Title:

AirDroid Web Application Authentication Flaw

Release Date:

April 15, 2015

Patch Date:

March 2015

Reported Date:

February 27, 2015 – Submitted to AirDroid

Vendor:

AirDroid/Sand Studio/TongBu Networks

Systems Affected:

None. Vulnerability patched as of March 2015.

Summary:

The web application of AirDroid version 3.0.4 and earlier uses JSON with padding (JSONP) to perform cross-origin requests. Because JSONP is an insecure way to share data across origins, all of the AirDroid application's functionality can be hijacked, and with it other users' Android devices.
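
As an added illustration (not AirDroid's code and not part of the original advisory), the following models the JSONP defect the summary describes beside a hardened plain-JSON endpoint with an origin allow-list; the origin, cookie and secret values are constructed placeholders, and request objects are plain values so it runs without a web framework.

```javascript
// Added example, not AirDroid's code. A JSONP endpoint wraps session data in
// a caller-chosen function, so any page that loads it with a <script> tag
// runs that function with the victim's data (the browser attaches the
// victim's cookies). The hardened version returns plain JSON, which a
// <script> tag cannot execute or read, requires a header a <script> tag
// cannot set, and grants cross-origin reads only to allow-listed origins.
const ALLOWED_ORIGINS = new Set(["https://app.example"]); // placeholder origin
const CALLBACK_RE = /^[A-Za-z_$][\w$]*$/;                  // bare JS identifier

// Vulnerable: the only "check" is the session cookie, which a cross-site
// <script src=...> request carries automatically.
function jsonpSessionInfo(req) {
  if (!req.cookies.session) return { status: 401, headers: {}, body: "" };
  const cb = CALLBACK_RE.test(req.query.callback || "") ? req.query.callback : "callback";
  const data = JSON.stringify({ uid: req.cookies.session, secret: "constructed-secret" });
  return { status: 200, headers: { "Content-Type": "application/javascript" },
           body: `${cb}(${data});` };
}

// Hardened: plain JSON body, a custom request header that a <script> tag
// cannot add, and CORS credentials only for allow-listed origins.
// (CORS preflight / OPTIONS handling is omitted for brevity.)
function jsonSessionInfo(req) {
  const headers = { "Content-Type": "application/json",
                    "X-Content-Type-Options": "nosniff", Vary: "Origin" };
  if (!req.cookies.session) return { status: 401, headers, body: "" };
  if (req.headers["x-requested-with"] !== "XMLHttpRequest") {
    return { status: 403, headers, body: "" };   // script-tag style load
  }
  const origin = req.headers.origin;
  if (origin !== undefined) {                     // cross-origin XHR/fetch
    if (!ALLOWED_ORIGINS.has(origin)) return { status: 403, headers, body: "" };
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  const data = JSON.stringify({ uid: req.cookies.session, secret: "constructed-secret" });
  return { status: 200, headers, body: data };
}
```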

Vendor Status:

AirDroid has been made aware of the issue and has pushed a patch to the web interface here.

Exploit Availability:

We created an exploit to demonstrate the severity of this particular vulnerability. It works as follows:

1. Construct a malicious page that sources the following JSONP endpoint:

2. Lure an authenticated AirDroid user to the malicious page created in step 1. This causes the JSONP endpoint above to be loaded using the victim's active AirDroid web session, and the response contains the information needed to generate a valid 7bb session token. A sample response is given below:

3. Using the above information, a valid 7bb session token can be generated. The following pseudocode shows the process for creating that token:

Researcher(s):

Matt Bryant of Bishop Fox

Vulnerability Details:

This authentication flaw allows remote control of other users' Android phones, including the following functionality:
SMS: Send and receive individual or group messages.
Apps: Import and export .apk files.
Files: Manage files on Android and transfer files between Android and computer.
Photos: View and manage photos on Android and transfer photos between Android and computer.
Music & Videos: Play and manage music and videos on Android and transfer them between Android and computer.
Ringtones: Set music as ringtone and export any ringtone.
Contacts: View and edit all contacts.
Screenshot: View the real-time screen of Android devices and take static screenshots (root required).
Camera: See through the lens of both the front and back camera; the flashlight is also supported.
URL: Push a URL to Android and automatically open it in the Android browser.
Clipboard: Share clipboard content between Android and computer.
GPS: Track the mobile device's location.