Analysis of WebView Remote Code Execution Vulnerability in Android
1. WebView Remote Code Execution Vulnerability description
There is a remote code execution security vulnerability in Android API level 16 and earlier versions. The vulnerability stems from that the program does not correctly restrict the use of webview.addjavascriptinterface method. Remote attackers can use java reflection API to execute the method of arbitrary Java objects, Simply put, add a JavaScript bridge interface to WebView through addjavascript interface. JavaScript can directly operate the local java interface by calling this interface. The vulnerability was first published in cve-2012-6636 [1], which describes a remote code execution security vulnerability caused by the addjavascriptinterface API in WebView.
Recently, several popular Android applications have been exposed to high-risk hanging horse vulnerabilities: when clicking on a message or a website in the circle of friends' community, the user's mobile phone will automatically execute the code instructions of the hanging horse, resulting in the installation of malicious fee deduction software, sending fraudulent SMS to friends, the theft of address book and SMS and remote control. On the dark cloud vulnerability platform, a large number of top applications such as wechat, QQ, Tencent microblog, QQ browser, webcast, baidu browser and Jinshan browser of Android version have been exposed to the same type of vulnerabilities.
The paper attacks on WebView in the Android system [2] points out that the exported read-write file interface can be used to read and write files. Attackers can tamper with the page displayed by WebView through man in the middle attack to control the mobile phone file system.
2. Influence scope of WebView remote code execution
Android API level is less than 17 (i.e. system versions before Android 4.2)
3. WebView Remote Code Execution Vulnerability details
1) WebView Remote Code Execution Vulnerability location:
WebView.addJavascriptInterface(Object obj,String interfaceName)
2) WebView Remote Code Execution Vulnerability triggering precondition:
Use the addjavascriptinterface method to register Java objects that can be called by JavaScript;
Use WebView to load external web pages or local web pages;
Android system version is lower than 4.2;
3) WebView Remote Code Execution Vulnerability principle:
The Android system registers Java objects that can be called by JavaScript through the webview.addjavascriptinterface method to enhance the functions of JavaScript. However, the system has no restrictions on method calls to register Java classes. As a result, attackers can call any other unregistered Java classes by using the reflection mechanism, resulting in unlimited enhancement of JavaScript capabilities. An attacker can exploit this vulnerability to do whatever he wants according to the capabilities of the client.
4. WebView Remote Code Execution Vulnerability POC
1) Use the addjavascriptinterface method to register the Java object "injectedobj" that can be called by JavaScript, and use the reflection mechanism to call the Android API sendtextmessage to send short messages.
Java code:
Javascript code for exp:
2) Use the addjavascriptinterface method to register the Java object "injectedobj" that can be called by JavaScript, and use the reflection mechanism to call the Android API getruntime to execute the shell command:
Javascript code for exp:
Implementation results after utilization:
3) Use the addjavascriptinterface method to register the Java object "injectedobj" that can be called by JavaScript, and use the reflection mechanism to call the Android API getruntime to execute the shell command, so as to rebound a mobile phone shell to the remote control end:
Javascript code for exp:
Results after execution:
4) Use the addjavascriptinterface method to register the Java object "injectedobj" that can be called by JavaScript, and use the reflection mechanism to call the Android API getruntime to execute the shell command to hang up: a install the Trojan application APK, B install and execute the elf executable program;
Simply install the JavaScript code of sending SMS Trojan APK and exp:
It can be seen from the figure below that we have spliced into an APK program and disguised as a PNG picture:
As can be seen from the figure below, we have successfully installed the fake.png APK program:
For example, the popular androrat remote control program on the Internet, the attacker can simply install the remote control Trojan application APK to achieve the purpose of remote control of the user's mobile phone.
Exploit vulnerabilities to splice executable elf programs, and execute the elf programs to achieve the purpose of doing whatever you want, blog about WebView JavaScript bridges
【3】 The POC of stealing sdcard files by ELF executable program under non root conditions is also realized. It can be seen that the vulnerability is very harmful:
Javascript code for exp:
"Testbin" file has been spliced and generated, as shown in the following figure:
The results after execution are as follows:
5. WebView Remote Code Execution Vulnerability repair suggestions
1. Android system with API level equal to or higher than 17 [4]
For security reasons, in order to prevent the functions of the Java layer from being called arbitrarily, after version 4.2, Google stipulated that the functions allowed to be called must be annotated with @ javascriptinterface. Therefore, if the API level relied on by an application is 17 or above, it will not be affected by this problem (note: applications with API level less than 17 in Android 4.2 will also be affected). Use example according to Google official document [5]:
2. Android system with API level equal to or higher than 17
It is recommended not to use the addjavascriptinterface interface to avoid unnecessary security risks. Please refer to the blog post how to make JS and Java call each other safely in WebView [6].
If you must use the addjavascript interface interface:
1) If the URL is loaded using HTTPS protocol, certificate verification shall be carried out to prevent the accessed page from being tampered with;
2) If the URL is loaded using HTTP protocol, whitelist filtering and integrity verification shall be carried out to prevent the accessed page from being tampered with;
3) If the local html is loaded, the HTML file should be built into the APK and the integrity of the HTML page should be verified;
3. Remove the default built-in interface inside the Android system
Meanwhile, in 2014, it was found that the default built-in one in WebKit in Android system search@R_ 627_ 2419@JavaBridge_ There is also a Remote Code Execution Vulnerability in the interface, which was published in cve-2014-1939 [7]. It is recommended that the developer remove the JavaScript interface in the following ways:
In 2014, researchers Daoyuan Wu and rocky Chang of Hong Kong Polytechnic University found two new attack vectors in Android / WebKit / accessibilityinjector.java, namely "accessibility" and "accessibilitytraversal". The application calling this component will cause a Remote Code Execution Vulnerability in the Android system that opens the third-party service in the auxiliary function option. The vulnerability was published in cve-2014-7224. The principle of this vulnerability is similar to search@R_ 627_ 2419@JavaBridge_ The remote code execution of the interface is similar, and the unsafe default interface is not removed. It is recommended that the developer remove the JavaScript interface in the following ways:
Reference articles
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE -2012-6636
[2] Attacks on WebView in the Android System
[3] http://50.56.33.56/blog/?p=314
[4] Google Official Android API Level Reference
[5] http://developer.android.com/reference/android/webkit/WebView.html#addJavascriptInterface (java.lang.Object,java.lang.String)
[6] How to make JS and Java call each other safely in WebView
[7] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE -2014-1939
summary
The above is the whole content of this article. I hope the content of this article has a certain reference value for your study or work. If you have any questions, you can leave a message. Thank you for your support for programming tips.