ExSoul Browser version 3.2.2 suffers from a remote code execution vulnerability.
fdf3bd0df3ea66b9e281fffe25c9e152f5c20c599e6d56fc5a375d9e32c8a578
*# Disclosure Date:* 08/03/2014
*# Author: *Keith Makan
*# Version:* 3.2.2
*# Tested on:*Android 4.2.2 (Emulator)
*# Tools :* Drozer, Bash
*Description*ExSoul Browser version 3.2.2 suffers from a arbitrary remote
code execution vulnerability stemming from the insecure use of the
addJavascriptInterface
functionality in Androids WebView's.
*Impact*
Attackers are capable of executing arbitrary code within the context of the
affected application through forced browsing attacks to a domain hosting
malicious JavaScript or by loading up an HTML file containing malicious
JavaScript (as demonstrated in the PoC).
Currently, an estimated 100,000 - 500,000 installs are affected.
PoC
- http://i.imgur.com/I9Buh9a.png
Timeline:
1. Original Disclosure (09/03/2014)
2. (No contact from vendor) (09/03/2014 - 13/03/2014)
3. Update released (14/03/2014)
4. Public Disclosure (17/03/2014)
--
<Keith k3170makan <http://about.me/k3170makan> Makan/>