CVE-2010-4804
published 2011-06-09


Priority: P334 · medium · 4.3 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
EXPLOIT
EPSS: 26.95% (97.8th percentile)
The Android browser in Android before 2.3.4 allows remote attackers to obtain SD card contents via crafted content:// URIs, related to (1) BrowserActivity.java and (2) BrowserSettings.java in com/android/browser/.

Affected

8 ranges
Vendor | Product | Version range | Fixed in
google | android | <= 2.3.3 |
google | android | |
google | android | |
google | android | |
google | android | |
google | android | |
google | android | |
google | android | |

Detection & IOCs (extracted from sources)

path: com/android/browser/BrowserActivity.java
path: com/android/browser/BrowserSettings.java
  • Monitor for HTTP responses serving HTML files as attachments (Content-Disposition: attachment) with Content-Type: text/html, which is the delivery mechanism for the malicious payload in Stage 2 of this exploit.
  • Detect outbound HTTP POST requests containing Base64-encoded fields named 'filename0'/'data0' (or incrementing indices), which indicate exfiltration of SD card file contents via the exploit's Stage 3 upload.
  • The exploit targets Android versions before 2.3.4; flag Android browser User-Agent strings from devices running Android < 2.3.4 accessing suspicious multi-stage redirect URLs.
  • The Metasploit auxiliary module android_htmlfileprovider can be used to test for this vulnerability; detect its use in network traffic as part of threat hunting.
  • The silent file download (no browser prompt) is a secondary vulnerability distinct from the content:// URI cross-domain issue; both must be present for the full exploit chain to work.
  • The exploit uses AJAX (XMLHttpRequest) to read file contents and encodes them as Base64 before exfiltration; detection based solely on file content inspection may miss the exfiltration if traffic is over HTTPS.
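The first two detection points above, written as checks over already-parsed HTTP traffic. This is an added example, not code from any cited source. The function names, the sample header set and the sample POST body are constructed for illustration, and it assumes the request body is form-urlencoded and visible in cleartext (for example at a TLS-terminating proxy).

```python
import base64
import binascii
import re
from urllib.parse import parse_qs

# Field names from the detection notes: filename0/data0, filename1/data1, ...
FIELD_RE = re.compile(r"^(filename|data)(\d+)$")

def is_base64(value):
    """True if value is a non-empty, strictly valid Base64 string."""
    try:
        return bool(value) and bool(base64.b64decode(value, validate=True))
    except (binascii.Error, ValueError):
        return False

def html_as_attachment(headers):
    """Response check: text/html served with Content-Disposition: attachment."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip()
    return ctype == "text/html" and h.get(
        "content-disposition", "").strip().startswith("attachment")

def exfil_indices(body):
    """Request check: indices N where filenameN and dataN are both Base64."""
    seen = {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        m = FIELD_RE.match(name)
        # A raw '+' in an unescaped Base64 value is decoded as a space by
        # form parsing, so map spaces back before validating.
        if m and all(is_base64(v.replace(" ", "+")) for v in values):
            seen.setdefault(int(m.group(2)), set()).add(m.group(1))
    return sorted(i for i, kinds in seen.items()
                  if kinds == {"filename", "data"})

# Constructed sample traffic (not captured from a real exploit run).
SAMPLE_RESPONSE = {"Content-Type": "text/html; charset=utf-8",
                   "Content-Disposition": 'attachment; filename="page.html"'}
SAMPLE_POST = ("filename0=L3NkY2FyZC9ub3Rlcy50eHQ%3D"
               "&data0=aGVsbG8gd29ybGQ%3D&id=7")

if __name__ == "__main__":
    print("HTML served as attachment:", html_as_attachment(SAMPLE_RESPONSE))
    print("Paired Base64 upload indices:", exfil_indices(SAMPLE_POST))
```

Either check alone will match some legitimate traffic; correlating both against the same client in a short window gives a stronger signal.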