Home / vulnerabilities ExSoul Browser 3.2.2 Remote Code Execution
Posted on 18 March 2014
Source : packetstormsecurity.org Link
*# Disclosure Date:* 08/03/2014
*# Author: *Keith Makan
*# Version:* 3.2.2
*# Tested on:*Android 4.2.2 (Emulator)
*# Tools :* Drozer, Bash
*Description*ExSoul Browser version 3.2.2 suffers from a arbitrary remote
code execution vulnerability stemming from the insecure use of the
addJavascriptInterface
functionality in Androids WebView's.
*Impact*
Attackers are capable of executing arbitrary code within the context of the
affected application through forced browsing attacks to a domain hosting
malicious JavaScript or by loading up an HTML file containing malicious
JavaScript (as demonstrated in the PoC).
Currently, an estimated 100,000 - 500,000 installs are affected.
PoC
- http://i.imgur.com/I9Buh9a.png
Timeline:
1. Original Disclosure (09/03/2014)
2. (No contact from vendor) (09/03/2014 - 13/03/2014)
3. Update released (14/03/2014)
4. Public Disclosure (17/03/2014)
--
<Keith k3170makan <http://about.me/k3170makan> Makan/>
