Vulnerabilities exist in two fairly popular alternative browsers for Android, Dolphin and Mercury, that depending on the browser could result in either remote code execution or arbitrary file read/write access.
Mobile security researcher Benjamin Watson, who blogs under the name Rotlogix, discovered the browser vulnerabilities and over the weekend published descriptions, along with proof-of-concept code, for both.
Assuming the attacker and user are on the same shared network environment, an attacker can exploit the Dolphin vulnerability when the user downloads and applies a new theme for the browser.
Through some reverse engineering, Rotlogix discovered that Dolphin has the functionality to unzip and apply a theme file. By proxying the download traffic, Rotlogix found he could inject a modified theme and, in turn, achieve an arbitrary write into the browser’s data directory. Once in, he also found he could create a crafted library that overwrites the one already in the browser’s directory, resulting in what he calls “full blown code execution.”
Rotlogix penned a blog entry on the vulnerability last Friday and claimed Dolphin developers were aware of the issue. When asked Monday when a fix for the vulnerability would arrive, a spokesperson with the company claimed it was working on a fix for the issue.
Dolphin, run by San Francisco-based Mobotap, Inc., boasts between 50,000,000 and 100,000,000 installs and, after Chrome and Firefox, is one of the more popular alternative browsers for Android. An update for the browser actually came Monday, but it’s unclear whether the latest version includes a fix for the remote code execution issue at hand.
The issue with Mercury, an Android browser produced by iLegendSoft, Inc., stems from a combination of what Rotlogix describes as an insecure Intent URI scheme implementation and a path traversal vulnerability. Mercury’s bugs are mostly rooted in its WiFi Transfer feature. Via a malicious HTML page an attacker could “invoke private Activities,” according to Rotlogix.
It took some digging, but through the path traversal vulnerability Rotlogix found he could abuse the feature not only to read data from Mercury’s data directory, but also to download, upload and replace certain files in the browser’s directory.
iLegendSoft did not immediately respond to Threatpost’s request for comment; in the meantime, Rotlogix is urging users to remove the browser and use another until the issue is addressed.
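Both bugs come down to the same missing check: an archive entry (Dolphin’s theme unzip) or a client-supplied path (Mercury’s WiFi Transfer) is written or served without confirming that it stays under the intended directory. The following Python is an added example, not code from either browser or from Rotlogix’s proof of concept, showing a path-containment check applied to both cases; the theme archive contents and directory names are constructed for the demonstration.

```python
import io
import os
import tempfile
import zipfile

def is_within(base: str, target: str) -> bool:
    """True if target resolves (symlinks and '..' included) to a path inside base."""
    base_real = os.path.realpath(base)
    return os.path.commonpath([base_real, os.path.realpath(target)]) == base_real

def safe_extract(data: bytes, dest_dir: str) -> list:
    """Apply a zip (e.g. a theme) only if every entry stays inside dest_dir.
    Returns the offending entry names; when there are any, nothing is written."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = zf.infolist()
        rejected = [e.filename for e in entries
                    if not is_within(dest_dir, os.path.join(dest_dir, e.filename))]
        if rejected:  # all-or-nothing: a hostile archive leaves no partial state
            return rejected
        for e in entries:
            target = os.path.join(dest_dir, e.filename)
            os.makedirs(target if e.is_dir() else os.path.dirname(target), exist_ok=True)
            if not e.is_dir():
                with zf.open(e) as src, open(target, "wb") as dst:
                    dst.write(src.read())
    return []

def build_zip(entries: dict) -> bytes:
    # Constructed test archive from {entry name: bytes}; not a real theme file.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def demo() -> dict:
    dest = tempfile.mkdtemp()  # stands in for the browser's private data directory
    hostile = build_zip({"theme/bg.png": b"png", "../escaped.txt": b"outside"})
    clean = build_zip({"theme/bg.png": b"png", "theme/colors.json": b"{}"})
    return {
        "hostile_rejected": safe_extract(hostile, dest),
        "hostile_partial": os.path.exists(os.path.join(dest, "theme", "bg.png")),
        "clean_applied": safe_extract(clean, dest) == []
                         and os.path.exists(os.path.join(dest, "theme", "colors.json")),
        # the same check guards paths a file-transfer feature receives from a client
        "in_scope": is_within(dest, os.path.join(dest, "theme/bg.png")),
        "traversal": is_within(dest, os.path.join(dest, "../../etc/hosts")),
        "absolute": is_within(dest, os.path.join(dest, "/etc/hosts")),  # join yields /etc/hosts
    }
```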
This article was updated on Aug. 24 to include Dolphin’s response.