New Android Phones Hijackable With Chrome Exploit (theregister.co.uk) 45
mask.of.sanity writes: Google's Chrome for Android has been popped with a single exploit that could lead to the compromise of any handset. The exploit, showcased at MobilePwn2Own at the PacSec conference, targets the JavaScript v8 engine and compromises phones when users visit a malicious website. It is also notable in that it is a single clean exploit that does not require chained vulnerabilities to work.
Not yet disclosed (Score:5, Interesting)
The exploit, showcased at MobilePwn2Own at the PacSec conference in Tokyo yesterday but not disclosed in full detail, targets the JavaScript v8 engine. It can probably hose all modern and updated Android phones if users visit a malicious website.
Re: (Score:3)
Re: (Score:2)
What devices? I bet you can root, but not get perma root.
This attack still wouldn't unlock the bootloader for some of the more locked-down devices.
Re: (Score:2)
Re: (Score:2)
Not disclosed, but that doesn't mean it is unknown. Some other blackhat hacker may be aware of it and using it already, perhaps even months or years before its recent public discovery.
Well at least it won't require an OS update to fix (Score:5, Interesting)
Since Google can update Chrome for Android without requiring the OEM's and the carriers, it's not as bad as most Android security vulnerabilities.
Re: (Score:1)
Java was touted as secure, write-once, run-everywhere. Impervious to trivial things like heap overflows and buffer overruns.
This is an exploit in JavaSCRIPT, not Java.
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
It seems to have worked for them, but it doesn't change the fact that Javascript and Java are NOT the same thing.
Re: (Score:2)
Java code is impervious to trivial things like heap overflows and buffer overruns.
The JVM itself, is a regular C/C++ application and is not.
Also, this has nothing at all to do with Java, it's a JavaScript virtual machine, written in C++.
LD_LIBRARY_PATH (Score:2)
Can someone please explain to me why LD_LIBRARY_PATH does not point first to a /data/lib directory, where an app-store had a chance of patching a flaw in /system?
I am updating vlcplayer at least once every three months - why did Google decide to carve the stagefright libraries into /system stone with no hope of updating?
At least this bug does not impact me - I rooted and torched stock because of the SOP bug, and Chrome just on principle.
Re: (Score:2)
yeah not as bad... you mean on the flipside when it's an OS issue and you're fucked?
Re: (Score:3)
Go app yourself.
Does it work on the Blackberry Priv? (Score:2)
Re: (Score:1)
Almost all toilets in North America have a plunger sitting right next to them. That shows forward thinking!
No, it shows the abomination that is most "Low Flush" toilets.
Seriously, the low-flush toilet at my work is so lame that you have to literally un-wad (or unroll) the "soiled" toilet paper and "feed it" down the hole like a party streamer, or else it will instantly clog. And I'm not talking soccer-ball-sized wads, either; more like not even baseball-sized.
By contrast, my most-excellent (and relatively cheap) Niagara low-flow toilet only gets clogged about once a year or two, no matter how much paper I
Re: (Score:1)
I've always found the term "morbidly obese" to be funny. Sounds like the name of one of those Scandinavian death metal bands. Imagine four or five fat-assed guys jamming on a stage and the stage collapsing from the weight.
You mean like THIS [youtube.com]?
No chained vulnerabilities? Really? (Score:5, Interesting)
I have a hard time believing that. On Android, V8 and the rest of the layout engine run in a restricted sandbox service that has no permissions to install apps.
In addition to exploiting V8 they must be using a separate privilege escalation in the Android userspace or Linux kernel to install the APK, especially if there is no interaction needed like accepting the standard install dialog.
I'm sure curious to hear the real story when Google releases a fix.
/greger
Re: (Score:2)
Yea you are right, that sounds like a plausible way to do it.
A notification will still show up, but the app will probably have time to launch its malicious payload using a broadcast receiver or such before the user has a chance to do anything about it.
/greger
Well, it would require getting a malicious app into Play, and the user would still have to launch the app after installing it. Getting a malicious app into Play used to be easy but now they're scanned before publishing, and the scanner is pretty good these days.
Re: (Score:2)
and the user would still have to launch the app after installing it
I should say "and the user would still have to launch the app after it's installed, unless the attacker can find and exploit a bug in the code that unpacks and compiles the APK".
Wait, *javascript* is vulnerable? (Score:4, Interesting)
Man, I'm so surprised that the problem happened with javascript. It's just so unprecedented that javascript would have a vulnerability. It has such a good history, you know, of safety.
Not that I'm speaking in favor of Chrome here either: the rumored iOS exploit used the iOS version of Chrome, and it's not been the most secure browser or anything on Windows.
But I just don't understand why every browser jumps through every hoop possible to fully support even the stupidest javascript everything. On a PC you need a bunch of special addons to limit the damage, and generally your options are "block all scripts" or "allow all scripts", with no ability to say "allow scripts that don't X, Y, or Z". Browsers should absolutely allow more restrictive profiles here, and probably the default should not fully implement javascript, which maintains its record of pile of shit virus vector for twenty years straight.
Re: (Score:2)
You could block the ability to access elements of certain types (if type is application/pdf, don't allow it to be appended to body or etc.).
You could block the ability of it to retrieve or view anything but a default set of variables (font list fingerprinting, end it pls- you could fix this in CSS with a setting too, while you are at it)
You could block the ability of it to EVER trigger a goddamned thing on the right mouse button. You could replace that with some alternate control, such that right mouse but
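As an added example (not code from this thread, and not Chrome's own code), here is what such a "restrictive profile" looks like as a user script in JavaScript: it refuses to attach <embed>/<object> elements whose type is on a block list, and it keeps pages from hijacking the right mouse button by stopping contextmenu propagation in the capture phase before any page listener can call preventDefault(). It assumes it is installed at document-start so its window listener is registered ahead of the page's own; makeStubWindow() is a constructed stand-in for the DOM so the profile can be exercised offline in Node.js.

```javascript
// Added example, not from the thread or from Chrome: a user-script style
// "restrictive profile". Policy decisions are pure functions; the installer
// patches a window-like object. Assumes it runs at document-start.

// Plugin-like elements a page may not attach, keyed on their MIME type.
const BLOCKED_PLUGIN_TYPES = new Set(["application/pdf", "application/x-shockwave-flash"]);
const PLUGIN_TAGS = new Set(["EMBED", "OBJECT"]);

// True if this node is an <embed>/<object> whose type= is on the block list.
function isBlockedPluginElement(node) {
  if (!node || typeof node.tagName !== "string") return false;
  if (!PLUGIN_TAGS.has(node.tagName.toUpperCase())) return false;
  const raw = (typeof node.getAttribute === "function" && node.getAttribute("type")) || "";
  const mime = raw.toLowerCase().split(";")[0].trim(); // drop ";foo=bar" parameters
  return BLOCKED_PLUGIN_TYPES.has(mime);
}

// Events the page is not allowed to intercept (right mouse button).
const RESERVED_EVENTS = ["contextmenu"];

// Patch `win` so that (1) blocked plugin elements are never inserted and
// (2) a capture-phase window listener stops contextmenu propagation before
// any page listener sees it. Stopping propagation, not the default action,
// is what keeps the native menu alive.
function installRestrictiveProfile(win, log = () => {}) {
  const proto = win.Node.prototype;
  const origAppend = proto.appendChild;
  const origInsert = proto.insertBefore;
  proto.appendChild = function (child) {
    if (isBlockedPluginElement(child)) { log("refused", child.tagName); return child; }
    return origAppend.call(this, child);
  };
  proto.insertBefore = function (child, ref) {
    if (isBlockedPluginElement(child)) { log("refused", child.tagName); return child; }
    return origInsert.call(this, child, ref);
  };
  for (const type of RESERVED_EVENTS) {
    win.addEventListener(type, (e) => e.stopPropagation(), { capture: true });
  }
}

// Constructed stand-in for a browser DOM (hypothetical, for offline runs only).
function makeStubWindow() {
  class Node {
    constructor(tagName, attrs = {}) { this.tagName = tagName.toUpperCase(); this.attrs = attrs; this.childNodes = []; }
    getAttribute(k) { return k in this.attrs ? this.attrs[k] : null; }
    appendChild(c) { this.childNodes.push(c); return c; }
    insertBefore(c, ref) {
      const i = ref ? this.childNodes.indexOf(ref) : -1;
      if (i < 0) this.childNodes.push(c); else this.childNodes.splice(i, 0, c);
      return c;
    }
  }
  const listeners = [];
  const win = { Node, addEventListener: (t, fn, o) => listeners.push({ type: t, fn, capture: !!(o && o.capture) }) };
  win.document = { body: new Node("body") };
  // Simulates the browser dispatching `type` at the window in the capture phase.
  win.dispatch = (type) => {
    const ev = { type, propagationStopped: false, stopPropagation() { this.propagationStopped = true; } };
    for (const l of listeners) if (l.type === type && l.capture) l.fn(ev);
    return ev;
  };
  return win;
}

// Exercises the profile against the stub: PDF embeds are refused, an <img>
// goes through, and a right-click never reaches page listeners.
function demo() {
  const win = makeStubWindow();
  installRestrictiveProfile(win);
  const body = win.document.body;
  body.appendChild(new win.Node("embed", { type: "application/pdf" }));
  body.appendChild(new win.Node("img", { src: "x.png" }));
  body.insertBefore(new win.Node("object", { type: "Application/PDF; foo=bar" }), null);
  const ev = win.dispatch("contextmenu");
  return { children: body.childNodes.map((n) => n.tagName), contextMenuStopped: ev.propagationStopped };
}
```

In a real browser the patching only helps if the script runs before page code, since a page that grabbed the original appendChild or registered its own capture listener first is not affected; that ordering is exactly what a built-in browser profile would give you and a user script cannot guarantee.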
Your Honor! (Score:2)
"Objection! The record clearly shows that my client's trash program holds this title outright!" -- Adobe Space Chicken lawyer.