New Android Phones Hijackable With Chrome Exploit (theregister.co.uk)

mask.of.sanity writes: Google's Chrome for Android has been popped with a single exploit that could lead to the compromise of any handset. The exploit, showcased at MobilePwn2Own at the PacSec conference, targets the JavaScript v8 engine and compromises phones when users visit a malicious website. It is also notable in that it is a single clean exploit that does not require chained vulnerabilities to work.

45 comments

  1. Not yet disclosed by unencode200x · · Score: 4, Interesting

    From TFA "acSec Google's Chrome for Android has been popped in a single exploit that could lead to the compromise of any handset.

    The exploit, showcased at MobilePwn2Own at the PacSec conference in Tokyo yesterday but not disclosed in full detail, targets the JavaScript v8 engine. It can probably hose all modern and updated Android phones if users visit a malicious website"

    --

    Chance favors the prepared mind.
    Perfect is the enemy of good.
    1. Re:Not yet disclosed by unencode200x · · Score: 2

      Actually, my bad, TFA says there was someone from Google there who got a copy of it. Interesting though. They say all that needed to be done is to go to this website and with only one vul you own the phone w/o user interaction.

      --

      Chance favors the prepared mind.
      Perfect is the enemy of good.
    2. Re:Not yet disclosed by Anonymous Coward · · Score: 0

      Frankly I want a copy. Neither my tablet nor phone is rootable. Damn you Verizon.

    3. Re:Not yet disclosed by sexconker · · Score: 1

      What devices? I bet you can root, but not get perma root.

      This attack still wouldn't unlock the bootloader for some of the more locked-down devices.

    4. Re: Not yet disclosed by Anonymous Coward · · Score: 0

      Javascript still seems to be a piece of shit technology after more than 15 years. The basic idea is to allow code execution from any place you casually visit on your device. How about trying to fix the root cause and not allowing code execution from random web sites? Disable javascript or at least use a whitelist. And no, the browser isn't a good application platform. It's pretty useless.

    5. Re:Not yet disclosed by sad_ · · Score: 1

      Not disclosed, but that doesn't mean it is unknown. Some other, blackhat hacker may be aware of and using it already, perhaps even months/years before its recent public discovery.

      --
      On a long enough timeline, the survival rate for everyone drops to zero.
    6. Re:Not yet disclosed by wardrich86 · · Score: 1

      I'd be happy with a soft root on my S5. I'm still under warranty so I don't want to trip Knox just yet. As far as I know, though, there's no option aside from flashing with an S5 on Lollipop.

  2. wtf google by Anonymous Coward · · Score: 0

    Chrome application can install arbitrary apks now?
    Sounds very fishy.

  3. Well at least it won't require an OS update to fix by Karlt1 · · Score: 4, Interesting

    Since Google can update Chrome for Android without requiring the OEMs and the carriers, it's not as bad as most Android security vulnerabilities.

  4. Does it work on the Blackberry Priv? by barlevg · · Score: 1

    Really curious how effective all of Blackberry's hardening techniques really ended up being.

    1. Re:Does it work on the Blackberry Priv? by Anonymous Coward · · Score: 0

      You are giving RIM way too much credit. The only reason the original Blackberry was secure was that it did fuck all. Their BBOS10 stuff was secure because nobody cared to hack it, no user base, no target.

    2. Re:Does it work on the Blackberry Priv? by Anonymous Coward · · Score: 0

      The ignorance displayed in your comment is astounding. BB10 passed with flying colors at this same event for two years in a row -- nobody was able to crack it and not for lack of trying. Wouldn't you like to be the first person in history to root a BlackBerry?

      High-clearance people are still required to use BlackBerries because the DoD and other alphabet soup agencies know a lot more than you do.

      I'm guessing the Priv is just as vulnerable as any Android phone.

    3. Re:Does it work on the Blackberry Priv? by Anonymous Coward · · Score: 0

      Speaking of ignorance...

    4. Re: Does it work on the Blackberry Priv? by Anonymous Coward · · Score: 0

      BB10 has the best out of box experience. Android and iOS rely on apps to be useful. BlackBerry couldn't get the major apps and without the Instagrams and Snapchats, it couldn't get the ecosystem. If you're not the kind of person who installs apps and mainly uses mail, text, browsing, or media, you'd much prefer BB10, you just don't know because you've never tried it.

      Search "BlackBerry Z30 Defeats Rivals at CES competition".

  5. Funny by Anonymous Coward · · Score: 0

    I've always found the term "morbidly obese" to be funny. Sounds like the name of one of those Scandinavian death metal bands. Imagine four or five fat-assed guys jamming on a stage and the stage collapsing from the weight.

    I've often wondered if truly fat people don't create a seal when they sit on the toilet. Do they have to lean to one side to break the seal. Psssssssssssssssttttttttttt!!!!!

    1. Re:Funny by macs4all · · Score: 1

      I've always found the term "morbidly obese" to be funny. Sounds like the name of one of those Scandinavian death metal bands. Imagine four or five fat-assed guys jamming on a stage and the stage collapsing from the weight.

      You mean like THIS?

    2. Re:Funny by macs4all · · Score: 1

      Almost all toilets in North America have a plunger sitting right next to them. That shows forward thinking!

      No, it shows the abomination that is most "Low Flush" toilets.

      Seriously, the low-flush toilet at my work is so lame that you have to literally un-wad (or unroll) the "soiled" toilet paper and "feed it" down the hole like a party-streamer, or else it will instantly clog. And I'm not talking soccer-ball sized wads, neither; more like not even a baseball-size.

      By contrast, my most-excellent (and relatively cheap) Niagara low-flow toilet only gets clogged about once a year or two, no matter how much paper I try to flush. And most of the time, a second flush will clear the clog with no plunging required.

      But then, I did my research before I bought that toilet. $150, and it out-flushes pretty much every other toilet out there. I swear, you can flush a tennis ball. And it has the same 3 inch poop-chute as all the other 'Murican toilets.

  6. Re:You know what they say... by Coren22 · · Score: 2

    Go app yourself.

    --
    APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
  7. No chained vulnerabilities? Really? by Greger47 · · Score: 4, Interesting

    It is also notable in that it is a single clean exploit that does not require multiple chained vulnerabilities to work, the researchers say.

    I have a hard time believing that. On Android, V8 and the rest of the layout engine run in a restricted sandbox service that has no permissions to install apps.

    In addition to exploiting V8 they must be using a separate privilege escalation in the Android userspace or Linux kernel to install the APK, especially if there is no interaction needed like accepting the standard install dialog.

    I'm sure curious to hear the real story when Google releases a fix.

    /greger

    1. Re:No chained vulnerabilities? Really? by Anonymous Coward · · Score: 0

      In addition to exploiting V8 they must be using a separate privilege escalation in the Android userspace or Linux kernel to install the APK, especially if there is no interaction needed like accepting the standard install dialog.

      A browser logged into a user's account can do remote install from Play with no dialog.

    2. Re:No chained vulnerabilities? Really? by Greger47 · · Score: 1

      Yea you are right, that sounds like a plausible way to do it.

      A notification will still show up, but the app will probably have time to launch its malicious payload using a broadcast receiver or such before the user has a chance to do anything about it.

      /greger

    3. Re:No chained vulnerabilities? Really? by swillden · · Score: 1

      Yea you are right, that sounds like a plausible way to do it.

      A notification will still show up, but the app will probably have time to launch its malicious payload using a broadcast receiver or such before the user has a chance to do anything about it.

      /greger

      Well, it would require getting a malicious app into Play, and the user would still have to launch the app after installing it. Getting a malicious app into Play used to be easy but now they're scanned before publishing, and the scanner is pretty good these days.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    4. Re:No chained vulnerabilities? Really? by swillden · · Score: 1

      and the user would still have to launch the app after installing it

      I should say "and the user would still have to launch the app after it's installed, unless the attacker can find and exploit a bug in the code that unpacks and compiles the APK".

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  8. Re:Well at least it won't require an OS update to by BradleyUffner · · Score: 1

    Java was touted as being secure, write-once, run-everywhere. Impervious to trivial things like heap overflows and buffer overruns.

    This is an exploit in JavaSCRIPT, not Java.

  9. Re:Well at least it won't require an OS update to by meerling · · Score: 2

    Javascript was named Livescript before the whole Java thing became super buzzworthy, so they changed the name to grab some coattail action.
    It seems to have worked for them, but it doesn't change the fact that Javascript and Java are NOT the same thing.

  10. Re:Well at least it won't require an OS update to by viperidaenz · · Score: 1

    Java code is impervious to trivial things like heap overflows and buffer overruns.

    The JVM itself is a regular C/C++ application and is not.

    Also, this has nothing at all to do with Java, it's a JavaScript virtual machine, written in C++.

  11. Re:Well at least it won't require an OS update to by Anonymous Coward · · Score: 0

    You, sir, should be in comedy. 2016 will be lucky to see the Linux community come to a uniform agreement on a suitable replacement for X11, let alone any kind of support for touch-based apps. There's no general consensus on uniformity of window managers or toolkits (GTK vs. K vs. QTK vs ...) so what makes you think that even half of the popular linux apps will even work in a touch environment well, let alone even support basic touch gestures beyond basic mouse gesture emulation?

  12. Wait, *javascript* is vulnerable? by cfalcon · · Score: 3, Interesting

    Man, I'm so surprised that the problem happened with javascript. It's just so unprecedented that javascript would have a vulnerability. It has such a good history, you know, of safety.

    Not that I'm speaking in favor of Chrome here either- the rumored ios exploit used the ios version of chrome, and it's not been the most secure browser or anything on Windows.

    But I just don't understand why every browser jumps through every hoop possible to fully support even the stupidest javascript everything. On a PC you need a bunch of special addons to limit the damage, and generally your options are "block all scripts" or "allow all scripts", with no ability to say "allow scripts that don't X, Y, or Z". Browsers should absolutely allow more restrictive profiles here, and probably the default should not fully implement javascript, which maintains its record of pile of shit virus vector for twenty years straight.

    1. Re:Wait, *javascript* is vulnerable? by Anonymous Coward · · Score: 0

      with no ability to say "allow scripts that don't X, Y, or Z". Browsers should absolutely allow more restrictive profiles here

      I don't know exactly what you want here. A checkbox for "don't allow scripts that bypass the sandbox"? "Don't allow exploits"? How would that work?

    2. Re:Wait, *javascript* is vulnerable? by Anonymous Coward · · Score: 0

      How can you expect all the advertisements and spyware that the typical webpage comes loaded with (courtesy of the companies that are financing browser development) to load and run *instantaneously* if you also want it in a sandbox which employs fine-grained, user-accessible permissions and simple, secure, verifiable code?

    3. Re:Wait, *javascript* is vulnerable? by cfalcon · · Score: 1

      You could block the ability to access elements of certain types (if type is application/pdf, don't allow it to be appended to body or etc.).

      You could block the ability of it to retrieve or view anything but a default set of variables (font list fingerprinting, end it pls- you could fix this in CSS with a setting too, while you are at it)

      You could block the ability of it to EVER trigger a goddamned thing on the right mouse button. You could replace that with some alternate control, such that right mouse button continues to work.

      You could disable the ability of it to load another page.

      You could disable the ability of it to ever make a dialog box.

      You could allow a hard limit on how much RAM any given script or its descendants can allocate.

      You could have an option for the browser to zero any RAM that the javascript has allocated on deallocation, and before garbage collection.

      Basically, type something into google like "javascript stop user from".

      Now, everything that comes back from that, EVERY SINGLE THING should be able to be blocked in the browser.

      Javascript is vile garbage.

    4. Re:Wait, *javascript* is vulnerable? by Anonymous Coward · · Score: 0

      Me too! It's like Google haven't learned a single thing from Microsoft. Running javascript in a browser is beyond stupid. This is how Outlook viruses turned Windows machines into the number one vector for malware. It used to be that email clients would just show emails, then Microsoft made such a simple task into an opportunity to run arbitrary code from arbitrary sources. And now Google with their vision of HTML5 have turned phones into opportunities to run arbitrary code from arbitrary sources, by turning simple web pages into the number one vector for malware.

      Well done, Google. With your focus on advertising everything and everyone, you've turned a safe simple idea of the original web into an ugly cesspool of random code injections. And it only took almost 20 years.

  13. LD_LIBRARY_PATH by emil · · Score: 1

    Can someone please explain to me why LD_LIBRARY_PATH does not point first to a /data/lib directory, where an app-store had a chance of patching a flaw in /system?

    I am updating vlcplayer at least once every three months - why did Google decide to carve the stagefright libraries into /system stone with no hope of updating?

    At least this bug does not impact me - I rooted and torched stock because of the SOP bug, and Chrome just on principle.

  14. Re:Well at least it won't require an OS update to by Sark666 · · Score: 1

    yeah not as bad... you mean on the flipside when it's an OS issue and you're fucked?

  15. Re:Well at least it won't require an OS update to by jrumney · · Score: 1

    Also the stagefright buffer overflow, which the GP mentioned after that was in C code, not Java.

  16. O Node by Anonymous Coward · · Score: 0

    If this is using V8, I wonder if this would impact NodeJS in any way, especially if someone is being a dummy and running it as root.

  17. Your Honor! by ThatsNotPudding · · Score: 1

    ...javascript, which maintains its record of pile of shit virus vector for twenty years straight.

    "Objection! The record clearly shows that my client's trash programs hold this title outright!" -- Adobe Space Chicken lawyer.

  18. Re:Well at least it won't require an OS update to by Fnord666 · · Score: 1

    Java is to Javascript as car is to carpet.

    --
    'The tyrant will always find pretext for his tyranny.' - Aesop's Fables