CrowdStrike identify WebKit Remote Code Execution

CrowdStrike, a new company formed by former McAfee CTO George Kurtz, recently purchased the 20-plus WebKit vulnerabilities ($1,400) that led to the Remote Code Execution (RCE) exploit being exposed at RSA earlier this month.

George and his new team spent $14k weaponizing it into an actual Android exploit, with the aim of establishing root access to an Android device running version 2.2 (Froyo) and 2.3 and setting up command and control for the Chinese Remote Access Tool (RAT). This allows a hacker to have full remote control of your Android 2.2/2.3 device.

The RAT tool would allow a hacker to listen in on smartphone conversations and monitor the user's location (using cell site and GPS technology). They would then set about deploying the malicious URL, which would then be used to crack into iOS, BlackBerry OS (this includes the PlayBook) and Android devices. This exploit can only be found in the browser, which in most instances can only access a media card, so emails and voice and SMS data on iOS and Android are safe from this right now.

RIM has advised that if you use a BlackBerry PlayBook 2.0 and you click the malicious link in an email or the preview pane of the BlackBerry PlayBook 2.0, you would be directed to the malicious website that allows this exploitation of WebKit. An attacker would only have the same permissions as the application used to browse the website. However, it's worth pointing out that this would not allow an attacker root access to the PlayBook 2.0.

This WebKit vulnerability is a Proof of Concept (PoC) right now, and it's also worth mentioning that there isn't a known exploit in the wild right now. What this does show me is that you can purchase some vulnerabilities and develop the exploit pack (weapon) at very small cost. Both Google and Apple have yet to comment on this WebKit vulnerability, so right now if you are running Android 2.2 and 2.3 you should update your firmware.

Safe surfing folks!


2 Responses to CrowdStrike identify WebKit Remote Code Execution

  1. Georg Wicherski says:

    Using a slightly modified publicly available local root exploit (“jailbreak”), it was also possible to access SMS inbox, phone call voice data, GPS location etc. This was also demonstrated at RSA.
