Full Disclosure mailing list archives
Re: Xamarin for Android <5.1 DLL Hijack Vulnerability
From: Tim <strazz () gmail com>
Date: Tue, 19 May 2015 14:29:27 -0700
Thanks for posting this to FD, these didn't even include it in their release notes; http://developer.xamarin.com/releases/android/xamarin.android_5/xamarin.android_5.1/ Was there a bug reported in bugzilla to link back too? -Tim Strazzere On Tue, May 19, 2015 at 6:49 AM, ValdikSS <iam () valdikss org ru> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Xamarin for Android prior to version 5.1 allows to replace internal DLL
files inside the APK with files on SD card which are not in a secure
storage.
Malicious application without any special permissions could drop
backdoored DLL files into
/storage/sdcard0/Android/data/app_id/files/.__override__/
and the victim application would use files from SD.
Not just the main application library could be hijacked, but also
Xamarin's System.dll and Mono.Android.dll, which are shipped in all Xamarin
for Android
applications.
Developers should rebuild their applications using Xamarin for Android 5.1
or newer in the release mode.
This vulnerability was found by accident, which allowed me to eat for free
for a month.
Timeline:
03.04.2015 Vulnerability is found
07.04.2015 Message sent to Xamarin
08.04.2015 Xamarin acknowledged the vulnerability
29.04.2015 Fixed stable version released
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: https://keybase.io/valdikss
iQIcBAEBCAAGBQJVWz98AAoJEFzXIC7viPdyP3wP/3Vxrc0hHZATTfkCVq688sJa
/NI2Z7cdRf3cpHSLCciWbtcNK82uE6qmHisFwUQGA5xvljhrkAXLPa2xG3wShmXq
G5ID3WexMWgTfLqYwOi/4fq1jpfeEg5vpDFAhj0JuWAvZg1zOwFBQ7UdT6G/eu1C
+Dgmk1qpvLcPkKOrh2i4xwqkDfqNfADfK7ekjeqMZe70tC95eHLeRWzVEmi+hCC3
zLwnuprHOEQ/CGeKiQJzePExARFyIfS/kuV+YPdw14gmEOwKAfFymuaxYqULqaxS
H6RdUJp2SZT5cf0RSlA7zqPhX8fqnkiBiCpd8BstoANl+dFvnggVks6PWovBm8aW
huYqscwDZ0pGG8kV5lPO/9fE2P/1nm9B1h9tOcycD8gpM7inbDy6WoETwO0KZOlx
qsetTdYt4PA5V6Wn6wks4R9iPZy7bFlqzrGWLWFY9FYV7a0cZoDi7eY8bNhxFj/T
g3M1ruIIRVxriyFjcfmq2nWw0rMFhiaDdb/GuQEmtN8b2CQRQmiBrvP1uC2zkOhW
ijdYsN7SMjvLTch3n6TU3ycibB0uEp03Jgm2+wRzZj5VQXUHR7BFzhh74UeeAriT
K7EialPddQzxPFS0ufTGQ1JFfjJP3bgZFLDwbJVt/WLwsgQpLmXcTjHub56lr87y
xQmqbzDDykOJ92uZEJ4X
=vW6d
-----END PGP SIGNATURE-----
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Xamarin for Android <5.1 DLL Hijack Vulnerability ValdikSS (May 19)
- Re: Xamarin for Android <5.1 DLL Hijack Vulnerability Tim (May 19)
- Re: Xamarin for Android <5.1 DLL Hijack Vulnerability ValdikSS (May 19)
- Re: Xamarin for Android <5.1 DLL Hijack Vulnerability Tim (May 19)
- Re: Xamarin for Android <5.1 DLL Hijack Vulnerability ValdikSS (May 19)
- Re: Xamarin for Android <5.1 DLL Hijack Vulnerability ValdikSS (May 19)
- Re: Xamarin for Android <5.1 DLL Hijack Vulnerability Tim (May 19)