*# Disclosure Date:* 08/03/2014
*# Author:* Keith Makan
*# Version:* 1.0
*# Tested on:* Android 3.2.1 (HTC Flyer), Android 4.2.2 (Emulator)
*# Tools:* Drozer, Bash

*Description*

1XTRA Browser suffers from a remote code execution vulnerability stemming from insecure use of the addJavascriptInterface functionality. The vulnerability allows attackers to execute code through targeted browsing attacks to pages hosting malicious JavaScript or by loading up a malicious file into the affected application (as demonstrated in the PoC) from the local storage.

*Impact*

Attackers may be able to augment or modify the contents of the internal storage of the affected app as well as execute arbitrary code within the context of the application. This means unbridled abuse of any of the permissions granted to the application. Currently, an estimated 1000-5000 installs are affected.

*PoC*

- http://i.imgur.com/GBC25w7.png (source code)
- http://i.imgur.com/HS2Gjdh.png (exploitation - file write)

References:

- http://developer.android.com/about/versions/android-4.2.html
- https://labs.mwrinfosecurity.com/blog/2013/09/24/webview-addjavascriptinterface-remote-code-execution/

Timeline:

1. Original Disclosure (08/03/2014)
2. (no response from vendor) (08/03/2014 - 13/03/2014)
3. Update Released (14/03/2014)
4. Public Disclosure (17/03/2014)

--
Makan
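
Added example (not part of the original advisory and not the vendor's code): a small static check a reviewer could run over a decoded AndroidManifest.xml and Java source to flag addJavascriptInterface bridges that are not protected by the @JavascriptInterface filtering introduced in Android 4.2 (API 17). The manifest, the FileBridge class and the "bridge" name are constructed sample inputs.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
API_17 = 17  # Android 4.2: first level where @JavascriptInterface filtering exists

# Constructed inputs for illustration; not taken from the affected app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-sdk android:minSdkVersion="11" android:targetSdkVersion="15"/>
</manifest>"""
SAMPLE_SOURCE = """
class BrowserActivity extends Activity {
    void setup(WebView webView) {
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new FileBridge(), "bridge");
    }
}
class FileBridge {
    public void save(String name, String data) { /* writes to app storage */ }
}
"""

# Matches obj.addJavascriptInterface(<expr>, "<name>") written on one line.
BRIDGE_CALL = re.compile(r'\.addJavascriptInterface\s*\(\s*(.+?)\s*,\s*"(\w+)"\s*\)')

def sdk_levels(manifest_xml):
    """Return (minSdkVersion, targetSdkVersion) using Android's documented defaults."""
    uses_sdk = ET.fromstring(manifest_xml).find("uses-sdk")
    if uses_sdk is None:
        return 1, 1
    min_sdk = int(uses_sdk.get(ANDROID_NS + "minSdkVersion", "1"))
    target = int(uses_sdk.get(ANDROID_NS + "targetSdkVersion", str(min_sdk)))
    return min_sdk, target

def audit(manifest_xml, java_source):
    """Return (js_name, bridge_expr, reason) for each bridge that over-exposes methods."""
    min_sdk, target = sdk_levels(manifest_xml)
    if target < API_17:
        reason = "targetSdkVersion < 17: all public methods are callable from page script"
    elif min_sdk < API_17:
        reason = "minSdkVersion < 17: pre-4.2 devices ignore @JavascriptInterface"
    else:
        return []  # only annotated methods are exposed on every supported device
    return [(name, expr, reason) for expr, name in BRIDGE_CALL.findall(java_source)]

if __name__ == "__main__":
    for finding in audit(SAMPLE_MANIFEST, SAMPLE_SOURCE):
        print(finding)
```

A clean result only means the platform filter applies; each method marked @JavascriptInterface still needs review, since it remains callable by any page the WebView loads.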