Dolphin Browser and mercury browser remote code execution vulnerability details-vulnerability warning-the black bar safety net

ID MYHACK58:62201566408
Type myhack58
Reporter 佚名
Modified 2015-08-31T00:00:00


0x00 description

Recent foreign security researchers rotlogix continuous exposure of the Android version of the Dolphin Browser(dolphin browser and mercury browser mercury browser security holes[1,2], although this two browser in the country is not popular, but wherein the remote attack techniques and a series of vulnerability the combination of the use of quite interesting, so for these two vulnerabilities were reproducible and learn, share with everyone progress together.

0x01 Dolphin Browser remote code execution vulnerability

The vulnerability can be seen as some time ago Samsung comes with Swift keyboard remote code vulnerability extends, differs in that through man in the middle attacks patch. so file in the so file in the JNI_OnLoad function to add malicious code when the SOS is loaded after the opportunity to achieve remote code execution. The test of Dolphin Browser version as V11. 4. 1 to 7.

The ## 1. The vulnerability principle

Dolphin Browser allows the user to select and apply themes to change the browser's appearance, when the user selects a new theme download, the theme file will be downloaded


The theme file is actually a zip file, rename it after to view the content as follows:


Since the Dolphin Browser did not unzip the file for verification, and the Android system zip library's default behavior is to allow a decompressed file to the directory where the outside, so through the middle attack, modify the HTTP request to return to the theme file zip the contents of the package, can be realized in the Dolphin Browser permissions of the directory to write the file.

Note that we test the version with the original is different, download the theme file link is https, but the SSL is also not implemented correctly, and therefore still can through the middle attack success.

[1] [2] [3] [4] [5] [6] [7] [8] [9] [1 0] next