Pierluigi Paganini
February 20, 2014
A bug in the Android WebView programming interface allows attackers to remotely access on most devices running the popular OS. But it does not end here, hackers could easily access handset camera and file system simply creating a specifically crafted web page, and via a Man-in-the-Middle attack attackers could deliver trojanized app update to infect the victim’s mobile. The situation is critical, nearly 70 percent of Android based handsets are vulnerable because they run Android versions prior to 4.2. The economy of an attack is to the advantage of those who offend, it is always easier for the attacker to find the tools and knowledge to compromise mobile devices. Let’s consider the above vulnerability in Android WebView programming interface, Rapid 7 recently released a new module for the Metasploit framework to “get shell” on most Android-running devices.
“This module exploits a privilege escalation issue in Android < 4.2’s WebView component that arises when untrusted Javascript code is executed by a WebView that has one or more Interfaces added to it. The untrusted Javascript code can call into the Java Reflection APIs exposed by the Interface and execute arbitrary commands. Some distributions of the Android Browser app have an addJavascriptInterface call tacked on, and thus are vulnerable to RCE. The Browser app in the Google APIs 4.1.2 release of Android is known to be vulnerable. A secondary attack vector involves the WebViews embedded inside a large number of Android applications. Ad integrations are perhaps the worst offender here. If you can MITM the WebView’s HTTP connection, or if you can get a persistent XSS into the page displayed in the WebView, then you can inject the html/js served by this module and get a shell. Note: Adding a .js to the URL will return plain javascript (no HTML markup).” reports Rapid7 in the page dedicated to the “exploit/android/browser/webview_addjavascriptinterface” module.
To secure mobile devices, carriers and manufacturers have to adopt an effective strategy to mitigate a growing number of cyber threats. As usual the interval of time between bug discovery and the release of the fix is too long, the Android WebView programming interface was identified in December 2012, but Google fixed it in November 2013 releasing the Android version 4.2.
[The flaw] “kind of a huge deal” “In a completely unsurprising twist, I did a quick survey of the phones available today on the no-contract rack at a couple big-box stores, and every one that I saw were vulnerable out of the box,” “And yes, that’s here in the U.S., not some far-away place like Moscow, Russia.” “I’m hopeful that by publishing an E-Z-2-Use Metasploit module that exploits it, we can maybe push some vendors toward ensuring that single-click vulnerabilities like this don’t last for 93+ weeks in the wild,” said Tod Beardsley, technical lead for the Metasploit Framework
In this case the end user is helpless, he can’t fix the problem and he just has to wait for the next security update. There is the concrete risk that bad actors will start to use the Metasploit module on a large scale, this scenario could have serious repercussion on the security point of view.
(Security Affairs – Android, Matasploit)
