Paypal Remote Code Execution
CVE-2013-7201, CVE-2013-7202
A vulnerability was discovered in the PayPal application for Android. It allows an attacker positioned as a man in the middle to gain code execution inside the application.
Description
PayPal for Android allows users to send and receive money on Android and offers features similar to the web-based PayPal application. The PayPal Android app is vulnerable to remote code execution via man in the middle attacks.
Impact
Remote code and command execution in the context of the application. The API secrets needed to interact with PayPal's API are stored in cleartext in the application's shared preferences file. These could be stolen using this exploit and then used to call methods of the PayPal API.
Cause
PayPal uses a WebView that ignores SSL certificate errors, and the same WebView has a JavaScript interface attached. The combination of the two bugs allows an attacker who can man in the middle the connection to execute code on the device.
Interim Workaround
Do not use the PayPal Android app on public Wi-Fi networks. Update your device to Android 4.2 or later if possible.
Solution
Changing proceed() to cancel() stops the WebView from accepting invalid SSL certificates. This prevents attackers from MITMing the WebView and injecting malicious code.

    // Corrected handler: a certificate error aborts the request instead of continuing it.
    public void onReceivedSslError(WebView paramWebView, SslErrorHandler paramSslErrorHandler,
                                   SslError paramSslError)
    {
        paramSslErrorHandler.cancel();
    }
Technical Details
SSL Bypass
The class WebHybridClient.java implements a WebViewClient. If it hits an SSL error, it continues with the request rather than displaying an error or dropping the connection. This means an attacker can MITM HTTPS requests made through this WebView.

    // Vulnerable handler: proceed() tells the WebView to trust the bad certificate.
    public void onReceivedSslError(WebView paramWebView, SslErrorHandler paramSslErrorHandler,
                                   SslError paramSslError)
    {
        paramSslErrorHandler.proceed();
    }
Vulnerable Classes
- com/paypal/android/choreographer/flows/help/WebHybridClient.java
- com/paypal/android/choreographer/flows/shop/fragments/EnhancedCheckinHybridFragment.java
- com/paypal/android/choreographer/web/WebHybridClient.java
Javascript Code Execution
The WebHybridClient class contains a method that attaches a JavaScript interface to the WebView. Combined with the SSL bypass, this allows an attacker to execute code on the device in the context of the PayPal application on Android 4.1 and below, where every public method of the bridge object is reachable from page JavaScript via reflection.

    public View onCreateView(LayoutInflater paramLayoutInflater, ViewGroup paramViewGroup,
                             Bundle paramBundle)
    {
        ...
        this.web.getSettings().setJavaScriptEnabled(true);
        ...
        // Exposes the listener object to any page loaded in the WebView as window.ppAndroid
        this.web.addJavascriptInterface(this.mListener, "ppAndroid");
        ...
        return localView;
    }
It was recently discovered that applications do not even need to declare a JavaScript interface in their own code to be vulnerable to this attack, because a JavaScript interface is implemented in the core WebView code of Android versions before 4.2. This means that every application that loads a WebView over cleartext, or over an HTTPS connection whose certificate errors it ignores, is vulnerable to this attack.
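The following is an added example, not code from the PayPal app or this advisory, showing how both issues above (the Solution section's cancel() fix and the JavaScript interface from the Technical Details) would be handled in one hardened WebViewClient. The class name HardenedHybridClient and the Bridge object are hypothetical; "ppAndroid" is the interface name from the vulnerable code, and "searchBoxJavaBridge_" is a well-known bridge injected by the platform's own WebView on pre-4.2 releases.

```java
import android.annotation.SuppressLint;
import android.net.http.SslError;
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Hypothetical hardened replacement for the vulnerable WebHybridClient.
public final class HardenedHybridClient extends WebViewClient {

    // SSL bypass fix: a certificate error always aborts the request.
    // proceed() must never be called here, not even behind a debug flag.
    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        handler.cancel();
    }

    // Bridge object exposed to page JavaScript. From API 17 (Android 4.2) on, only
    // methods annotated with @JavascriptInterface are callable from the page; on
    // older releases every public method is reachable via reflection, which is the
    // code-execution primitive this advisory describes.
    public static final class Bridge {
        @JavascriptInterface
        public String bridgeVersion() { return "1"; }
    }

    @SuppressLint({"SetJavaScriptEnabled", "AddJavascriptInterface"})
    public static void configure(WebView web) {
        web.setWebViewClient(new HardenedHybridClient());
        web.getSettings().setJavaScriptEnabled(true);

        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            // Android 4.2+: the annotation restricts what the page can invoke.
            web.addJavascriptInterface(new Bridge(), "ppAndroid");
        } else {
            // Android 4.1 and below: add no application bridge at all, and drop the
            // bridge the platform itself injects (removeJavascriptInterface is API 11+).
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.HONEYCOMB) {
                web.removeJavascriptInterface("searchBoxJavaBridge_");
            }
        }
    }
}
```

Any feature that depended on the bridge on Android 4.1 and below has to degrade gracefully, since the only safe option on those releases is to not expose a Java object to page content at all.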