ZipInputStream Armageddon

Overview: For those who are not aware of the ZipInputStream Armageddon, it is happening right now ... and yes, it is just as bad as the movie. THIS: http://blog.quarkslab.com/remote-code-execution-as-system-user-on-android-5-samsung-devices-abusing-wificredservice-hotspot-20.html IS: https://www.nowsecure.com/blog/2015/06/16/remote-code-execution-as-system-user-on-samsung-phones/ A: http://rotlogix.com/2015/08/22/…

Mercury Browser for Android RCE Redux

Overview: In my previous post about this browser, I covered how you can abuse the insecure parsing of the Intent URI scheme to invoke the private WiFi Manager feature. I also described how you can exploit a path traversal vulnerability in the custom web server used by the…

Same Sh*t Different Android Browser

Overview: I have been researching Android web browsers quite a bit over the last year, and have made some interesting discoveries. One of those discoveries has been the complete lack of understanding of how to securely implement the use of the Intent URI scheme. Vulnerabilities that stem from insecurely parsing…

Exploiting the Mercury Browser for Android

Overview: The Mercury Browser for Android suffers from an insecure Intent URI scheme implementation and a path traversal vulnerability within a custom web server used to support its WiFi Transfer feature. Chaining these vulnerabilities together can allow a remote attacker to perform arbitrary reading and writing of files within the…

Remote Code Execution in Dolphin Browser for Android

Update: The PoC is located here: https://www.youtube.com/watch?v=hhpP1rYn_B0
A patch was released on August 27, 2015; update now!

Overview: An attacker with the ability to control the network traffic for users of the Dolphin Browser for Android can modify the functionality of downloading and…