Stock Google Email App Version 4.2.2 for Android vulnerable to remote code execution : CVE-2015-1574

In plain English, this means that a specially crafted email sent to the App can crash the email App. The vulnerability has been assigned CVE-2015-1574 and is deemed critical. “No interaction from the user is needed to produce the crash, just receive the malicious email,” the researchers stated on the HMarco blog.

The vulnerability

The bug appears because of incorrect handling of the Content-Disposition header by the Google Email App. If an attacker sends a specially crafted email to the victim, the malformed Content-Disposition header causes the App to crash.
The malformed header which causes the crash is:
Whereas the correct Content-Disposition header should be:
So whenever the victim receives the malicious email, the application crashes while trying to download it. The effect can be a crash loop, because the email App attempts to open the attacker's email every time it starts, before the user can do anything. In effect, the App is unusable until the offending email is removed by the user through other means, such as a desktop email client or Google Inbox. Removing the malicious email does not, however, prevent the attacker from sending similar mails and crashing the App again.

Proof of Concept (PoC)

To successfully exploit this vulnerability, the attacker only needs to send the victim an email with an empty Content-Disposition followed by a semicolon. The researchers have written a simple Python script which sends the crafted email to a target email address. The researchers stated that they tested the vulnerability against the App on a Samsung Galaxy S4 Mini, but warned that this particular version is used by many smartphone users as their default email App.

    $ ./crash_Android_Google_email_4.2.2.0200.py -s [email protected] -r [email protected]
    [+] Sending crafted message to: [email protected]
    [+] Malicious email successfully sent.
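The root cause described in the previous section, a client that assumes a Content-Disposition value always carries a non-empty disposition token, and the header shape named above (an empty disposition followed by a semicolon) are both illustrated by the following added example. It is not the researchers' PoC and not the Gmail app's code: fragile_disposition_type is a constructed stand-in for the failure class (indexing a token list that can be empty), parse_content_disposition is a tolerant parser of the kind a client should use, and find_malformed_dispositions is a mail-gateway check that flags such headers before they reach a vulnerable client. The two sample messages are constructed for the example.

```python
"""Tolerant Content-Disposition handling and a gateway check for the
empty-disposition-plus-semicolon header shape (added example)."""
import email


def parse_content_disposition(value):
    """Parse a Content-Disposition header value into (disposition, params).

    Tolerant by design: a missing header, an empty value, a bare ';' or a
    parameter without '=' yields an empty disposition or a skipped parameter
    instead of raising, so a malformed header cannot take the client down.
    """
    if value is None:
        return "", {}
    tokens = [t.strip() for t in value.split(";")]
    disposition = tokens[0].lower()  # may legitimately be "" for bad input
    params = {}
    for token in tokens[1:]:
        if not token or "=" not in token:  # empty slot or junk: skip, don't raise
            continue
        name, _, raw = token.partition("=")
        raw = raw.strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = raw[1:-1]
        params[name.strip().lower()] = raw
    return disposition, params


def fragile_disposition_type(value):
    """Constructed illustration of the failure class (NOT the app's code):
    assumes at least one non-empty token exists and indexes it, so a value of
    ';' raises IndexError where a client would crash."""
    non_empty = [t.strip() for t in value.split(";") if t.strip()]
    return non_empty[0].lower()


def fragile_parser_survives(value):
    """True if the fragile parser handles `value` without raising."""
    try:
        fragile_disposition_type(value)
        return True
    except IndexError:
        return False


def is_malformed_disposition(value):
    """A header that is present but has an empty disposition token."""
    if value is None:
        return False
    disposition, _ = parse_content_disposition(value)
    return disposition == ""


def find_malformed_dispositions(raw_message):
    """Walk every MIME part of an RFC 822 message and return
    (part_index, header_value) for each Content-Disposition whose
    disposition token is empty; usable as a mail gateway/filter rule."""
    msg = email.message_from_string(raw_message)
    hits = []
    for index, part in enumerate(msg.walk()):
        value = part.get("Content-Disposition")
        if is_malformed_disposition(value):
            hits.append((index, value.strip()))
    return hits


# Constructed sample messages (not real traffic). Addresses use .invalid.
BENIGN_MESSAGE = """\
From: sender@example.invalid
To: recipient@example.invalid
Subject: quarterly report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--b1--
"""

# Same structure, but the attachment part carries the empty-disposition header.
MALFORMED_MESSAGE = BENIGN_MESSAGE.replace(
    'Content-Disposition: attachment; filename="report.pdf"',
    "Content-Disposition: ;",
)

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN_MESSAGE), ("malformed", MALFORMED_MESSAGE)):
        print(label, "->", find_malformed_dispositions(raw))
    print("fragile parser survives ';':", fragile_parser_survives(";"))
    print("tolerant parser on ';':", parse_content_disposition(";"))
```

The tolerant parser treats an empty disposition as data to be rejected or ignored rather than as a precondition, which is the fix a client needs; the gateway check gives administrators who cannot push an app update a way to quarantine such messages upstream.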

Fix

The researchers stated that the simplest fix is to update the App to version 4.2.2.0400 or higher. However, they added that updating is not possible in all cases. Users with rooted Android smartphones can, however, bypass the official update channel and update the App themselves. Another fix is to download the APK and install it on your smartphone. You can access the PoC written by the researchers here (Python).
