CVE-2014-6041 in Android Browserinfo

Summary

by MITRE

The Android WebView in Android before 4.4 allows remote attackers to bypass the Same Origin Policy via a crafted attribute containing a \u0000 character, as demonstrated by an onclick="window.open('\u0000javascript: sequence to the Android Browser application 4.2.1 or a third-party web browser.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 02/15/2022

The vulnerability identified as CVE-2014-6041 represents a critical security flaw in the Android WebView component affecting versions prior to Android 4.4. This issue stems from improper handling of null characters within attribute values, specifically within the onclick event handler of HTML elements. The vulnerability operates by exploiting the way the WebView processes special Unicode characters, particularly the null character \u0000, which can be embedded within JavaScript execution sequences to circumvent security restrictions.

The technical exploitation occurs when a malicious web page constructs an HTML element with an onclick attribute containing a null character embedded within a javascript: URL sequence. This allows attackers to bypass the Same Origin Policy that normally prevents web pages from executing scripts across different domains or origins. The vulnerability specifically targets the Android Browser application version 4.2.1 and third-party web browsers that rely on the Android WebView component, making it particularly dangerous as it affects a wide range of mobile applications and web browsing contexts.

This security bypass enables remote attackers to execute arbitrary JavaScript code within the context of the WebView, potentially allowing for data theft, session hijacking, or further exploitation of the device. The impact extends beyond simple cross-origin restrictions as it can lead to complete compromise of user data and device integrity. The vulnerability demonstrates a classic flaw in input validation and sanitization where special characters are not properly escaped or handled during parsing of HTML attributes, creating a pathway for malicious code execution.

The operational implications of this vulnerability are severe as it affects millions of Android devices running vulnerable versions of the operating system. Attackers can craft malicious web pages that, when visited by users, silently execute harmful scripts without user consent or awareness. This type of vulnerability falls under CWE-185, which addresses improper handling of regular expression special characters, and aligns with ATT&CK technique T1059.007 for JavaScript execution. The vulnerability also relates to CWE-79, which covers cross-site scripting issues, and represents a specific case where the security boundary is violated through character encoding manipulation rather than traditional XSS vectors.

Organizations and users must implement immediate mitigations including updating to Android 4.4 or later versions where this vulnerability has been patched. System administrators should also consider implementing network-level protections such as web application firewalls that can detect and block suspicious null character sequences in HTTP requests. Additionally, developers should ensure proper input validation and sanitization of all HTML attributes, particularly those containing JavaScript execution contexts, to prevent similar vulnerabilities from being introduced in custom web applications or mobile applications that utilize WebView components.

Reservation

09/01/2014

Disclosure

09/02/2014

Moderation

accepted

Entry

VDB-67451

CPE

ready

Exploit

Download

EPSS

0.18278

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!