Force Download

Here we go.
In July 2011, Roee Hay and Yair Amit from the IBM Research Group found the UXSS vulnerability in the default Android browser. This bug allows a malicious application to insert JavaScript code in the context of an arbitrary domain and stole Cookies or to do some evil things. Anyway, this bug was fixed in Android 2.3.5.

On June 21, 2012, Google Chrome for Android was released. I’ve found some interesting bugs there. Just have a look.

UXSS

As expected, the main Chrome activity isnt affected by this vulnerability. However, let’s view the AndroidManifest.xml file from Chrome .apk.


You can see that the class com.google.android.apps.chrome.SimpleChromeActivity can be called from another application, since it has the directive declared.

Decompile classes.dex from apk and look at the SimpleChromeActivity class.


The onCreate method provided above shows that a new URL will be loaded in the current tab without opening a new tab.

Here is a couple of ways to start this activity — via Android API or Activity Manager. Calls from Android API are a bit complicated, so I used "am" command from the adb shell.

shell@android:/ $ am start -n com.android.chrome/com.google.android.apps.chrome.SimpleChromeActivity -d http://www.google.ru


I think here is a non-security problem with content displaying. As we can judge by the title, Chrome loaded www.google.ru in SimpleChromeActivity instead of Main, and this activity has access to the Chrome Cookies database. The next step is injecting JavaScript code.

shell@android:/ $ am start -n com.android.chrome/com.google.android.apps.chrome.SimpleChromeActivity -d javascript:alert(document.cookie)


Voilà, JavaScript has been executed in the context of the domain www.google.ru.

CREDENTIAL DISCLOSURE

Another problem — automatic file downloading — was a real headache for all Chrome-like browsers. If you opened a binary file in the Chrome browser, it was downloaded without your approval to the SDCard directory. The same thing happened with a default browser, where this "feature" was used by NonCompatible malware. So you may ask what it has to do with credential disclosure. Look at the Chrome directory on the system.



These files (such as Cookies, History, etc) can be read only by Chrome app. It looks secure. Try to launch Chrome using the file:// wrapper and open the Cookies file.

shell@android:/ $ am start -n com.android.chrome/com.android.chrome.Main -d file:///data/data/com.android.chrome/app_chrome/Default/Cookies


When the browser starts, Cookies are downloaded/copied to /sdcard/Downloads/Cookies.bin and can be read by any application of the system.

I provided detailed information to the Chromium security team, and these bugs were fixed in version 18.0.1025308.

Links:
http://code.google.com/p/chromium/issues/detail?id=138035
http://code.google.com/p/chromium/issues/detail?id=138210

Author: Artem Chaykin, Positive Research.