Tuesday, September 1, 2015

Android Browser All Versions - Address Bar Spoofing Vulnerability - CVE-2015-3830

Introduction

Google security team themselves state that "We recognize that the address bar is the only reliable security indicator in modern browsers" and if the only reliable security indicator could be controlled by an attacker it could carry adverse affects, For instance potentially tricking users into supplying sensitive information to a malicious website due to the fact that it could easily lead the users to believe that they are visiting is legitimate website as the address bar points to the correct website.  

Android Stock Browser Address Bar Spoofing


Few months ago i discovered an address bar spoofing vulnerability affecting Android Stock Browser on all Android versions. The tests were carried out on Android Lollipop and later were confirmed on prior versions. 

The issue is caused due to the fact that the browser fails to handle 204 error "No Content" responses when combined with window.open event and therefore allowing us to spoof the address bar.

Steps To Reproduce


1) Visit http://sh.st/vAELA with Unpatched Android Stock Browser.
2) click the "Click here to be redirected" button
3) Android browser will open a new tab with the browser pointing to "http://www.google.com/csi" in the address bar, which makes the victim believe that they are infact visiting a legitimate website, however in reality the page is not hosted on google.com. 
4) As soon as the victim enters his/her credentials, they are sent to attacker.com

Note: Please visit http://sh.st/vAEXZ for unrendered version of the POC.

Proof of Concept

The following is a screenshot of Samsung Galaxy S5 running latest android stock browser, as you may notice that the address bar points to https://www.google.com/csi (Which returns a 204 response), which makes the user believe that he is infact visiting a legitimate site however it's hosted on attacker's domain name. 
 
Notes: Joe Vennix suggests that you might have to play with my timeout value , and he found 1500 - 2000 to work much more consistently. This issue is due to the fact that,  In case if the timeout fires too soon (before the NO CONTENT response is received from gmail.com), the new page will just have a blank URL bar.


Credits

The proof of concept was initially created by me, however it was later modified and improvised by "Joe Vennix". I would like to sincerely thank "Tod Beardsley" from Rapid7 team for handling the disclosure for me. Kudos!

Mitigation

The Android security team has responded by releasing patches committed to both Kitkat and Lollipop main distributions. Users are advised to contact their carriers to determine if they have received updated versions of these operating systems."
Share:

1 comment:

  1. Using AVG protection for a few years now, I'd recommend this product to all you.

    ReplyDelete

as