CVE-2017-3160 - Gradle distribution fetched over plain HTTP in Apache Cordova-Android (MiTM leading to code execution on the developer's machine)
Summary
After the Android platform is added to a Cordova project for the first time, or after a project is created using the build scripts, the scripts fetch a Gradle distribution on the first build. Because the default distribution URI used http rather than https, an attacker on the network path (MiTM) can substitute the archive in transit, and the Gradle binaries that arrive cannot be trusted. The severity is high because the build scripts start a build, and therefore execute the freshly fetched Gradle, immediately after the download completes, so there is no point at which a developer could inspect it. Developers should upgrade to Cordova-Android 6.1.2 or later. Those who cannot upgrade can mitigate the issue by setting the CORDOVA_ANDROID_GRADLE_DISTRIBUTION_URL environment variable to https://services.gradle.org/distributions/gradle-2.14.1-all.zip before running the build scripts, which makes the wrapper fetch the same distribution over TLS.
Seebug
bulletinFamily | exploit |
id | SSV:93101 |
title | Cordova-Android MiTM Remote Code Execution (CVE-2017-3160) |
reporter | Root |
published | 2017-05-12 |
modified | 2017-05-12 |
last seen | 2017-11-19 |
description |

#### Product

* Apache Cordova

#### Vulnerable Version

* 6.1.1 (and below)

#### Technical Details

When adding an Android project for the first time (`cordova platform add Android`), Cordova requires Gradle (build tool) to be installed in the local development environment. If the developer has not pre-installed Gradle, the gradle-wrapper component sends a request to download the required build tool. The problem is that the download directory is sent over HTTP, thus creating a security breach. This breach is highly exploitable and severe, since the downloaded file is immediately unzipped and executed by `gradle-wrapper`.

The vulnerable function is in GradleBuilder.js:

```javascript
GradleBuilder.prototype.prepEnv = function(opts) {
    var self = this;
    return check_reqs.check_gradle()
    [...]
        // the line in gradle-wrapper.properties that will be rewritten
        var distributionUrlRegex = /distributionUrl.*zip/;
        /*jshint -W069 */
        // environment override first, otherwise the built-in default
        var distributionUrl = process.env['CORDOVA_ANDROID_GRADLE_DISTRIBUTION_URL'] || 'https\\://services.gradle.org/distributions/gradle-2.14.1-all.zip';
    [...]
};
```

An attacker with the ability to intercept non-encrypted traffic (MiTM) can hijack the Gradle download response and provide his own file, which allows him to execute code on the developer's computer.

#### Timeline

* 01-Mar-17: Added as ALEPH-2017013.
* 27-Jan-17: Public disclosure.
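The summary describes the mechanism (the wrapper's distributionUrl is taken from CORDOVA_ANDROID_GRADLE_DISTRIBUTION_URL or a built-in default, written into gradle-wrapper.properties through the quoted regex, and the downloaded archive is run at once), and the Seebug entry quotes the code that does it. One caveat when reading that snippet: as quoted it already shows the https default that Cordova-Android 6.1.2 shipped; the vulnerable releases used the same URL with an http scheme, which is what the summary and its environment-variable workaround refer to. The Node.js script below is an added example, not code from Cordova, from the Cordova announcement or from the Seebug entry. It reproduces the resolve-and-rewrite step on a constructed gradle-wrapper.properties and adds the check the fix amounts to, flagging a distributionUrl that is not https or that does not point at services.gradle.org. The function names, the sample properties file and the VULNERABLE_DEFAULT and FIXED_DEFAULT constants are this example's own assumptions.

```javascript
// Added example, not cordova-android's code: mirrors the distributionUrl
// resolve-and-rewrite that GradleBuilder.prepEnv performs on
// gradle-wrapper.properties and adds the scheme/host check that the
// 6.1.2 fix amounts to. All names and the sample file below are this
// example's own assumptions.

// FIXED_DEFAULT is the value the page quotes; the vulnerable default is
// the same URL with an http scheme, as the CVE summary states.
const VULNERABLE_DEFAULT = 'http\\://services.gradle.org/distributions/gradle-2.14.1-all.zip';
const FIXED_DEFAULT = 'https\\://services.gradle.org/distributions/gradle-2.14.1-all.zip';

// Same precedence as the quoted snippet: the environment variable wins,
// otherwise the built-in default is used.
function resolveDistributionUrl(env, fallback) {
  return env['CORDOVA_ANDROID_GRADLE_DISTRIBUTION_URL'] || fallback;
}

// .properties files escape ':' as '\:'; undo the escaping before parsing.
function unescapeProperty(value) {
  return value.replace(/\\(.)/g, '$1');
}

// Pull the raw distributionUrl value out of a properties file, or null.
function distributionUrlOf(contents) {
  const m = contents.match(/^distributionUrl=(.*)$/m);
  return m ? m[1] : null;
}

// Returns a list of findings; an empty list means the URL is acceptable.
function auditDistributionUrl(rawValue) {
  if (rawValue === null || rawValue === undefined) {
    return ['no distributionUrl set; the wrapper has nothing to fetch'];
  }
  let url;
  try {
    url = new URL(unescapeProperty(rawValue));
  } catch (e) {
    return ['distributionUrl is not a parseable URL: ' + rawValue];
  }
  const findings = [];
  if (url.protocol !== 'https:') {
    findings.push('distributionUrl uses ' + url.protocol +
      ' so the archive can be swapped in transit (MiTM)');
  }
  if (url.hostname !== 'services.gradle.org') {
    findings.push('distributionUrl host is ' + url.hostname +
      ', not services.gradle.org');
  }
  return findings;
}

// The regex quoted from GradleBuilder.js, /distributionUrl.*zip/, replaces
// the whole line up to the trailing "zip" with the new escaped URL.
function rewriteWrapperProperties(contents, distributionUrl) {
  const distributionUrlRegex = /distributionUrl.*zip/;
  return contents.replace(distributionUrlRegex, 'distributionUrl=' + distributionUrl);
}

// Constructed sample of gradle-wrapper.properties as a vulnerable build
// would have written it (not a file taken from a real project).
const SAMPLE_PROPERTIES = [
  'distributionBase=GRADLE_USER_HOME',
  'distributionPath=wrapper/dists',
  'zipStoreBase=GRADLE_USER_HOME',
  'zipStorePath=wrapper/dists',
  'distributionUrl=' + VULNERABLE_DEFAULT,
].join('\n');

// Audit a properties file, then apply the workaround from the summary
// (environment override, falling back to the fixed default) and audit again.
function remediate(contents, env) {
  const before = auditDistributionUrl(distributionUrlOf(contents));
  const rewritten = rewriteWrapperProperties(contents,
    resolveDistributionUrl(env, FIXED_DEFAULT));
  const after = auditDistributionUrl(distributionUrlOf(rewritten));
  return { before: before, rewritten: rewritten, after: after };
}

const result = remediate(SAMPLE_PROPERTIES, process.env);
console.log('before:', result.before);
console.log('after:', result.after);
```

Run it with node: the first audit reports the http finding for the constructed vulnerable file, the second reports nothing once the line has been rewritten with the https default. The same audit also rejects an environment override that points at http or at a host other than services.gradle.org, which is worth keeping because the workaround in the summary trusts whatever the variable contains. Enforcing https protects the archive in transit only; it does not verify what Gradle publishes, so where the project's wrapper version supports the distributionSha256Sum property in gradle-wrapper.properties, pinning the archive's checksum is the stronger check.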
References
- http://www.securityfocus.com/bid/95838
- https://cordova.apache.org/announcements/2017/01/27/android-612.html
- https://www.oracle.com/security-alerts/cpuapr2020.html