Cordova-Android MiTM Remote Code Execution(CVE-2017-3160)

#### Product * Apache Cordova #### Vulnerable Version * 6.1.1 (and below) #### Technical Details When adding an Android project for the first time: ‘cordova platform add Android’ Cordova requires Gradle (build tool) to be installed in the local development environment. If the developer had not pre-installed Gradle, the gradle-wrapper component would send a request to download the required build-tool. The problem is that the download directory is sent over HTTP, thus creating a security breach. This breach is highly exploitable and severe since the downloaded file is immediately unzipped and executed by ‘gradle-wrapper’. The vulnerable function is under GradleBuilder.js: ``` GradleBuilder.prototype.prepEnv = function(opts) { var self = this; return check_reqs.check_gradle() [...] var distributionUrlRegex = /distributionUrl.*zip/; /*jshint -W069 */ var distributionUrl = process.env['CORDOVA_ANDROID_GRADLE_DISTRIBUTION_URL'] || 'https\\://services.gradle.org/distributions/gradle-2.14.1-all.zip'; [...] }; ``` An attacker with the ability to intercept non-encrypted traffic (MiTM), can hijack the Gradle’s download response, and provide his own file, which allows him to execute code within the developer’s computer. #### Timeline * 01-Mar-17: Added as ALEPH-2017013. * 27-Jan-17: Public disclosure.