CVE-2012-6636
Published 2014-03-03
Priority: P262 · medium · CVSS 2.0 score 6.8
CVSS vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 41.36% (98.5th percentile)
The Android API before 17 does not properly restrict the WebView.addJavascriptInterface method, which allows remote attackers to execute arbitrary methods of Java objects by using the Java Reflection API within crafted JavaScript code that is loaded into the WebView component in an application targeted to API level 16 or earlier, a related issue to CVE-2013-4710.
Affected
34 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | adobe_reader | <= 11.1.3 | — |
| adobe | adobe_reader | — | — |
| boatmob | boat_browser | — | — |
| boatmob | boat_browser | — | — |
| — | android | — | — |
| — | android | — | — |
| — | android | — | — |
| — | android | — | — |
| — | android | — | — |
| — | android | — | — |
| — | android | — | — |
| — | android | — | — |
| — | android | — | — |
| — | android | — | — |
| — | android | — | — |
| — | android | — | — |
| — | android | — | — |
| — | android | — | — |
| — | android_api | <= 16.0 | — |
| — | android_api | — | — |
| — | android_api | — | — |
| — | android_api | — | — |
| — | android_api | — | — |
| — | android_api | — | — |
| — | android_api | — | — |
Detection & IOCs (extracted from sources)
url: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/android/browser/webview_addjavascriptinterface.rb
url: https://github.com/mwrlabs/drozer/blob/bcadf5c3fd08c4becf84ed34302a41d7b5e9db63/src/drozer/modules/exploit/mitm/addJavaScriptInterface.py
- Detect exploitation attempts by monitoring HTTP responses serving JavaScript that references Java Reflection API calls (e.g., getClass, forName, getMethod, invoke) delivered to Android WebView clients with API level 16 or earlier.
- Flag HTTP requests from Android user-agents where the requested URI path ends in a random 5-character alpha string followed by '.js' with an 'arch' query parameter (e.g., /[a-z]{5}.js?arch=), as this matches the Metasploit module's static JS delivery mechanism for arch-specific payloads.
- Monitor for JavaScript in web content that reads navigator.platform and dynamically injects a <script> tag with an 'arch' query parameter, a fingerprinting step used by the exploit to select the correct architecture-specific payload.
- Alert on MITM scenarios where HTTP traffic to/from Android WebViews is intercepted and HTML/JS content is injected, particularly targeting ad-integration WebViews or persistent XSS vectors in apps targeting API level 16 or earlier.
- The Google APIs 4.1.2 Android Browser app is a known vulnerable target; flag exploitation attempts specifically targeting this browser version.
- The vulnerability only affects Android API level 16 (Android < 4.2) and earlier; devices running API level 17 or higher are not affected by this specific issue.
- The exploit requires JavaScript to be enabled in the targeted WebView; detection and blocking of JavaScript execution in untrusted WebViews mitigates the attack surface.
- The Metasploit module supports multiple architectures (ARCH_DALVIK, ARCH_X86, ARCH_ARMLE, ARCH_MIPSLE); detection rules should account for arch-specific payload variants, not just ARM.
- A related CVE (CVE-2013-4710) covers the native browser's searchBoxJavaBridge_ addJavascriptInterface call; detections for CVE-2012-6636 may need to be extended to cover that variant as well.
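The URI, reflection and fingerprinting checks from the notes above, combined into a scanner for proxy or IDS transaction records. This is an added example, not a rule from any of the cited sources; the record layout, rule names, alert threshold and sample records are assumptions constructed here.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Reflection calls named in the detection notes above.
REFLECTION_RE = re.compile(r"\.\s*(getClass|forName|getMethod|invoke)\s*\(")
# Static JS delivery URI from the notes: /[a-z]{5}.js?arch= (upper case also accepted here).
ARCH_JS_PATH_RE = re.compile(r"/[A-Za-z]{5}\.js$")
SCRIPT_INJECT_RE = re.compile(r"createElement\(\s*['\"]script['\"]|<script", re.I)
MIN_REFLECTION_CALLS = 2  # assumption: distinct calls needed before alerting


def findings(txn):
    """Return sorted rule names that fire for one HTTP transaction (a dict)."""
    if "Android" not in txn.get("user_agent", ""):
        return []  # the notes scope these rules to Android clients
    hits = set()
    url = urlsplit(txn["url"])
    query = parse_qs(url.query, keep_blank_values=True)
    if ARCH_JS_PATH_RE.search(url.path) and "arch" in query:
        hits.add("arch_js_uri")
    body = txn.get("body", "")
    if len(set(REFLECTION_RE.findall(body))) >= MIN_REFLECTION_CALLS:
        hits.add("reflection_in_js")
    if ("navigator.platform" in body and SCRIPT_INJECT_RE.search(body)
            and re.search(r"[?&]arch=", body)):
        hits.add("arch_fingerprint")
    return sorted(hits)


# Constructed sample transactions (not captured traffic).
UA_OLD = "Mozilla/5.0 (Linux; U; Android 4.1.2; en-us) AppleWebKit/534.30"
SAMPLES = [
    {"user_agent": UA_OLD, "url": "http://host.example/abcde.js?arch=armle", "body": ""},
    {"user_agent": UA_OLD, "url": "http://ads.example/banner.html",
     "body": "var c = bridge.getClass().forName(name);"},
    {"user_agent": UA_OLD, "url": "http://host.example/",
     "body": "var s = document.createElement('script');"
             "s.src = '/qwert.js?arch=' + navigator.platform;"},
    {"user_agent": UA_OLD, "url": "http://cdn.example/app.js?v=3",
     "body": "handler.invoke(event);"},
    {"user_agent": "Mozilla/5.0 (Windows NT 10.0)",
     "url": "http://host.example/abcde.js?arch=armle", "body": ""},
]

if __name__ == "__main__":
    for txn in SAMPLES:
        print(txn["url"], findings(txn))
```

A single reflection-style call such as `.invoke(` is common in ordinary JavaScript, which is why the reflection rule requires two distinct calls before it fires.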
CVSS provenance
nvd: v2.0 · 6.8 MEDIUM · AV:N/AC:M/Au:N/C:P/I:P/A:P
osv: 6.8 MEDIUM
GHSA
GHSA-vw4x-mjrq-7hfm: The WebView class and use of the WebView
ghsa_unreviewed · 2022-05-17 · CVSS 6.8
CVE-2014-4968 [MEDIUM]
The WebView class and use of the WebView.addJavascriptInterface method in the Boat Browser application 8.0 and 8.0.1 for Android allow remote attackers to execute arbitrary code via a crafted web site, a related issue to CVE-2012-6636.
GHSA
GHSA-99c2-83v2-365x: Android 3
ghsa_unreviewed · 2022-05-17 · CVSS 6.8
CVE-2013-4710 [MEDIUM] CWE-20
Android 3.0 through 4.1.x on Disney Mobile, eAccess, KDDI, NTT DOCOMO, SoftBank, and other devices does not properly implement the WebView class, which allows remote attackers to execute arbitrary methods of Java objects or cause a denial of service (reboot) via a crafted web page, as demonstrated by use of the WebView.addJavascriptInterface method, a related issue to CVE-2012-6636.
GHSA
GHSA-qppx-xpxc-rvg5: The Adobe Reader Mobile application before 11
ghsa_unreviewed · 2022-05-14 · CVSS 6.8
CVE-2014-0514 [MEDIUM]
The Adobe Reader Mobile application before 11.2 for Android does not properly restrict use of JavaScript, which allows remote attackers to execute arbitrary code via a crafted PDF document, a related issue to CVE-2012-6636.
GHSA
GHSA-9qcw-937q-52w8: The Android API before 17 does not properly restrict the WebView
ghsa_unreviewed · 2022-05-13 · CVSS 9.3
CVE-2012-6636 [CRITICAL]
The Android API before 17 does not properly restrict the WebView.addJavascriptInterface method, which allows remote attackers to execute arbitrary methods of Java objects by using the Java Reflection API within crafted JavaScript code that is loaded into the WebView component in an application targeted to API level 16 or earlier, a related issue to CVE-2013-4710.
OSV
CVE-2012-6636: The Android API before 17 does not properly restrict the WebView
osv · 2014-03-03 · CVSS 6.8
CVE-2012-6636 [MEDIUM]
The Android API before 17 does not properly restrict the WebView.addJavascriptInterface method, which allows remote attackers to execute arbitrary methods of Java objects by using the Java Reflection API within crafted JavaScript code that is loaded into the WebView component in an application targeted to API level 16 or earlier, a related issue to CVE-2013-4710.
No detection rules found.
Exploit-DB
Google Android 4.2 Browser and WebView - 'addJavascriptInterface' Code Execution (Metasploit)
exploitdb · 2012-12-21
CVE-2012-6636
---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/exploit/android'
class MetasploitModule OperatingSystems::Match::ANDROID,
:arch => ARCH_ARMLE,
:javascript => true,
:rank => ExcellentRanking,
:vuln_test => VULN_CHECK_JS
)
def initialize(info = {})
super(update_info(info,
'Name' => 'Android Browser and WebView addJavascriptInterface Code Execution',
'Description' => %q{
This module exploits a privilege escalation issue in Android MSF_LICENSE,
'Author' => [
'jduck', # original msf module
'joev' # static server
],
'References' => [
['URL', 'http://blog.trustlook.com/20
```
Metasploit
Android Browser and WebView addJavascriptInterface Code Execution
metasploit
This module exploits a privilege escalation issue in Android < 4.2's WebView component that arises when untrusted JavaScript code is executed by a WebView that has one or more Interfaces added to it. The untrusted JavaScript code can call into the Java Reflection APIs exposed by the Interface and execute arbitrary commands. Some distributions of the Android Browser app have an addJavascriptInterface call tacked on, and thus are vulnerable to RCE. The Browser app in the Google APIs 4.1.2 release of Android is known to be vulnerable. A secondary attack vector involves the WebViews embedded inside a large number of Android applications. Ad integrations are perhaps the worst offender here. If you can MITM the WebView's HTTP con
- http://50.56.33.56/blog/?p=314
- http://developer.android.com/reference/android/os/Build.VERSION_CODES.html#JELLY_BEAN_MR1
- http://developer.android.com/reference/android/webkit/WebView.html#addJavascriptInterface%28java.lang.Object%2C%20java.lang.String%29
- http://jvn.jp/en/jp/JVN62161191/index.html
- http://openwall.com/lists/oss-security/2014/02/07/9
- http://www.cs.utexas.edu/~shmat/shmat_ndss14nofrak.pdf
- http://www.internetsociety.org/ndss2014/programme#session3
- https://support.lenovo.com/us/en/product_security/len_6421
Published: 2014-03-03