oss-sec mailing list archives
Re: CVEs for Android addJavascriptInterface issues (was: multiple issues in Apache Cordova/PhoneGap)
From: "Joshua J. Drake" <oss-sec-addjsif () qoop org>
Date: Sat, 8 Feb 2014 00:47:05 -0600
Hello, I apologize for hijacking the thread, but it seemed prudent to reply inline with the relevant facts close by. On Fri, Feb 07, 2014 at 12:49:00PM -0500, cve-assign () mitre org wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1Multiple issues have been reported in Apache Cordova: http://packetstormsecurity.com/files/124954/apachecordovaphonegap-bypass.txtWe have been looking at this report, and have this initial response.
[..snip..]
Page 5 of the NDSS paper says:On Android prior to API level 17, these interfaces are generically insecure. Malicious JavaScript executing inside WebView can use the Java reflection API to invoke any method of any Java object exposed via 'addJavascriptInterface' and take control over the local side of the applicationThis Android vulnerability is CVE-2012-6636. The available information about the point of original disclosure is http://50.56.33.56/blog/?p=314 and we don't happen to know if the researcher has a personal domain name for 50.56.33.56 that should be used instead. In this p=314 post, the researcher says "Prior to Android 4.2, if an application uses the addJavascriptInterface and allows an attacker to control the content rendered in a WebView, then an attacker can take control over the parent application regardless of the type of interface exposed." This seems to be a different finding than in the referenced http://www.cis.syr.edu/~wedu/Research/paper/webview_acsac2011.pdf paper. (Yes, webview_acsac2011.pdf can have CVE-2011-#### ID assignments but we are not working on that at the moment.)
Is the intent here to assign CVE-2012-6636 to all issues rooted in reliance on an incorrectly exposed Javascript bridge? If so, please keep in mind that this issue is not as simple as pointing at Android itself. If a vulnerable app is compiled against a vulnerable API level of the SDK (even today) it would be vulnerable. At least that is my current understanding. As such, additional assignments on a per-app or per-ad-network-SDK may be necessary due to these exposure lifetime complications. You may have seen recently released Metasploit module that allows a remote compromise of the Google Glass browser using an incorrectly exposed Javascript bridge via the "searchBoxJavaBridge_" object. This exposes an instance of android.webkit.SearchBoxImpl in older versions of the Android browser. If this issue should have the same CVE assignment, please ack. Otherwise, please assign a new CVE. Joshua J. Drake http://www.droidsec.org/
Attachment:
signature.asc
Description: Digital signature
Current thread:
- CVE request: multiple issues in Apache Cordova/PhoneGap David Jorm (Feb 02)
- Re: CVE request: multiple issues in Apache Cordova/PhoneGap cve-assign (Feb 07)
- Re: CVEs for Android addJavascriptInterface issues (was: multiple issues in Apache Cordova/PhoneGap) Joshua J. Drake (Feb 07)
- Re: CVE request: multiple issues in Apache Cordova/PhoneGap cve-assign (Feb 07)