CVE-2010-4804
Published 2011-06-09
Priority: P3 34 · medium 4.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
EXPLOIT
EPSS: 26.95% (97.8th percentile)
The Android browser in Android before 2.3.4 allows remote attackers to obtain SD card contents via crafted content:// URIs, related to (1) BrowserActivity.java and (2) BrowserSettings.java in com/android/browser/.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| | android | <= 2.3.3 | — |
| | android | — | — |
| | android | — | — |
| | android | — | — |
| | android | — | — |
| | android | — | — |
| | android | — | — |
| | android | — | — |
Detection & IOCs (extracted from sources)
- Monitor for HTTP responses serving HTML files as attachments (Content-Disposition: attachment) with Content-Type: text/html, which is the delivery mechanism for the malicious payload in Stage 2 of this exploit.
- Detect outbound HTTP POST requests containing Base64-encoded fields named 'filename0'/'data0' (or incrementing indices), which indicate exfiltration of SD card file contents via the exploit's Stage 3 upload.
- The exploit targets Android versions before 2.3.4; flag Android browser User-Agent strings from devices running Android < 2.3.4 accessing suspicious multi-stage redirect URLs.
- The Metasploit auxiliary module android_htmlfileprovider can be used to test for this vulnerability; detect its use in network traffic as part of threat hunting.
- Note: the silent file download (no browser prompt) is a secondary vulnerability distinct from the content:// URI cross-domain issue; both must be present for the full exploit chain to work.
- Note: the exploit uses AJAX (XMLHttpRequest) to read file contents and encodes them as Base64 before exfiltration; detection based solely on file content inspection may miss the exfiltration if traffic is over HTTPS.
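The first two detection items above can be expressed as checks over parsed HTTP transactions. The following is an added example, not code from this page or from the exploit's author; the transaction dictionary layout, the rule names, and the assumption that the upload body is form-urlencoded with both fields Base64-encoded are illustrative, and it only applies to traffic that is visible in cleartext (see the HTTPS note above).

```python
import base64, binascii, re
from urllib.parse import parse_qsl, quote

FIELD_RE = re.compile(r"^(filename|data)(\d+)$")  # filename0/data0, filename1/data1, ...

def is_base64(value):
    """True for a non-empty, strictly valid Base64 string."""
    try:
        # parse_qsl turns an unescaped '+' into a space, so undo that first
        return bool(base64.b64decode(value.replace(" ", "+"), validate=True))
    except (binascii.Error, ValueError):
        return False

def html_attachment(resp_headers):
    """Rule 1: text/html response forced to download via Content-Disposition."""
    h = {k.lower(): v.lower() for k, v in resp_headers.items()}
    return (h.get("content-type", "").startswith("text/html")
            and h.get("content-disposition", "").startswith("attachment"))

def exfil_indices(method, body):
    """Rule 2: indices N where a POST carries Base64 filenameN and dataN."""
    if method.upper() != "POST":
        return []
    seen = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        m = FIELD_RE.match(name)
        if m and is_base64(value):
            seen.setdefault(int(m.group(2)), set()).add(m.group(1))
    return sorted(i for i, kinds in seen.items() if kinds == {"filename", "data"})

def scan(transactions):
    """Return (transaction id, rule name) for every rule that fires."""
    hits = []
    for t in transactions:
        if html_attachment(t["resp_headers"]):
            hits.append((t["id"], "html-served-as-attachment"))
        if exfil_indices(t["method"], t["req_body"]):
            hits.append((t["id"], "base64-filenameN-dataN-post"))
    return hits

def b64(s):
    """URL-quoted Base64 of a string, used to build the constructed samples."""
    return quote(base64.b64encode(s.encode()).decode())

# Constructed sample transactions (cleartext HTTP; not taken from real traffic)
SAMPLE = [
    {"id": 1, "method": "GET", "req_body": "", "resp_headers": {"Content-Type": "text/html; charset=utf-8"}},
    {"id": 2, "method": "GET", "req_body": "", "resp_headers": {"Content-Type": "text/html", "Content-Disposition": "attachment; filename=page.html"}},
    {"id": 3, "method": "POST", "req_body": f"filename0={b64('example.txt')}&data0={b64('constructed body')}", "resp_headers": {}},
    {"id": 4, "method": "POST", "req_body": "filename0=report.txt&data0=hello world", "resp_headers": {}},
]
```

Short ordinary words can also be valid Base64, so requiring both the filenameN and dataN fields at the same index keeps false positives down.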
No detection rules found.
Exploit-DB
Google Android - 'content://' URI Multiple Information Disclosure Vulnerabilities
exploitdb · 2011-11-28 · CVSS 4.3
CVE-2010-4804 [MEDIUM] Google Android - 'content://' URI Multiple Information Disclosure Vulnerabilities
---
```php
Android Data Stealing Web PageClick: Malicious Link";
}
// Stage 1: Redirect to Stage 2 which will force a download of the HTML/JS payload, then a few seconds later redirect
// to the payload. We load the payload using a Content Provider so that the JavaScript is executed in the
// context of the local device - this is the vulnerability.
function stage1($scripturl) {
    echo "";
}
// Stage 2: Download of payload, the Android browser doesn't prompt for the download which is another vulnerability.
// The payload uses AJAX calls to read file contents and encodes as Base64, then uploads to server (Stage 3).
function stage2($scripturl,$filenames) {
    header("Cache-Control: public");
    header("Content-Description:
```
Metasploit
Android Content Provider File Disclosure
metasploit
This module exploits a cross-domain issue within the Android web browser to exfiltrate files from a vulnerable device.
No writeups or analysis indexed.
- http://android.git.kernel.org/?p=platform/frameworks/base.git%3Ba=commit%3Bh=f440831d76817e837164ca18c7705e81d2391f87
- http://android.git.kernel.org/?p=platform/packages/apps/Browser.git%3Ba=commit%3Bh=604a598e1e01bda781600a45e0a971898a582666
- http://thomascannon.net/blog/2010/11/android-data-stealing-vulnerability/
- http://www.csc.ncsu.edu/faculty/jiang/nexuss.html
- http://www.securityfocus.com/bid/48256
- http://www.slashgear.com/android-data-theft-exploit-to-be-plugged-in-gingerbread-video-24116054/
Published: 2011-06-09