CVE-2017-17551
https://nvd.nist.gov/vuln/detail/CVE-2017-17551
Mobotap
Dolphin Browser for Android < 12.0.2
The Backup and Restore feature in Mobotap's Dolphin Browser for Android 12.0.2, suffers from an arbitrary file write vulnerability when attempting to restore browser settings from a malicious Dolphin Browser backup file. This arbitrary file write vulnerability, allows an attacker to overwrite a specific executable in the Dolphin Browser's data directory with a crafted malicious executable. Every time the Dolphin Browser is launched, it will attempt to run the malicious executable from disk, thus executing the attacker's code.
https://github.com/VerSprite/research/tree/master/exploits/VS-2017-001
Mobotap has not issued a reponse nor an update to remediate this vulnerability
- 2017-11-28 - Reached out on Twitter and asked to speak with someone who is responsible for product security
- 2017-12-04 - Emailed requesting to speak with someone who can address security issues in the Dolphin Browser for Android, no response
- 2017-12-07 - Emailed to verify initial email was received, no response
- 2017-12-10 - Emailed to inform the public release of an advisory, CC'ed security@dolphin.com and received a bounce on the email address
- 2017-12-11 - Public zero day release of advisory
Benjamin Watson of VerSprite Security (@rotlogix)