Apache Cordova
6.1.1 (and below)
When adding an Android project for the first time: ‘cordova platform add Android’ Cordova requires Gradle (build tool) to be installed in the local development environment. If the developer had not pre-installed Gradle, the gradle-wrapper component would send a request to download the required build-tool. The problem is that the download directory is sent over HTTP, thus creating a security breach. This breach is highly exploitable and severe since the downloaded file is immediately unzipped and executed by ‘gradle-wrapper’.
The vulnerable function is under GradleBuilder.js:
GradleBuilder.prototype.prepEnv = function(opts) {
var self = this;
return check_reqs.check_gradle()
[...]
var distributionUrlRegex = /distributionUrl.*zip/;
/*jshint -W069 */
var distributionUrl = process.env['CORDOVA_ANDROID_GRADLE_DISTRIBUTION_URL'] || 'https\\://services.gradle.org/distributions/gradle-2.14.1-all.zip';
[...]
};
An attacker with the ability to intercept non-encrypted traffic (MiTM), can hijack the Gradle’s download response, and provide his own file, which allows him to execute code within the developer’s computer.