Android Browser and WebView addJavascriptInterface Code Execution
Disclosed | Created |
---|---|
12/21/2012 | 05/30/2018 |
Description
This module exploits a privilege escalation issue in Android that arises when untrusted JavaScript code is executed by a WebView that has one or more
Interfaces added to it. The untrusted JavaScript code can call into the Java Reflection
APIs exposed by the Interface and execute arbitrary commands.
Some distributions of the Android Browser app have an addJavascriptInterface
call tacked on, and thus are vulnerable to RCE. The Browser app in the Google APIs
4.1.2 release of Android is known to be vulnerable.
A secondary attack vector involves the WebViews embedded inside a large number
of Android applications. Ad integrations are perhaps the worst offender here.
If you can MITM the WebView's HTTP connection, or if you can get a persistent XSS
into the page displayed in the WebView, then you can inject the HTML/JS served
by this module and get a shell.
Note: Adding a .js to the URL will return plain JavaScript (no HTML markup).
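A defender-side audit for the exposure described above, added here as an example; it is not part of this module or of Metasploit. It assumes a decoded manifest and decompiled Java sources are available as strings, and relies on documented Android behaviour that this page does not state: from API level 17, apps targeting 17 or higher expose only `@JavascriptInterface`-annotated methods to JavaScript. The app, file and interface names are constructed.

```python
import re

ANNOTATION_API = 17  # API 17+: only @JavascriptInterface methods reach JS (apps targeting 17+)

# Constructed sample inputs (decoded manifest + decompiled sources of a made-up app).
SAMPLE_MANIFEST = '<uses-sdk android:minSdkVersion="14" android:targetSdkVersion="16" />'
SAMPLE_SOURCES = {
    "AdActivity.java": '''
        wv.getSettings().setJavaScriptEnabled(true);
        wv.addJavascriptInterface(new AdBridge(), "bridge");
        wv.loadUrl("http://ads.example.com/banner.html");''',
    "PayActivity.java": '''
        wv.addJavascriptInterface(new PayBridge(), "pay");
        wv.loadUrl("https://pay.example.com/");''',
    "HelpActivity.java": 'wv.loadUrl("http://help.example.com/");',
}

IFACE_RE = re.compile(r'\.addJavascriptInterface\s*\([^;]*?,\s*"([^"]+)"\s*\)')
CLEARTEXT_RE = re.compile(r'\.loadUrl\s*\(\s*"(http://[^"]+)"')


def sdk_level(manifest, attr):
    """Return an android:<attr> integer from a decoded manifest, or None."""
    m = re.search(r'android:%s="(\d+)"' % re.escape(attr), manifest)
    return int(m.group(1)) if m else None


def audit(manifest, sources):
    """Return (file, interface name, severity, reason) for each exposed bridge."""
    min_sdk = sdk_level(manifest, "minSdkVersion") or 1
    target = sdk_level(manifest, "targetSdkVersion") or min_sdk  # Android's default
    legacy = min_sdk < ANNOTATION_API or target < ANNOTATION_API
    findings = []
    for name in sorted(sources):
        code = sources[name]
        cleartext = CLEARTEXT_RE.search(code) is not None  # MITM path named above
        for iface in IFACE_RE.findall(code):
            if legacy and cleartext:
                sev, why = "high", "all public methods exposed; content loaded over HTTP"
            elif legacy:
                sev, why = "medium", "all public methods exposed (pre-API-17 behaviour)"
            else:
                sev, why = "info", "only @JavascriptInterface methods exposed"
            findings.append((name, iface, sev, why))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_MANIFEST, SAMPLE_SOURCES):
        print(*finding, sep=" | ")
```

A "medium" finding still deserves review: the persistent-XSS path described above does not depend on cleartext transport.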
Authors
jduck joev
Platform
Android,Linux
Architectures
dalvik, x86, armle, mipsle
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
```
msf > use exploit/android/browser/webview_addjavascriptinterface
msf /(e) > show actions
...actions...
msf /(e) > set ACTION < action-name >
msf /(e) > show options
...show and set options...
msf /(e) > run
```
