Vulnerabilities > CVE-2017-3160 - Man in the Middle Security Bypass vulnerability in Apache Cordova For Android

047910
CVSS 5.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
NONE
network
apache

Summary

After the Android platform is added to Cordova the first time, or after a project is created using the build scripts, the scripts will fetch Gradle on the first build. However, since the default URI is not using https, it is vulnerable to a MiTM and the Gradle executable is not safe. The severity of this issue is high due to the fact that the build scripts immediately start a build after Gradle has been fetched. Developers who are concerned about this issue should install version 6.1.2 or higher of Cordova-Android. If developers are unable to install the latest version, this vulnerability can easily be mitigated by setting the CORDOVA_ANDROID_GRADLE_DISTRIBUTION_URL environment variable to https://services.gradle.org/distributions/gradle-2.14.1-all.zip

Seebug

bulletinFamilyexploit
description#### Product * Apache Cordova #### Vulnerable Version * 6.1.1 (and below) #### Technical Details When adding an Android project for the first time: ‘cordova platform add Android’ Cordova requires Gradle (build tool) to be installed in the local development environment. If the developer had not pre-installed Gradle, the gradle-wrapper component would send a request to download the required build-tool. The problem is that the download directory is sent over HTTP, thus creating a security breach. This breach is highly exploitable and severe since the downloaded file is immediately unzipped and executed by ‘gradle-wrapper’. The vulnerable function is under GradleBuilder.js: ``` GradleBuilder.prototype.prepEnv = function(opts) { var self = this; return check_reqs.check_gradle() [...] var distributionUrlRegex = /distributionUrl.*zip/; /*jshint -W069 */ var distributionUrl = process.env['CORDOVA_ANDROID_GRADLE_DISTRIBUTION_URL'] || 'https\\://services.gradle.org/distributions/gradle-2.14.1-all.zip'; [...] }; ``` An attacker with the ability to intercept non-encrypted traffic (MiTM), can hijack the Gradle’s download response, and provide his own file, which allows him to execute code within the developer’s computer. #### Timeline * 01-Mar-17: Added as ALEPH-2017013. * 27-Jan-17: Public disclosure.
idSSV:93101
last seen2017-11-19
modified2017-05-12
published2017-05-12
reporterRoot
titleCordova-Android MiTM Remote Code Execution(CVE-2017-3160)