Remote exploit of Apache Cordova on Android
Vulnerability Disclosure – CVE-2015-1835
A new vulnerability has been identified in Apache Cordova on Android up to v4.0.1 (v3.7.2 excluded).
Before understanding this vulnerability, it is useful to understand following concepts exploited by the vulnerability:
Android platform supports a feature called intents.
An Intent is a messaging object you can use to request an action from another app component. Although intents facilitate communication between components in several ways, there are three fundamental use-cases:
data-blogger-escaped-comment-[if !supportLists]1. data-blogger-escaped-comment-[endif]To start a service
data-blogger-escaped-comment-[if !supportLists]2. data-blogger-escaped-comment-[endif]To start an activity
data-blogger-escaped-comment-[if !supportLists]3. data-blogger-escaped-comment-[endif]To deliver a broadcast
Intents can be Explicit or Implicit. Implicit intents can be used for exploitation easier than explicit ones. These do not name a specific component, but instead declare a general action to perform, which allows a component from another app to handle it.
Android applications built with the Cordova framework load configuration parameter values from Config.xml. In the config file, developers may not explicitly set values for all the configuration parameters. These apps that don’t have explicit values set in Config.xml can have undefined configuration variables set by other apps through the use of Intent. This can lead to exploitation of vulnerability and modify the behavior of the application, including but not limited to app force-closing and unwanted dialogs appearing in the application.
How widespread is this?
The issue affects up to 5.61% of apps on Android platform, according to statistics from AppBrain, with top categories being Business, Medical and Finance.
Mitigation requires rebuilding of the apps using latest release of Cordova Android. The new release entirely removes the ability of configuration parameters to be set by intents. This change is an API change in the platform.
Developers who are concerned about this should rebuild their applications with either Cordova Android 4.0.2, or Cordova 3.7.4 if they are unable to upgrade to Cordova 4.0.2.
We recommend all the developers using the exploitable version of Apache Cordova to upgrade their apps to the latest version of the release. Android users, if you are seeing crashes and unexpected dialogs in your applications, you may be able to blame it on this vulnerability