Category: Vulnerabilities

Sep 16 2013

Android WebView Exploit Allows Hackers to Install Malicious Apps

A vulnerability affects the WebView control in Android applications installed on devices running Android versions older than 4.2.

This vulnerability turns a large number of Android applications into a pipeline for hackers into users’ devices and provides a way to install malicious software, send SMSs and more.


WebView allows the user to view a web application (or just a web page) as a part of an ordinary Android application. The WebView class is an extension of Android’s View class that allows you to display web pages as a part of the application’s screen layout.

All that WebView does, by default, is show a web page. When developing an Android application, if the web page you plan to load in your WebView uses JavaScript, you must enable JavaScript for your WebView.

Once JavaScript is enabled, you can create interfaces between your application code and your JavaScript code.

addJavascriptInterface (Object object, String name) method:
The addJavascriptInterface method injects a supplied Java object into WebView.
The object is injected into the JavaScript context of the main frame using a supplied name, and this allows the Java object’s methods to be accessed from JavaScript.

For applications running Android 4.1 or older, all public methods (including the inherited ones) can be accessed. So when an installed application that uses the addJavascriptInterface method loads an external web page in its WebView, JavaScript on that page can call the injected Java object (like a ‘JavaScript pipeline’) and use reflection to invoke any other, unregistered Java class, which allows attackers to call Android’s Java methods.

The Fix:
For applications running Android 4.2, all public methods that are annotated with JavascriptInterface can be accessed from JavaScript.

So if you develop an application for SDK version 17 or higher, you must add the @JavascriptInterface annotation to any method that you want available to your JavaScript.

If you do not provide the annotation, the method is not accessible by your web page when running on Android 4.2 or higher.
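
One way to apply the fix described above, shown as an added example that is not code from the original article. The class names, the "bridge" interface name and the app.example.com origin are hypothetical, and the app is assumed to be built with targetSdkVersion 17 or higher.

```java
// Added example, not from the original article. HardenedWebViewActivity, SafeBridge,
// the "bridge" name and TRUSTED_ORIGIN are hypothetical; targetSdkVersion >= 17 is assumed.
import android.app.Activity;
import android.os.Build;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public class HardenedWebViewActivity extends Activity {
    private static final String TRUSTED_ORIGIN = "https://app.example.com/";

    /** Narrow bridge object: exposes one read-only value and nothing else. */
    public static final class SafeBridge {
        @JavascriptInterface // reachable from page JavaScript
        public String getAppVersion() {
            return "1.0";
        }

        // Public but not annotated: not callable from JavaScript on Android 4.2+.
        public void internalHelper() { }
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);
        webView.getSettings().setJavaScriptEnabled(true);

        // On Android 4.1 and older every public method, inherited ones included,
        // is exposed, so the bridge is registered only where the annotation is enforced.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            webView.addJavascriptInterface(new SafeBridge(), "bridge");
        }

        // Keep the bridge-bearing WebView on the app's own pages: returning true
        // tells the WebView not to load the clicked URL.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return !url.startsWith(TRUSTED_ORIGIN);
            }
        });
        webView.loadUrl(TRUSTED_ORIGIN + "index.html");
    }
}
```

On devices older than 4.2 the page simply runs without the bridge, so the web content should be written to work when the "bridge" object is undefined.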

Infection Method:
Users can be infected when they click on a URL link using a vulnerable application that allows opening a Java enabled browser or web page.

The device will automatically perform the malicious actions ordered by the JavaScript commands contained in the malicious web page.

The commands in the JavaScript code can enable attackers to install malicious software, send SMSs, steal personal information and more.

Source: Analyzing an Android WebView exploit: AVG Official Blogs

Sep 10 2013

Report : PHP SuperGlobals are Vulnerable to Hackers

In the most recent Hacker Intelligence Initiative Report – “PHP SuperGlobals: Supersized Trouble” – Imperva analyses vulnerabilities found in the SuperGlobal parameters of the PHP platform, and finds that a multi-step attack requires a multi-layered application security solution.

In addition to local and global scope variables, PHP has several predefined variables that are called SuperGlobals. These variables are available to the PHP script in both scopes, with no need for explicit declaration. 4 SuperGlobals were introduced to PHP in version 4.1.0.

The PHP SuperGlobal parameters are gaining popularity within the hacking community because they incorporate multiple security problems into an advanced web threat that can break application logic, compromise servers, and result in fraudulent transactions and data theft.

In one month, Imperva’s research team noted an average of 144 attacks per application that contained attack vectors related to SuperGlobal parameters. Furthermore, researchers witnessed attack campaigns lasting more than five months with request burst floods of up to 90 hits per minute on a single application.

The effects of these attacks can be great as the PHP platform is by far the most popular web application development platform, powering more than 80 percent of all websites, including Facebook and Wikipedia. Clearly, it is time for the security community to devote more attention to this issue.

The report also finds that hackers are increasingly capable of packaging higher levels of sophistication into simpler scripts, and identifies PHP SuperGlobals as a prime target that yields a high return on investment.

“Exploits Against PHP Applications Can Affect the General Security and Health of the World Wide Web”.

Sep 02 2013

Facebook Vulnerability that Allowed any Photo to be Deleted Earns $12,500 Bounty

An Indian electronics and communications engineer who describes himself as a “security enthusiast with a passion for ethical hacking” has discovered a Facebook vulnerability that could have allowed for any photo on the site to be deleted without the owner’s knowledge.

Arul Kumar, a 21-year-old from Tamil Nadu, discovered that he could delete any Facebook image within a minute, even from verified pages, all without any interaction from the user.

For his efforts in reporting the vulnerability to Facebook’s whitehat bug bounty program, Kumar received a reward of $12,500.

The vulnerability that he discovered was based around exploiting the mobile version of the social network’s Support Dashboard, a portal that allows users to track the progress of any reports they make to the site, including highlighting photos that they believe should be removed.

Kumar explained his bug by using a demo account, as well as sending Facebook a proof of concept video in which he showed how he could have removed Mark Zuckerberg’s own photos from his album.

By following Facebook’s whitehat guidelines, he was able to pick up his deserved bounty.

Aug 14 2013

Android Malware Exploiting Google Cloud Messaging Service

Researchers have discovered that a number of malicious Android apps are using Google’s Cloud Messaging (GCM) service and leveraging it as a command and control server to carry out attacks.

A post on Securelist today by Kaspersky Lab’s Roman Unuchek breaks down five Trojans that have been spotted checking in with GCM after launching.

  • Trojan-SMS.AndroidOS.FakeInst.a
  • Trojan-SMS.AndroidOS.Agent.ao
  • Trojan-SMS.AndroidOS.OpFake.a
  • Backdoor.AndroidOS.Maxit.a
  • Trojan-SMS.AndroidOS.Agent.az

These Trojans have a relatively wide range of functions:

  • Sending premium text messages to a specified number
  • Sending text messages to a specified number on the contact list
  • Performing self-updates
  • Stealing text messages
  • Deleting incoming text messages that meet the criteria set by the C&C
  • Stealing contacts
  • Replacing the C&C or GCM numbers
  • Stopping or restarting its operations
  • Generating shortcuts to malicious sites
  • Initiating phone calls
  • Collecting information about the phone and the SIM card and uploading it to a server

Kaspersky Lab detected millions of installers in over 130 countries and Kaspersky Mobile Security (KMS) blocked attempted installations of these Trojans.

No doubt, GCM is a useful service for legitimate software developers. But virus writers are using Google Cloud Messaging as an additional C&C for their Trojans. Furthermore, the execution of commands received from GCM is performed by the GCM system and it is impossible to block them directly on an infected device.

The only way to cut this channel off from virus writers is to block developer accounts with IDs linked to the registration of malicious programs.

Jan 10 2013

New Java 0-Day Exploit Spotted in the Wild

A new Java 0-day vulnerability has been discovered, and is already being exploited in the wild. Currently, disabling the plugin is the only way to protect your computer.

Description:
The MBeanInstantiator in Oracle Java Runtime Environment (JRE) 1.7 in Java 7 Update 10 and earlier allows remote attackers to execute arbitrary code via vectors related to unspecified classes that allow access to the class loader, as exploited in the wild in January 2013, as demonstrated by Blackhole and Nuclear Pack, and a different vulnerability than CVE-2012-4681.

Impact:
By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system.

CVE Standard Vulnerability Entry: CVE-2013-0422

The vulnerability was later confirmed by security firm AlienVault Labs. With Kafeine’s help, the company reproduced the exploit on a new, fully patched installation of Java, and used a malicious Java applet to remotely execute the Calculator application on Windows XP, as shown in the screenshot below:

Java 7 update 10 0-day exploit demo