tl;dr This exploit is an issue present in Android browser < 4.4 and several other android browsers which allows an attacker to read sqlite cookie database file and hence exposing all cookies. Along with it we also talk about a Cross Scheme Data exposure attack in Android < 4.4.

Introduction

During my research on ASOP (Stock Browser) I found out that is is possible to open links to local files using file:// protocol by from a webpage by selecting "Open Link in New tab" from the context menu". This itself is does not represent a vulnerability unless there is a way to read local files and use be able to retrieve the files remotely. However, what caught my attention here is this by default is not permitted browsers such as Chrome, Firefox, Opera etc.

The following screenshot demonstrates the error which is obtained when trying to access a local file from context menu.

Attack Plan 

In order to exploit this issue, the following was the attack plan we came up with:

i) User visits Attacker.com.
ii) Attacker.com forces a download (exploit.html) on the victim's browser using content disposition header. The purpose of the exploit.html would be read local files and send it back to the attacker.
iii) The victim opens up a link by selecting "Open Link in New tab" which opens the local file exploit.html which was forced as download.
iv) Our file exploit.html would then be reading other local files and sending it back to the attacker.

In order to write an effective exploit for the attack, I coped up with Haru Sugiyama a Security researcher from Japan. He came up with the following POC:

http://133.242.134.241/firefox/test.html

Upon accessing the above page from android browser, it would first force the following file "exploit.html". Both FireFox and Android browser save files to '/sdcard/Download/exploit.html' in case sdcard is available. The exploit.html file would then try reading the other local files. However, this was not easy as it looked at first sight. Let's first talk about how the results from Android Gingerbread were different from Jellbeans.

Android Gingerbread:Observations

In case of Android Gingerbread Emulator build 2.3 we are easily able to read other local files, this represents a vulnerability as in the browser, as it effectively allows a website to perform cross domains data theft and hence violating the same-origin-policy. The impact however is not large as roughly 11.4% of the users now use Android Gingerbread and they are dying slowly just like windows xp.

Android JellyBeans: Observations

In case jellybeans we found out that a local file was not able to read a local files,  We then tried our old null byte trick and it worked like a charm.

The following is the POC:

<button onclick="exploit()">Read iframe</button>
<button onclick="window.open('\u0000javascript:alert(document.body.innerHTML)','test')">Try \u0000</button>
<iframe src="file:/default.prop" name="test" style='width:100%;height:200'></iframe>
<script>
function exploit() {
  var iframe = document.getElementsByTagName('iframe')[0];
  try{
    alert("Try to read local file.");
    alert("contentWindow:"+iframe.contentWindow);
    alert("document:"+iframe.contentWindow.document);
    alert("body:"+iframe.contentWindow.document.body);
    alert("innerHTML:"+iframe.contentWindow.document.body.innerHTML);
  } catch(e) {
    alert(e);
  }
}
</script>

However, due to the discovery of CVE-2014-6041 the nullbytes issue was already patched and the above exploit did not work on patched devices.

Intent URL Scheme Attack

Step 2 - Stealing The Cookies