2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article walks through an example analysis of CVE-2019-1105, a cross-site scripting vulnerability in the Outlook app for Android. The content is quite detailed; readers who are interested can use it as a reference, and we hope it is helpful.
Outlook is currently one of the more popular email apps. The CyberArk research team recently discovered a cross-site scripting (XSS) vulnerability in the Outlook app for Android, CVE-2019-1105, which can be used to execute arbitrary JavaScript within an e-mail message. In this article, we look at the specific cause of the vulnerability.
Vulnerability exploitation
The general exploit goes like this: if we send an email containing the payload to the victim's mailbox, then when the victim opens the email, an XSS dialog like the following pops up:
Cause of the vulnerability
We can reverse-engineer the APK of Outlook for Android. In the assets resource directory, we find a JavaScript file called "emailRenderer-android.js" which, as the name implies, loads mail messages and displays them to the user. In this JavaScript file there is a function named "layout", which calls a method named "_linkifyPhoneNumbers". As follows:
Here, a word about the Linkify class. android.text.util.Linkify is a helper class that automatically creates hyperlinks in TextView classes (and their subclasses) through regex pattern matching. Text that matches a given regex pattern is turned into a clickable hyperlink, which implicitly calls startActivity(new Intent(Intent.ACTION_VIEW, uri)) with the matched text as the target URI. Any string pattern can be specified as a link. For convenience, the Linkify class provides four preset common content types (email address, phone number, web address, and postal address).
The first step of the _linkifyPhoneNumbers method is to create a regular expression object covering possible mobile phone number patterns, as follows:
As shown in the figure above, the _linkifyPhoneNumbers regular expression matches a 7-digit sequence. After that, the _linkifyPhoneNumbers function defines a second, inner function, "replacer", which first parses the mobile phone number, as follows:
If the parsing succeeds, the inner function "replacer" converts the digits into a corresponding link, increments a counter by 1, and returns the data:
Back in the outer function, _linkifyPhoneNumbers tests whether the regular expression it defined matches each HTML element in the message. If the match succeeds, the outer function calls the inner function replacer and returns the data. In this way the message content can be replaced with unescaped text content, and the vulnerability arises:
So, after the numbers are converted into links, the content is never escaped. An attacker can therefore send a string of digits that matches the regular expression, so that the counter in the replacer function is incremented and the original message content is replaced; that is, a message containing a phone number that matches the regex is replaced with an unescaped XSS payload.
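The following is an added illustration of the rendering defect described above, written for this article; it is not the emailRenderer-android.js code from the app, and the names escapeHtml, linkifyDigits, renderTextNodeUnsafe and renderTextNodeSafe, as well as the simplified PHONE_RE pattern, are assumptions. It places the vulnerable shape (raw text linkified and written back as HTML once the counter is non-zero) beside the hardened shape (escape first, then linkify), on a constructed sample text node.

```javascript
// Added illustration, not the page's or Microsoft's code. Assumed names:
// escapeHtml, linkifyDigits, renderTextNodeUnsafe, renderTextNodeSafe.
// PHONE_RE is a simplified stand-in for the "7-digit sequence" pattern.

const PHONE_RE = /\d{7,}/g;

// Standard HTML entity escaping for text that will be placed into markup.
function escapeHtml(text) {
  return text
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// The "replacer" step: every regex match becomes a tel: link and a counter is
// incremented. The input string comes back as HTML, so whatever it already
// contained is now interpreted as markup.
function linkifyDigits(s) {
  let count = 0;
  const html = s.replace(PHONE_RE, (digits) => {
    count += 1;
    return `<a href="tel:${digits}">${digits}</a>`;
  });
  return { html, count };
}

// Vulnerable shape: the node's raw text is linkified directly. Only when the
// counter is non-zero is the generated HTML written back in place of the
// text; with no matching number, the text takes the normal escaped path.
function renderTextNodeUnsafe(rawText) {
  const { html, count } = linkifyDigits(rawText);
  return count > 0 ? html : escapeHtml(rawText);
}

// Hardened shape: escape first, then linkify. Escaping cannot alter a run of
// digits (an entity such as &#39; is far too short to match PHONE_RE), so
// phone numbers still become links, while '<' and '>' from the message body
// stay inert entities on both branches.
function renderTextNodeSafe(rawText) {
  const { html, count } = linkifyDigits(escapeHtml(rawText));
  return count > 0 ? html : escapeHtml(rawText);
}

// Constructed sample text node: a number that matches the pattern followed by
// markup-looking text that should never become live HTML.
const SAMPLE = 'Call 5551234 today <b>text from the mail body</b>';

console.log('unsafe:', renderTextNodeUnsafe(SAMPLE));
console.log('safe:  ', renderTextNodeSafe(SAMPLE));
```

The sample makes the trigger condition visible: without a matching digit run the unsafe renderer still escapes correctly, because it never leaves the normal path; the defect only appears on the branch that writes linkified text back as HTML. The fix is a single ordering change, escaping before the regex replacement rather than after it.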
Using HTML5 APIs in the XSS payload
HTML5 APIs offer a variety of new features, so we can use them to build an exploit test for the vulnerability above. Here, consider the Navigator interface, which represents the state and identity of the user agent and lets a script query it and register actions. Take the Navigator.vibrate() method as an example: when the victim opens the malicious email, this method makes the phone produce a vibration pulse. The following payload can be used in combination:
But merely triggering a vibration is not enough. We can insert a remote script into it, so that it becomes:
We can use the XMLHttpRequest object to build a more complex script that handles communication between the victim's browser and a web server we control, redirecting the victim as follows:
The code above checks the HTTP response status code and converts the link into a pop-up link window in Outlook's own olm format, as follows:
However, the status code received is 0, which according to MDN's XMLHttpRequest.status documentation indicates an error. After some analysis we found that cross-origin resource sharing (CORS) protection was in the way, so it needed to be bypassed. Here we use the cors-anywhere proxy and change the code above as follows:
With this, our CORS bypass succeeds. Using Burp Collaborator as the receiving endpoint, we can see the parameters of the message we constructed arriving along with the User-Agent of the XSS victim:
Many mobile apps embed web-application functionality. Once the embedded web layer in such an architecture has an XSS-type problem, the mobile app that hosts it is inevitably affected as well.
This concludes the example analysis of CVE-2019-1105, the cross-site scripting vulnerability in the Outlook app for Android. We hope the content above is helpful and teaches you something new. If you found the article useful, share it so more people can read it.