Two New Attack Vectors to Aggravate the Android addJavascriptInterface RCE Issue (CVE-2014-7224)

Daoyuan Wu and Rocky K. C. Chang
The Hong Kong Polytechnic University
Sep 29, 2014

The Android addJavascriptInterface Remote Code Execution (RCE) issue is a disaster for the Android ecosystem (see background knowledge here and here). CVE assigned CVE-2012-6636 to the basic issue, CVE-2013-4710 to attack vectors introduced in some devices, and CVE-2014-1939 to the default searchBoxJavaBridge_ vector in specific Android versions. On the defense side, developers are advised not to invoke the addJavascriptInterface API and, at the same time, to call removeJavascriptInterface("searchBoxJavaBridge_") to avoid the by-default impact.

Today we identify two new attack vectors, "accessibility" and "accessibilityTraversal", introduced by default by android/webkit/AccessibilityInjector.java. These two exposed JS objects only appear when a user enables one of the accessibility services on their Android device, such as the default TalkBack or a third-party one. The first figure below shows two accessibility services on a Samsung device. Once such a service is enabled, the two JS objects are injected into every WebView component, making the addJavascriptInterface RCE issue pervasive.

Consequence: an originally secure app becomes vulnerable. As demonstrated in the last two figures, the originally protected 360 Mobile Safe and WeChat apps become vulnerable once we enable the system accessibility service. We tested this system issue on a Samsung Grand (Android 4.1). The AccessibilityInjector is present up to Android 4.3 (i.e., not including 4.4); see here.

Advice: for end users, we suggest not enabling the accessibility services. For app developers, we believe you should invoke removeJavascriptInterface("accessibility") and removeJavascriptInterface("accessibilityTraversal") in an appropriate way to reduce the by-default attack impact. For the Android team and ROM developers, please consider removing such JS objects, and double-check whether other system services can introduce JS interface objects into WebView components by default.
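As an added illustration of the developer-side advice above (example code, not from the advisory or from any of the apps it names), the following Android helper strips all three default-injected bridge names this page mentions from a WebView. The class name WebViewHardening and the choice to repeat the removal in onPageStarted are assumptions of this example; the page does not state at which point the platform injects the objects, so the removal is applied both at setup and on every page start.

```java
import android.graphics.Bitmap;
import android.os.Build;
import android.webkit.WebView;
import android.webkit.WebViewClient;

/** Added example: remove the platform-injected JS bridges named in the advisory. */
public final class WebViewHardening {

    // Bridge names taken from the advisory: the default search box bridge
    // (CVE-2014-1939) and the two accessibility bridges (CVE-2014-7224).
    private static final String[] DEFAULT_BRIDGES = {
            "searchBoxJavaBridge_",
            "accessibility",
            "accessibilityTraversal",
    };

    private WebViewHardening() {}

    /** Removes the known default bridges. removeJavascriptInterface(String) exists since API 11. */
    public static void removeDefaultBridges(WebView webView) {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.HONEYCOMB) {
            return; // API below 11: the removal call is not available
        }
        for (String name : DEFAULT_BRIDGES) {
            // Removing a name that is not present is harmless (assumption of this example).
            webView.removeJavascriptInterface(name);
        }
    }

    /**
     * Configures a WebView that never calls addJavascriptInterface itself and
     * re-applies the removal whenever a page starts loading, so that bridges
     * injected by the platform at load time are also covered.
     */
    public static void harden(WebView webView) {
        removeDefaultBridges(webView);
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public void onPageStarted(WebView view, String url, Bitmap favicon) {
                super.onPageStarted(view, url, favicon);
                removeDefaultBridges(view);
            }
        });
    }
}
```

On Android 4.4 and later the AccessibilityInjector is no longer present, so the removal calls there are redundant but harmless.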

Timeline:
2014/09/29: we notified CVE and the Google Android team of this system issue.
2014/09/30: Google acknowledged our report.
2014/10/02: CVE assigned CVE-2014-7224 to this issue.

Referred by other security reports:
2014/10/09: WooYun-2014-78617 (The reporter even won a cash award, lol).
2014/10/20: Baidu Security Lab tested this issue in more smartphones.