Published on March 27th, 2014 📆 | 4201 Views ⚑0
Multiple Vulnerabilities in Firefox for Android
The Android operating system has hardened its security with application Sandboxing features to ensure that no application can access sensitive information held by another without proper privileges.
Android applications communicate with each other through Intents and these intents can be abused by hackers to provide a channel for a malicious application to inject malicious data into a target, potentially vulnerable application.
Security Researchers at IBM have discovered multiple vulnerabilities in Firefox for Android platform that allow a malicious application to leak the sensitive information related to the user's profile.
Where the random name for user's profile is used to prevent unwanted access to this directory in case of Firefox exploitation.
Researchers developed an exploit to brute-force the <RANDOM-STRING> Firefox profile directory name in a practical amount of time CVE-2014-1516) and successfully bypassed Android’s sandbox to obtain the sensitive data reside in that directory, including users' cookies, browsing history and cache information.
For successful exploitation, an attacker can create a specially crafted HTML file, that will force Firefox to load the files including inside the user profile directory using an Intent.
Downloaded files with the exploit code will be saved automatically to the SD card at location /mnt/sdcard/Download, that can be read by the attacker using any malicious Android app.
1.) Profile Directory Name Weak Randomization (CVE-2014-1516) - The Attacker who knows the seed of the Pseudo-Random Number Generator (PRNG) can easily predict its output and eventually the generated Firefox Profile name.
2.) Profile Directory Name Leaks to Android System Log (CVE-2014-1484) - Android operating system writes the randomly generated Firefox user's Profile Directory Name in the Android System Log (logcat) at various locations, that can be used to steal private information.
In Android version 4.0 and below, installed apps with READ_LOGS permission can easily read Android system logs to identify the name of the Firefox user profile folder.
3.) Automatic File Download to SD Card (CVE-2014-1515) - Firefox for Android will download any file automatically to the SD card, if not of any known extension. Malicious apps with READ_EXTERNAL_STORAGE permission can read files from the SD card to extract non-renderable data such as the cookies database.
4.) Crash Reporter File Manipulation (CVE-2014-1506) - In cases where the application crashes, Firefox sends the crash dumps located in /data/data/org.mozilla.firefox/files/mozilla/Crash Reports/pending on the device file system. Using the exploit, an attacker can manipulate the crash report file path to the Android Log file in order to steal it.