and a general laissez-faire attitude towards how their stuff gets used. I agree with you, their stuff is unfairly hated upon because of the image OEMs give to the Google brand by cluttering up Android with shit. They aren't powerless though.

"You have got to be the biggest asshole on this forum..."

-GingerbreadPK

sudo rm -rf /


What?

This is an enormous problem...I called Apple out for their "private security" deal when the iCloud thing happened, even though it's not clear they could have prevented it.

I think we should blame Google for allowing the OEMs to shove their software around in the first place. I realize it's open source but really nobody compiles Android from the AOSP source these days if they ever did and they could easily license it to manufacturers without letting them screw with their carefully designed interface and update system.

Google is a software company, they're better at software than almost anyone else on the face of the planet. This fact is oft neglected because all of the effort they put into Android is largely nullified by no hard set of system requirements, no way of enforcing that hard set, and a general laissez-faire attitude towards how their stuff gets used. I agree with you, their stuff is unfairly hated upon because of the image OEMs give to the Google brand by cluttering up Android with shit. They aren't powerless though.

Google is steadily taking steps to alleviate a lot of the problems. A lot of the security updates get pushed out via the Play Services app, since 4.0. Additionally, they're bringing stock apps to the Play Store and updating those through there. This is also the reason why they stopped caring for AOSP, as their work would just be exploited.

Tea, Metal, and poorly written code.


This is also the reason why they stopped caring for AOSP, as their work would just be exploited.

So when your platform is bugged to holy hell you just stop working on it?

 

That's quite a cavalier suggestion to make.

"You have got to be the biggest asshole on this forum..."

-GingerbreadPK

sudo rm -rf /


So when your platform is bugged to holy hell you just stop working on it?

 

That's quite a cavalier suggestion to make.

If you've developed a new product which does not have the same issues and give it away for free, then sure.

Do you blame Apple for not releasing security patches for older versions of iOS after they release a new one (for example if an exploit in iOS 5 was found, would you blame them for not fixing it)? You also have to assume that every single iPhone could always run the latest version of the OS to make it a fair analogy. So when iOS 8 comes out, would you blame Apple for not releasing an iOS 7 version with security improvements for the iPhone 5S, in case you got an iPhone 5S but don't want to use iOS 8?

I think it's really bad to not even acknowledge the security issues, but I don't think they deserve any crap for not fixing it. They have released a new product for free which people can use, and they won't patch the old version which they have dropped support for.


I think it's really bad to not even acknowledge the security issues, but I don't think they deserve any crap for not fixing it. They have released a new product for free which people can use, and they won't patch the old version which they have dropped support for.

 

I guess this begs the question: who is to blame?

Google, for not doing it? Or people, for not upgrading? It's like Microsoft dropping Windows XP and not providing security updates... it's just what happens when software support ends, and people cling to it.

I suppose that is the risk you run using outdated, unsupported devices/software.

(IMO nobody is to blame, it's just one of those things.)

Desktop - Corsair 300r i7 4770k H100i MSI 780ti 16GB Vengeance Pro 2400mhz Crucial MX100 512gb Samsung Evo 250gb 2 TB WD Green, AOC Q2770PQU 1440p 27" monitor Laptop Clevo W110er - 11.6" 768p, i5 3230m, 650m GT 2gb, OCZ vertex 4 256gb,  4gb ram, Server: Fractal Define Mini, MSI Z78-G43, Intel G3220, 8GB Corsair Vengeance, 4x 3tb WD Reds in Raid 10, Phone Oppo Reno 10x 256gb , Camera Sony A7iii


As far as I know Google stopped developing the AOSP browser and just made Chrome the default browser. Part of Google's strategy to turn Android into their proprietary OS from the open source OS it was.

The news already talks about old devices (pre-KitKat) but even with those there is a caveat. Most OEMs did not even include the AOSP browser. Not only did they modify it even when they included it but, Samsung for example, stopped including it with their S4. If you compare the S3 and S4, both will have a browser simply called "Internet" but they are different. The S3 one is a little modified but is based on the AOSP browser, whereas the S4 one is based on Chromium and is basically Samsung's doing.

The stone cannot know why the chisel cleaves it; the iron cannot know why the fire scorches it. When thy life is cleft and scorched, when death and despair leap at thee, beat not thy breast and curse thy evil fate, but thank the Builder for the trials that shape thee.

So when your platform is bugged to holy hell you just stop working on it?

That's quite a cavalier suggestion to make.

No. They're working on their own stuff that can't just continually be changed and exploited by others.

Technically they're continuing to work on it, it's just closed source now.

It's quite likely that most of the versions of that browser were modified by OEMs; in which case I would say the blame would lie on them for not updating the browsers for their old phones.

Tea, Metal, and poorly written code.


I guess this begs the question: who is to blame?

Google, for not doing it? Or people, for not upgrading? It's like Microsoft dropping Windows XP and not providing security updates... it's just what happens when software support ends, and people cling to it.

I suppose that is the risk you run using outdated, unsupported devices/software.

(IMO nobody is to blame, it's just one of those things.)

It's just a mess. Google could be blamed for not fixing it in earlier versions of the AOSP browser; OEMs can be blamed for not updating old devices / selling new devices with old software.

I don't blame Google's current stance at all though. The AOSP is dead, and even if they patched this, what would happen?

Tea, Metal, and poorly written code.

