Android WebView Remote Code Execution Vulnerability Analysis


In recent years the WebView remote code execution vulnerability has affected a large number of Android apps. Vulnerability-disclosure platforms list only some of them, and many affected apps are never disclosed, so the real impact of the WebView remote code execution vulnerability is larger than it appears. Because Google's Android ecosystem is highly fragmented, a large number of devices cannot be updated in a timely and effective manner, and this vulnerability is still being exploited.

Starting from the concept of a WebView, this article describes the causes, exploitation and detection of the WebView vulnerabilities in detail, and summarizes them at the end.


1. Introduction to WebView

According to Google's documentation, WebView is a View that displays web pages; in the API reference it inherits from android.view.View through ViewGroup and AbsoluteLayout.

So a WebView is also a View. In Android, a View can simply be understood as an element drawn on the screen, and a WebView is the View used to display a web page. The main function of an Android WebView is as follows:

A WebView can display online web content inside an Activity, which lets an app implement a simple browser with a limited set of controls.

The implementation of WebView has changed greatly. On Android < 4.4 (KitKat) WebView is based on WebKit; on Android >= 4.4 it is based on Chrome for Android version 30, so the difference between the two is very obvious.

It is easy to use a WebView in an Android app. First, a WebView node must be defined in the layout.

After the WebView node is added to the layout, it can be used directly in the Activity.

When WebViewActivity is opened, the index.html page is displayed. This is the basic usage of WebView.
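The basic usage described above, as an added example that is not code from the original article. The layout file name, the package name and the assets/index.html page are assumptions; the layout XML the Activity expects is shown in the leading comment.

```java
// Added example (not from the original article): minimal WebView usage on Android.
// Assumes a layout file res/layout/activity_webview.xml containing (inside a root
// layout that declares the android namespace):
//   <WebView android:id="@+id/webview"
//            android:layout_width="match_parent"
//            android:layout_height="match_parent" />
// and an index.html page bundled in the app's assets/ directory.
package com.example.webviewdemo;   // hypothetical package name

import android.app.Activity;
import android.os.Bundle;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public class WebViewActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_webview);

        WebView webView = (WebView) findViewById(R.id.webview);

        // Keep navigation inside the WebView instead of handing links to the system browser.
        webView.setWebViewClient(new WebViewClient());

        // JavaScript is disabled by default. The bundled page does not need it, so it
        // stays off; an app that enables it takes on the bridge issues discussed later.

        // file:///android_asset/ maps to the app's assets directory.
        webView.loadUrl("file:///android_asset/index.html");
    }
}
```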


2. CVEs related to WebView RCE

Over the years, the vulnerabilities related to WebView remote code execution have mainly been CVE-2012-6636, CVE-2014-1939 and CVE-2014-7224. CVE-2012-6636 is the core of the three; the other two CVEs only found several default interfaces that are exposed to the same weakness. The vulnerabilities are described below.

2.1 CVE-2012-6636

Android API level 16 and earlier have a security vulnerability because the platform does not properly restrict the use of the WebView.addJavascriptInterface method. A remote attacker can exploit it to call arbitrary methods on the exposed Java objects through the Java Reflection API.

Google Android <= 4.1.2 (API level 16) is affected by this vulnerability.

2.2 CVE-2014-1939

java/android/webkit/BrowserFrame.java calls the addJavascriptInterface API to inject an object of the SearchBoxImpl class. An attacker can execute arbitrary Java code by accessing the searchBoxJavaBridge_ interface.

Google Android <= 4.3.1 is affected by this vulnerability.

2.3 CVE-2014-7224

Researchers from the Hong Kong Polytechnic University found that when any system accessibility service is enabled, two JS objects, accessibility and accessibilityTraversal, are added to every WebView provided by the system. An attacker can use the accessibility and accessibilityTraversal Java bridges to execute code remotely.

Google Android < 4.4 is affected by this vulnerability.

3. WebView RCE vulnerability analysis

To understand the WebView remote code execution vulnerability, you first need to understand the Java reflection mechanism (Java Reflection).

3.1 Java Reflection

Reflection is a mechanism provided by the Java language that lets a Java program inspect classes, interfaces, methods and members at runtime, without knowing the class names, methods and other details at compile time.
The Java reflection mechanism works while the program is running: for any class, all of its attributes and methods can be discovered, and for any object, any method of its class can be called. This ability to obtain information dynamically and call object methods dynamically is what is called the reflection mechanism of the Java language.

To use Java Reflection, we first need to understand how to obtain a Class object. Generally, there are the following methods.

After obtaining the Class object, you gain very powerful capabilities. The Class object is the core of the Reflection API. Its common methods are as follows:
- getName()
- getFields()
- getDeclaredFields()
- getMethods()
For a better understanding, refer to the following typical examples.

3.1.1 Calling a private method

Using reflection, we have successfully called the private method a1 of Demo.
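The two points above, obtaining a Class object and calling a private method through it, as an added example that is not code from the original article. The class and method names Demo and a1 follow the article's text; the method signature and the enclosing ReflectionDemo class are assumptions.

```java
// Added example (not from the original article): obtaining a Class object and calling
// a private method through Java reflection. Demo and a1 follow the article's naming.
import java.lang.reflect.Method;

public class ReflectionDemo {

    static class Demo {
        // Private: not callable from outside the class by ordinary means.
        private String a1(String who) {
            return "a1 called with " + who;
        }
    }

    public static void main(String[] args) throws Exception {
        Demo demo = new Demo();

        // Three common ways to obtain the Class object; all yield the same instance.
        Class<?> c1 = demo.getClass();                       // from an instance
        Class<?> c2 = Demo.class;                            // from the class literal
        Class<?> c3 = Class.forName("ReflectionDemo$Demo");  // from the binary name
        System.out.println("same Class object: " + (c1 == c2 && c2 == c3));

        // getDeclaredMethod sees private members (getMethod sees only public ones).
        Method a1 = c1.getDeclaredMethod("a1", String.class);
        a1.setAccessible(true);               // switch off the access check
        Object result = a1.invoke(demo, "reflection");
        System.out.println(result);

        // Enumerating the class is just as easy. This is why an object handed to
        // untrusted code gives away everything reachable from it, not only the
        // methods its author intended to expose.
        for (Method m : c1.getDeclaredMethods()) {
            System.out.println("declared method: " + m.getName());
        }
    }
}
```

Compile and run with `javac ReflectionDemo.java && java ReflectionDemo`; no Android SDK is needed for this part.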

3.1.2 Running a command

Executing the above Java code writes the result of the id command to the file /tmp/id. This code is very close to the actual situation of the WebView vulnerability.

3.2 The addJavascriptInterface method of WebView

Next, let's look at the actual situation of the WebView vulnerability. The official Android documentation introduces addJavascriptInterface as follows:

From this introduction we can see that addJavascriptInterface injects a Java object into the WebView, and the methods of that Java object can be accessed from JavaScript. addJavascriptInterface exists so that JavaScript inside the WebView can communicate with the native app. This is indeed a powerful feature: the native app's logic stays unchanged, and the program can be updated by modifying the corresponding web page without releasing a new App version.

However, earlier versions of Android placed no restriction on which methods were accessible. Through the Java reflection mechanism, arbitrary methods of arbitrary objects can be reached from the injected object, and this is the root cause of the WebView vulnerability.


4. How WebView RCE vulnerabilities are exploited

When an affected WebView loads a page containing the following script, the related commands are executed.


Here jsinterface is the exported Java object. If exploitation succeeds, the attacker obtains the permissions of the app's user. In other words, the WebView vulnerability yields the permissions of the app itself, which are limited by the Android application sandbox and by the permissions requested in AndroidManifest.xml. For example, for the statement above to write to a file successfully, the android.permission.WRITE_EXTERNAL_STORAGE permission must be declared in AndroidManifest.xml.


5. WebView remote vulnerability detection

Load the following page in the WebView under test. Every interface name it prints is vulnerable. Using Ajax or a similar method, the WebView vulnerability test can be automated.

On Android 4.1.2, the test page was loaded under two conditions. The test results are as follows:

(1) No accessibility service enabled.
(2) One accessibility service enabled.

On the unpatched system, the JavaScript objects of CVE-2014-1939 and CVE-2014-7224 were detected successfully, so this detection code is effective.
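A self-contained version of the detection described in this section, as an added example that is not code from the original article. It wraps a constructed test page in an Activity so the result can be collected on the Java side through the console log instead of being read off the screen. The package name, the log tag and the optional appBridge name are assumptions; the three system bridge names are the ones given in section 2.

```java
// Added example (not from the original article): an Activity that loads a constructed
// test page and reports which JavaScript-visible globals expose a Java getClass()
// method, i.e. which bridges a pre-API-17 WebView lets reflection reach.
package com.example.webviewcheck;   // hypothetical package name

import android.app.Activity;
import android.os.Bundle;
import android.util.Log;
import android.webkit.ConsoleMessage;
import android.webkit.WebChromeClient;
import android.webkit.WebView;

public class WebViewCheckActivity extends Activity {
    private static final String TAG = "WebViewCheck";   // hypothetical log tag

    // Constructed test page: walks the global object and records the name of every
    // property that carries a Java-style getClass member. The names go out through
    // console.log so the Java side can collect them without adding a bridge of its own.
    private static final String TEST_PAGE =
        "<html><body><script>"
      + "var found = [];"
      + "for (var name in window) {"
      + "  try {"
      + "    var v = window[name];"
      + "    if (v && (typeof v === 'object' || typeof v === 'function')"
      + "          && ('getClass' in v)) { found.push(name); }"
      + "  } catch (e) {}"
      + "}"
      + "console.log('WEBVIEW_CHECK ' + (found.length ? found.join(',') : 'none'));"
      + "</script></body></html>";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);
        // The test page needs JavaScript; this is the same setting a vulnerable app has.
        webView.getSettings().setJavaScriptEnabled(true);

        webView.setWebChromeClient(new WebChromeClient() {
            @Override
            public boolean onConsoleMessage(ConsoleMessage msg) {
                String text = msg.message();
                if (!text.startsWith("WEBVIEW_CHECK ")) {
                    return super.onConsoleMessage(msg);
                }
                String names = text.substring("WEBVIEW_CHECK ".length());
                if (names.equals("none")) {
                    Log.i(TAG, "no reflective bridges exposed");
                } else {
                    // searchBoxJavaBridge_ (CVE-2014-1939), accessibility and
                    // accessibilityTraversal (CVE-2014-7224), or the app's own bridge
                    // appearing here means this WebView is exploitable on this device.
                    Log.w(TAG, "reflective bridges exposed: " + names);
                }
                return true;
            }
        });

        // Optional: register the app's own bridge first so it is tested as well.
        // The object name is hypothetical; on API < 17 it would appear in the report.
        // webView.addJavascriptInterface(new Object(), "appBridge");

        webView.loadDataWithBaseURL(null, TEST_PAGE, "text/html", "utf-8", null);
    }
}
```

Run it on the device or emulator under test once with no accessibility service enabled and once with one enabled, as in the two conditions above, and compare the two log lines; a fixed system logs "no reflective bridges exposed" in both runs.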


6. Repair methods and current status

Google has announced that it will no longer provide WebView patches for systems earlier than Android 4.4. For details, see the link.

Therefore, the reliable way to fix the WebView RCE vulnerability is to upgrade the Android system to at least API level 17 (Android 4.2). Besides the RCE vulnerability, which is the most serious, WebView also has various same-origin policy (SOP) vulnerabilities, so the system should be upgraded to at least Android 4.4 to be safe; for versions below Android 4.4 Google provides no patches. Android 4.4 and later use the Chrome-based WebView.

Once the system is at API level 17 or later, only methods explicitly annotated with @JavascriptInterface can be called from JavaScript. This renders the reflection attack ineffective.

We also recommend deleting the problematic interfaces in the WebView code. The specific code is as follows:

removeJavascriptInterface("accessibility");
removeJavascriptInterface("accessibilityTraversal");
removeJavascriptInterface("searchBoxJavaBridge_");
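Section 3.2 describes how a bridge is exposed and this section describes how to expose one safely; the following is an added example, not code from the original article or from Android, that puts both together: a bridge whose callable surface is limited to @JavascriptInterface methods, no bridge at all on API levels below 17, and removal of the three system interfaces named above. The package name, the AppBridge class, the appBridge object name and the loaded URL are assumptions.

```java
// Added example (not from the original article): a WebView configured the way the
// repair section recommends. Package, class, bridge name and URL are placeholders;
// the three removed interface names are the ones the article lists.
package com.example.webviewhardened;   // hypothetical package name

import android.annotation.SuppressLint;
import android.app.Activity;
import android.os.Build;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public class HardenedWebViewActivity extends Activity {

    // Object exposed to the page. On API 17+ only methods carrying @JavascriptInterface
    // are callable from JavaScript; everything else, including the inherited getClass(),
    // is invisible to the page, so reflection has nothing to start from.
    public static class AppBridge {
        private final Activity host;

        AppBridge(Activity host) { this.host = host; }

        @JavascriptInterface
        public String appVersion() {
            return "1.0";   // constructed value
        }

        // No annotation: not reachable from JavaScript on API 17+.
        public Activity getHost() { return host; }
    }

    @SuppressLint("SetJavaScriptEnabled")
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);
        webView.setWebViewClient(new WebViewClient());

        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.JELLY_BEAN_MR1) {   // API < 17
            // Any exposed object is reachable by reflection here, so expose none and
            // keep JavaScript off; the page must work without the bridge on these devices.
            webView.getSettings().setJavaScriptEnabled(false);
        } else {
            webView.getSettings().setJavaScriptEnabled(true);
            webView.addJavascriptInterface(new AppBridge(this), "appBridge");
        }

        // Drop the system-injected bridges behind CVE-2014-1939 and CVE-2014-7224.
        // removeJavascriptInterface exists since API 11; removing a name that was
        // never injected on a given version is harmless.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.HONEYCOMB) {
            webView.removeJavascriptInterface("searchBoxJavaBridge_");
            webView.removeJavascriptInterface("accessibility");
            webView.removeJavascriptInterface("accessibilityTraversal");
        }

        // Load only the app's own HTTPS origin, so the script running next to the
        // bridge is the app's own and not one supplied by an attacker.
        webView.loadUrl("https://app.example.com/index.html");   // placeholder URL
    }
}
```

The removal calls run regardless of version because a device at API 17 or 18 still carries the searchBoxJavaBridge_ object (Android <= 4.3.1 is affected per section 2.2), and the annotation-based restriction alone does not cover the system-injected bridges.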

7. Some thoughts

The security issues caused by Java reflection are not limited to WebView, which gives us ideas for finding related vulnerabilities, for example the JBoss Seam framework RCE, CVE-2010-1871.


Note how similar the code is. The Spring Framework remote code execution through Expression Language injection, which was widely discussed a while back, follows the same principle.

There are not many genuinely new vulnerabilities; most people make the same mistakes. Although one should not fall twice in the same place, in the world of network security people always fall in the same place.


References

https://developer.chrome.com/multidevice/webview/overview
http://developer.android.com/reference/android/webkit/WebView.html
https://daoyuan14.github.io/news/newattackvector.html
http://droidsploit.baidu.com/view/14100201.html
http://tutorials.jenkov.com/javareflection/index.html
http://javaxden.blogspot.sg/2007/08/hack-any-java-class-using-reflection.html
http://www.programcreek.com/2013/09/java-reflection-tutorial
https://labs.mwrinfosecurity.com/blog/2012/04/23/adventures-with-android-webviews
https://labs.mwrinfosecurity.com/advisories/2013/09/24/webview-addjavascriptinterface-remote-code-execution
