CVE-2011-2357 – Open Handset Alliance Android 2.3.4/3.1 - Browser Sandbox Security Bypass
https://notcve.org/view.php?id=CVE-2011-2357
Cross-application scripting vulnerability in the Browser URL loading functionality in Android 2.3.4 and 3.1 allows local applications to bypass the sandbox and execute arbitrary Javascript in arbitrary domains by (1) causing the MAX_TAB number of tabs to be opened, then loading a URI to the targeted domain into the current tab, or (2) making two startActivity function calls beginning with the targeted domain's URI followed by the malicious Javascript while the UI focus is still associated with the targeted domain. La vulnerabilidad de tipo Cross-application scripting en la funcionalidad de carga de Browser URL en Android versiones 2.3.4 y 3.1, permite que las aplicaciones locales omitan el sandbox y ejecuten JavaScript arbitrario en dominios arbitrarios al (1) causar que un número de pestañas MAX_TAB sean abiertas y luego cargar un URI hacia el dominio de destino en la pestaña actual, o (2) realizar dos llamadas a la función startActivity que comienzan con el URI del dominio de destino seguido del Javascript malicioso mientras que el enfoque de la interfaz de usuario aún está asociado con el dominio de destino. Dolphin Browser HD versions prior to 6.1.0 suffer from a cross applications scripting vulnerability. • https://www.exploit-db.com/exploits/36006 http://android.git.kernel.org/?p=platform/cts.git%3Ba=commit%3Bh=7e48fb87d48d27e65942b53b7918288c8d740e17 http://android.git.kernel.org/?p=platform/packages/apps/Browser.git%3B%20a=commit%3Bh=096bae248453abe83cbb2e5a2c744bd62cdb620b http://android.git.kernel.org/?p=platform/packages/apps/Browser.git%3B%20a=commit%3Bh=afa4ab1e4c1d645e34bd408ce04cadfd2e5dae1e http://blog.watchfire.com/files/advisory-android-browser.pdf http://blog.watchfire.com/wfblog/2011/08/android-browser-cross- • CWE-20: Improper Input Validation •
CVE-2011-2344
https://notcve.org/view.php?id=CVE-2011-2344
Android Picasa in Android 3.0 and 2.x through 2.3.4 uses a cleartext HTTP session when transmitting the authToken obtained from ClientLogin, which allows remote attackers to gain privileges and access private pictures and web albums by sniffing the token from connections with picasaweb.google.com. Android Picasa en Android v3.0 y v2.x hasta v2.3.4 usa sesion HTTP en texto claro cuando se transmite el authToken obtenido de ClientLogin, lo que permite a usuarios remotos ganar privilegios y acceder a imagenes y albumes privados esnifando el token de conexiones con picasaweb.google.com • http://android.git.kernel.org/?p=platform/packages/apps/Gallery3D.git%3Ba=commit%3Bh=7a763db1c15bb6436be85a3f23382e4171970b6e http://android.git.kernel.org/?p=platform/packages/apps/Gallery3D.git%3Ba=commit%3Bh=9a418de454e5ce078c98f41b5c18e3bb9175bd20 http://www.uni-ulm.de/en/in/mi/staff/koenings/catching-authtokens.html • CWE-310: Cryptographic Issues •
CVE-2011-1823 – Android OS Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2011-1823
The vold volume manager daemon on Android 3.0 and 2.x before 2.3.4 trusts messages that are received from a PF_NETLINK socket, which allows local users to execute arbitrary code and gain root privileges via a negative index that bypasses a maximum-only signed integer check in the DirectVolume::handlePartitionAdded method, which triggers memory corruption, as demonstrated by Gingerbreak. El demonio de vold volume manager en Android versión 3.0 y versiones 2.x anterior a 2.3.4, confía en los mensajes que son recibidos desde un socket PF_NETLINK, que permite a los usuarios locales ejecutar código arbitrario y alcanzar privilegios de root por medio de un índice negativo que omite la comprobación de un entero firmado maximum-only en el método DirectVolume::handlePartitionAdded, que activa una corrupción de memoria, como es demostrado por Gingerbreak. The vold volume manager daemon in Android kernel trusts messages from a PF_NETLINK socket, which allows an attacker to execute code and gain root privileges. This vulnerability is associated with GingerBreak and Exploit.AndroidOS.Lotoor. • http://android.git.kernel.org/?p=platform/system/core.git%3Ba=commit%3Bh=b620a0b1c7ae486e979826200e8e441605b0a5d6 http://android.git.kernel.org/?p=platform/system/netd.git%3Ba=commit%3Bh=79b579c92afc08ab12c0a5788d61f2dd2934836f http://android.git.kernel.org/?p=platform/system/vold.git%3Ba=commit%3Bh=c51920c82463b240e2be0430849837d6fdc5352e http://androidcommunity.com/gingerbreak-root-for-gingerbread-app-20110421 http://c-skills.blogspot.com/2011/04/yummy-yummy-gingerbreak.html http://forum.xda-developers.com/showthread.php?t=104 • CWE-190: Integer Overflow or Wraparound •