search

sportsboy / google-security-research

Automatically exported from code.google.com/p/google-security-research
0 stars 0 forks source link

Samsung SecEmailUI script injection #494

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago 
The default Samsung email client's email viewer and composer (implemented in 
SecEmailUI.apk) doesn't sanitize HTML email content for scripts before 
rendering the data inside a WebView. This allows an attacker to execute 
arbitrary JavaScript when a user views a HTML email which contains HTML script 
tags or other events.

At the very least the JavaScript could exploit the attack surface provided 
within the WebView control. It might also be possible to access local file 
content or emails depending on the full configuration of the WebView, although 
this hasn't been tested fully. 

This can also be exploited locally with the 
com.samsung.android.email.intent.action.QUICK_REPLY_BACKGROUND intent which 
will include attacker controlled HTML in the sending email. If the final 
message was viewed it would be possible for the script to extract the original 
message from the Document object and potentially post that information to 
another server.

Attached is a simple SMTP client in Python to send an HTML message with script 
contents to the device. The "me", "you", "me_password" and "smtp_server" 
variables need to be changed to ones appropriate for the sending email account 
and the receiving account on the phone. When the resulting email is viewed it 
should display the URL of the page which is of the form email://M/N where M is 
the email account ID and N is the message ID which proves that the script code 
executed.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by haw...@google.com on 29 Jul 2015 at 10:05

Attachments:

GoogleCodeExporter commented 8 years ago

Original comment by scvi...@google.com on 30 Jul 2015 at 2:12

GoogleCodeExporter commented 8 years ago 
This appears to be unfixed on G925VVRU4B0G9

Original comment by natashe...@google.com on 22 Oct 2015 at 12:43

GoogleCodeExporter commented 8 years ago

Original comment by natashe...@google.com on 23 Oct 2015 at 6:25

GoogleCodeExporter commented 8 years ago 
Fix is scheduled for November MR according to Samsung.

Original comment by natashe...@google.com on 27 Oct 2015 at 6:42

GoogleCodeExporter commented 8 years ago 
I just tested this on myself. I did get an email but all it said was email//87
Doesn't seem to have done anything at all.

Original comment by a13013.w...@gmail.com on 1 Nov 2015 at 8:21