Major Android Bug is a Privacy Disaster (CVE-2014-6041)

On the night of September 7, 2014, Joe Vennix of Rapid7's Metasploit Products team wrote, "I did not believe this at first, but after some testing it seems true: in AOSP browser before Android 4.4, you can load javascript into any arbitrary frame or window [...]" and provided a Metasploit module to exploit this condition. After some of the usual testing and confirmation of the vulnerability, this module is available in all versions of Metasploit.

The vulnerability that Joe didn't believe is CVE-2014-6041, and was disclosed on September 1, 2014 by Rafay Baloch on his blog,Rafay Hacking Articles. By malforming a javascript: URL handler with a prepended null byte, an attacker can avoid the Android Open Source Platform (AOSP) Browser's Same-Origin Policy (SOP) browser security control.

 

What this means is, any arbitrary website (say, one controlled by a spammer or a spy) can peek into the contents of any other web page. Imagine you went to an attackers site while you had your webmail open in another window -- the attacker could scrape your e-mail data and see what your browser sees. Worse, he could snag a copy of your session cookie and hijack your session completely, and read and write webmail on your behalf.

 

This is a privacy disaster. The Same-Origin Policy is the cornerstone of web privacy, and is a critical set of components for web browser security. Oh, and it gets worse.

 

When this vulnerability was announced by Balcoh, it was met with... total silence. There has been no acknowledgement of the bug from Google, as far as we can tell. There's no listing of this bug on CVEDetail's readout of Android issues, and no chatter (we could find) in the Android security community about this bug.

 

Research and testing is still ongoing to plumb the depths of this issue. We'd like to pin down exactly when the bug was fixed, and to determine just how widespread this vector really is. After all, pre-4.4 builds of Android account for about 75% of the total Android ecosystem today.

 

More importantly, 4.2 (Jellybean) and prior phones account for nearly 100% of off-the-shelf, lower-end prepaid phones from major manufacturers and carriers. They still ship the unsupported AOSP browser. These are the kinds of phones that account for a huge chunk of total market share, and yet are still vulnerable to this bug and the WebView addJavascriptInterface vulnerability.

 

While the AOSP browser has "been killed off" by Google, it is wildly popular, even on modern devices used by sophisticated users who prefer the stock browser over Google Chrome, Firefox, Dolphin, or other browsers. A quick search for "AOSP browser" turns up page after page of instructions and HOWTOs on re-installing this defunct, unsupported-by-Google software. Among the top pages, I could find absolutely no mention of security concerns in reinstalling the original stock browser.

 

Later this week, I'll have a demo of the bug all video'ed up that's sufficiently shocking. I'd really like to continue the conversation about security for mid- to low-end devices that people trust with the details of their lives. I hope this Metasploit module (which is available today in all versions of Metasploit) spurs along the conversation on what we can do to ensure that the users of normal, off-the-shelf, brand-new phones aren't so vulnerable to privacy violations.

 

Edit: Changed Rafay's disclosure date to September 1, 2014. This appears to be more accurate when considering the GMT timezone. Clarified that the AOSP browser "has been killed off," not all of AOSP.