CVE-2014-6041
Published: 2014-09-02
Priority: P3 (40) · Severity: medium · CVSS 2.0 base score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Exploit: available · EPSS: 18.28% (96.9th percentile)
The Android WebView in Android before 4.4 allows remote attackers to bypass the Same Origin Policy via a crafted attribute containing a \u0000 character, as demonstrated by an onclick="window.open('\u0000javascript: sequence to the Android Browser application 4.2.1 or a third-party web browser.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| android_browser | — | — | — |
Detection & IOCs (extracted from sources)
url: /store/apps/details?id=
command: onclick="window.open('\u0000javascript:
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android CVE-2014-6041"; flow:established,to_client; file.data; content:"|5c|u0020javascript|3a|"; nocase; fast_pattern; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/same-origin-policy-bypass-vulnerability-has-wider-reach-than-thought/; classtype:attempted-user; sid:2020398; rev:6; metadata:created_at 2015_02_12, cve CVE_2014_6041, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_14;)
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android CVE-2014-6041"; flow:established,to_client; file.data; content:"|5c|u001"; fast_pattern; pcre:"/^[a-f0-9]/Ri"; content:"javascript|3a|"; nocase; within:11; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/same-origin-policy-bypass-vulnerability-has-wider-reach-than-thought/; classtype:attempted-user; sid:2020397; rev:5; metadata:created_at 2015_02_12, cve CVE_2014_6041, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_14;)
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Android RCE via XSS and Play Store XFO"; flow:established,to_client; file.data; content:"|5c|u00"; byte_test:2,<,0x21,0,relative,string,hex; content:"javascript|3a|"; nocase; within:11; distance:2; content:"/store/apps/details?id="; nocase; fast_pattern; reference:url,1337day.com/exploit/22581; reference:cve,2014-6041; reference:url,github.com/rapid7/metasploit-framework/commit/7f2add2ce30f33e7787310d7abcb1781e8ea8f43; classtype:attempted-user; sid:2020393; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_02_11, cve CVE_2014_6041, deployment Perimeter, confidence Medium, signature_severity Major, tag Web_Client_Attacks, updated_at 2024_03_14;)
bytes
|5c|u0020javascript|3a|
bytes
|5c|u001[a-f0-9] javascript|3a|
bytes
|5c|u00 (byte < 0x21) javascript|3a|
- The exploit payload is delivered in the HTTP response (server to client). Detection should focus on inbound HTTP response bodies that contain a backslash-u escape for a low code point immediately followed by 'javascript:'. The null character (\u0000) is the form quoted in the CVE description; the rules treat any code point below 0x21 prefixed to the javascript: URL as the same Same Origin Policy bypass, and split that range as \u001x (sid:2020397), \u0020 (sid:2020398) and \u0000 through \u0020 (sid:2020393).
- The combined RCE attack chain (CVE-2014-6041 + Google Play XFO bypass) contains both the Unicode-escaped javascript: payload and a Google Play Store URL path '/store/apps/details?id=' in the same HTTP response. sid:2020393 fires only when both are present, which raises fidelity for the RCE chain at the cost of not covering the standalone UXSS.
- Target URLs that send X-Frame-Options cannot be exploited by the iframe-based UXSS; the Metasploit module's BYPASS_XFO option falls back to a popup window that needs a user click. Monitoring for the absence of X-Frame-Options on sensitive pages (e.g., Google Play error pages) is therefore a relevant defensive signal.
- The RCE chain requires the victim to be authenticated to Google in the vulnerable browser. Successful exploitation results in silent remote APK installation via Google Play's remote install feature; monitor for unexpected Play Store install activity on Android < 4.4 devices.
- The UXSS can be used to scrape cookie data and page contents from a vulnerable browser window; look for exfiltration of document.cookie or page content in outbound HTTP requests following exploitation.
- Snort rules sid:2020397 and sid:2020398 are rated 'confidence Medium' and may produce false positives on legitimate pages that happen to contain Unicode escape sequences next to 'javascript:' strings (JSON-encoded script bodies are a typical source). Tune with additional context before deploying in block mode. Note also that these two rules match only the \u001x and \u0020 forms; the \u0000 form quoted in the CVE description is matched only by sid:2020393, which additionally requires the Play Store path in the same response.
- The RCE rule (sid:2020393) uses a byte_test on the two hex digits following '\u00' to require a code point below 0x21 (a control or whitespace character), then a 'javascript:' match at distance:2/within:11, i.e. immediately after those digits. Ensure your IDS/IPS engine supports the byte_test keyword with the string/hex modifiers, or the rule will not fire as intended.
- All three rules use the 'file.data' sticky buffer, so they apply to HTTP response body content. Confirm your sensor is configured to inspect HTTP response bodies (not just headers) for these rules to be effective.
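As an added example (this is not code from the page's sources, from Emerging Threats or from Metasploit), the matching logic of the three rules above re-expressed in Python and run over constructed sample response bodies. The sids, the byte_test threshold of 0x21 and the content/nocase/distance/within semantics are taken from the rules as printed; the sample bodies are made up for the demonstration and are not captured traffic. It makes the coverage gap visible: on a body carrying the \u0000 form from the CVE description, only sid:2020393 fires, and only when a Play Store path is also present.

```python
import re

# Rule sid:2020398: the literal escape "\u0020javascript:", nocase on the whole content.
RULE_2020398 = re.compile(rb'\\u0020javascript:', re.IGNORECASE)

# Rule sid:2020397: content "\u001" (no nocase), pcre /^[a-f0-9]/Ri for one hex digit,
# then "javascript:" (nocase); within:11 forces it to start right after that digit.
RULE_2020397 = re.compile(rb'\\u001(?i:[a-f0-9]javascript:)')

# Rule sid:2020393: content "\u00", then byte_test reads the next two bytes as a hex
# string and requires the value to be < 0x21; "javascript:" (nocase) must follow at
# distance:2/within:11, i.e. immediately after the two hex digits ...
ESCAPE_2020393 = re.compile(rb'\\u00([0-9a-fA-F]{2})(?i:javascript:)')
# ... and "/store/apps/details?id=" (nocase) anywhere in the same body (no relative modifier).
PLAY_PATH_2020393 = re.compile(rb'/store/apps/details\?id=', re.IGNORECASE)


def low_escapes(body):
    """Code points of every \\u00XXjavascript: sequence in body whose XX is below 0x21.

    Mirrors the byte_test in sid:2020393: 0x00 (the CVE's \\u0000 form), 0x1f and 0x20
    all qualify; \\u0041javascript: does not (0x41 >= 0x21).
    """
    return [int(m.group(1), 16) for m in ESCAPE_2020393.finditer(body)
            if int(m.group(1), 16) < 0x21]


def match_rules(body):
    """Return the set of ET sids that would fire on one HTTP response body."""
    sids = set()
    if RULE_2020398.search(body):
        sids.add(2020398)
    if RULE_2020397.search(body):
        sids.add(2020397)
    if low_escapes(body) and PLAY_PATH_2020393.search(body):
        sids.add(2020393)
    return sids


# Constructed sample response bodies (not captured traffic).
# 1. Full RCE chain: the \u0000 payload plus a Play Store install URL in the same page.
CHAIN_BODY = (b'<a href="#" onclick="window.open(\'\\u0000javascript:alert(document.cookie)\')">go</a>'
              b'<iframe src="https://play.google.com/store/apps/details?id=com.example.app"></iframe>')
# 2. Standalone UXSS using the \u0020 variant.
SPACE_BODY = b'<a onclick="window.open(\'\\u0020javascript:alert(1)\')">x</a>'
# 3. Standalone UXSS using a \u001x variant with an upper-case hex digit.
LOW_BODY = b'<script>w=window.open(\'\\u001Fjavascript:alert(1)\');</script>'
# 4. Benign: JSON with a non-ASCII escape and a \u0041 escape (0x41 >= 0x21) before javascript:.
BENIGN_BODY = b'{"name":"caf\\u00e9","s":"\\u0041javascript:void(0)","href":"javascript:void(0)"}'

if __name__ == "__main__":
    for label, body in (("chain", CHAIN_BODY), ("space", SPACE_BODY),
                        ("low", LOW_BODY), ("benign", BENIGN_BODY)):
        print(f"{label:7s} escapes={low_escapes(body)} sids={sorted(match_rules(body))}")
```

Running it prints one line per sample; the chain body yields sid 2020393 alone, the space and low bodies yield 2020398 and 2020397 respectively, and the benign body yields nothing even though it contains both a \u00XX escape and 'javascript:'. The real Snort engine retries earlier content matches when a later relative match fails, which the regex approach reproduces because each pattern is tried at every offset.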
Suricata: the same three Emerging Threats rules (sid:2020398, sid:2020397, sid:2020393) are indexed for Suricata as well.
Metasploit
Android Browser RCE Through Google Play Store XFO (CVE-2014-6041, CVSS 5.8, MEDIUM)
This module combines two vulnerabilities to achieve remote code execution on affected Android devices. First, the module exploits CVE-2014-6041, a Universal Cross-Site Scripting (UXSS) vulnerability present in versions of Android's open source stock browser (the AOSP Browser) prior to 4.4. Second, the Google Play store's web interface fails to enforce a X-Frame-Options: DENY header (XFO) on some error pages, and therefore, can be targeted for script injection. As a result, this leads to remote code execution through Google Play's remote installation feature, as any application available on the Google Play store can be installed and launched on the user's device. This module requires that the user is logged into Google with a vulnerable browser.
Metasploit
Android Open Source Platform (AOSP) Browser UXSS (CVE-2014-6041)
This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.
Metasploit
Android Open Source Platform (AOSP) Browser UXSS (CVE-2014-6041)
This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. If your target URLs use X-Frame-Options, you can enable the "BYPASS_XFO" option, which will cause a popup window to be used. This requires a click from the user and is much less stealthy, but is generally harmless-looking. By supplying a CUSTOM_JS parameter and ensuring CLOSE_POPUP is set to false, this module also allows running arbitrary javascript in the context of the targeted URL. Some sample UXSS scripts are provided in data/exploits/uxss.
No writeups or analysis indexed.
References
- http://www.rafayhackingarticles.net/2014/08/android-browser-same-origin-policy.html
- http://www.securityfocus.com/bid/69548
- https://android.googlesource.com/platform/external/webkit/+/1368e05e8875f00e8d2529fe6050d08b55ea4d87
- https://android.googlesource.com/platform/external/webkit/+/7e4405a7a12750ee27325f065b9825c25b40598c
- https://community.rapid7.com/community/metasploit/blog/2014/09/15/major-android-bug-is-a-privacy-disaster-cve-2014-6041
- https://exchange.xforce.ibmcloud.com/vulnerabilities/95693
- https://news.ycombinator.com/item?id=8321185
- https://news.ycombinator.com/item?id=8325807