Paypal Remote Code Execution

Product: Paypal Android Application
Severity: High
CVE Reference: CVE-2013-7201, CVE-2013-7202
Type: Paypal Remote Code Execution

A vulnerability was discovered in the Paypal Application for Android. The vulnerability allows an attacker to gain code execution via a man-in-the-middle attack.

Software: Paypal Android Application
Affected Versions: Paypal <= 5.3 and Android < 4.2
CVE Reference:
  SSL Bypass: CVE-2013-7201
  Remote Code Execution: CVE-2013-7202
Authors: Henry Hoggard, MWR Labs (http://labs.mwrinfosecurity.com)
Severity: High Risk
Vendor: Paypal
Vendor Response: Will Not Fix

Description:

PayPal for Android allows users to send and receive money on Android, and it offers similar features to the web-based PayPal application. The PayPal Android app is vulnerable to remote code execution via man-in-the-middle attacks.

Impact:

Remote code and command execution in the context of the application. The API secrets needed to interact with PayPal’s API are stored in cleartext in the shared preferences file. These could be stolen using this exploit and then used to call methods from the PayPal API.

Cause:

PayPal uses a WebView that ignores SSL certificate errors, and the same WebView has a Javascript Interface implemented. The combination of the two bugs allows an attacker who can man-in-the-middle the connection to execute code on the device.

Interim Workaround:

Do not use the Paypal android app on public Wi-Fi networks. Update your device to Android 4.2 or later if possible.

Solution:

Changing the call from proceed() to cancel() will stop the WebView from accepting invalid SSL certificates. This prevents attackers from MITMing the WebView and injecting malicious code.

public void onReceivedSslError(WebView paramWebView, SslErrorHandler paramSslErrorHandler,
                               SslError paramSslError)
{
    // Drop the connection instead of accepting the untrusted certificate
    paramSslErrorHandler.cancel();
}

Technical Details:

SSL Bypass:

The class WebHybridClient.java implements a webview. If it hits an SSL error, it will continue with the request, rather than displaying an error or killing the connection. This means an attacker can MITM HTTPS requests through this webview.

public void onReceivedSslError(WebView paramWebView, SslErrorHandler paramSslErrorHandler,
                               SslError paramSslError)
{
    // Vulnerable: continues the request despite the SSL error
    paramSslErrorHandler.proceed();
}

Vulnerable Classes

  • com/paypal/android/choreographer/flows/help/WebHybridClient.java
  • com/paypal/android/choreographer/flows/shop/fragments/EnhancedCheckinHybridFragment.java
  • com/paypal/android/choreographer/web/WebHybridClient.java

Javascript Code Execution

The WebHybridClient class contains a method that registers a Javascript Interface on the WebView. This allows an attacker to execute code on the device in the context of the PayPal application on Android 4.1 and below.

public View onCreateView(LayoutInflater paramLayoutInflater, ViewGroup paramViewGroup,
                         Bundle paramBundle)
{
    ...
    // JavaScript is enabled on the WebView that accepts invalid certificates
    this.web.getSettings().setJavaScriptEnabled(true);
    ...
    // The listener object is exposed to page JavaScript as window.ppAndroid
    this.web.addJavascriptInterface(this.mListener, "ppAndroid");
    ...
    return localView;
}

It was recently discovered that applications do not even need to have a Javascript Interface in their own code to be vulnerable to this attack, because a Javascript Interface is implemented in the core WebView code in Android versions before 4.2. This means that every application that loads a WebView over cleartext is vulnerable to this attack.
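Both halves of the chain described in the SSL Bypass and Javascript Code Execution sections (a proceed() call inside onReceivedSslError and an addJavascriptInterface call on the same WebView) can be located with a simple static check over decompiled Java sources. The script below is an added example written for this page, not MWR's or PayPal's code: the two sample sources are constructed to mirror the shape of the methods quoted above, and the function names and finding identifiers are the example's own.

```python
"""Static check for the WebView anti-patterns described in this advisory."""
import re
from typing import Dict, List, Tuple

# Constructed sample (not PayPal's code): mirrors the shape of the decompiled
# methods quoted in the advisory, with both anti-patterns present.
VULNERABLE_SRC = """\
public class WebHybridClient extends WebViewClient {
    public void onReceivedSslError(WebView paramWebView, SslErrorHandler paramSslErrorHandler,
            SslError paramSslError)
    {
        paramSslErrorHandler.proceed();
    }

    public View onCreateView(LayoutInflater paramLayoutInflater, ViewGroup paramViewGroup,
            Bundle paramBundle)
    {
        this.web.getSettings().setJavaScriptEnabled(true);
        this.web.addJavascriptInterface(this.mListener, "ppAndroid");
        return localView;
    }
}
"""

# Constructed sample of the corrected handler: cancel() drops the connection.
FIXED_SRC = """\
public class WebHybridClient extends WebViewClient {
    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error)
    {
        handler.cancel();
    }
}
"""


def _line_of(src: str, index: int) -> int:
    """1-based line number of a character offset."""
    return src.count("\n", 0, index) + 1


def _method_bodies(src: str, name: str) -> List[Tuple[int, str]]:
    """Return (declaration_offset, body_text) for each declaration of `name`.

    Matches `void name(` so that calls such as `super.name(...)` are ignored,
    then brace-matches from the first `{` after the parameter list.
    """
    bodies = []
    for decl in re.finditer(r"\bvoid\s+" + re.escape(name) + r"\s*\(", src):
        open_idx = src.find("{", decl.end())
        if open_idx == -1:
            continue
        depth = 0
        for i in range(open_idx, len(src)):
            if src[i] == "{":
                depth += 1
            elif src[i] == "}":
                depth -= 1
                if depth == 0:
                    bodies.append((decl.start(), src[open_idx + 1:i]))
                    break
    return bodies


def audit_webview_source(src: str) -> List[Dict[str, object]]:
    """Flag SSL-error bypass and JavaScript bridge exposure in Java source."""
    findings: List[Dict[str, object]] = []

    # 1. onReceivedSslError that calls proceed(): the WebView accepts any
    #    certificate, so HTTPS traffic through it can be intercepted.
    for start, body in _method_bodies(src, "onReceivedSslError"):
        if re.search(r"\.proceed\s*\(", body):
            findings.append({"id": "SSL_ERROR_PROCEED", "line": _line_of(src, start),
                             "detail": "onReceivedSslError() calls proceed()"})

    # 2. JavaScript enabled on the WebView (prerequisite for the bridge).
    for m in re.finditer(r"setJavaScriptEnabled\s*\(\s*true\s*\)", src):
        findings.append({"id": "JS_ENABLED", "line": _line_of(src, m.start()),
                         "detail": "setJavaScriptEnabled(true)"})

    # 3. addJavascriptInterface: on Android < 4.2 (per the advisory) any page
    #    loaded in this WebView can reach the bridged object via reflection.
    for m in re.finditer(r'addJavascriptInterface\s*\(\s*([^,]+?)\s*,\s*"([^"]*)"', src):
        findings.append({"id": "JS_INTERFACE", "line": _line_of(src, m.start()),
                         "detail": f"object {m.group(1)} exposed as window.{m.group(2)}"})
    return findings


def is_mitm_to_rce_candidate(src: str) -> bool:
    """True when both halves of the chain are present in the same source."""
    ids = {f["id"] for f in audit_webview_source(src)}
    return "SSL_ERROR_PROCEED" in ids and "JS_INTERFACE" in ids


if __name__ == "__main__":
    for label, sample in (("vulnerable", VULNERABLE_SRC), ("fixed", FIXED_SRC)):
        print(f"== {label} ==")
        for f in audit_webview_source(sample):
            print(f"  line {f['line']}: {f['id']}: {f['detail']}")
        print("  MITM -> RCE chain present:", is_mitm_to_rce_candidate(sample))
```

Run against a tree of decompiled sources, the per-file findings separate the low-severity "JavaScript enabled" hits from the pair that matters here: a proceed() in the SSL error handler together with an exposed bridge object in the same client. The brace-matching is deliberately simple and assumes decompiler output with balanced braces; a comment or string containing a brace would confuse it.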

Detailed Timeline

23/12/2013: Sent initial details of the bugs
23/12/2013: Paypal acknowledges the bugs, pointing out that SSL issues are out of scope in their bug bounty
29/12/2013: Paypal requests a video PoC
29/12/2013: PoC video provided
25/02/2014: Paypal claims no risk to the Paypal brand