Re: Xamarin for Android <5.1 DLL Hijack Vulnerability

[ValdikSS <iam () valdikss org ru>]

They don't have public bugtracker. Case ID is 140518.

On 05/20/2015 12:29 AM, Tim wrote:
> Thanks for posting this to FD, these didn't even include it in their release notes;
>
> http://developer.xamarin.com/releases/android/xamarin.android_5/xamarin.android_5.1/
>
> Was there a bug reported in bugzilla to link back too?
>
> -Tim Strazzere
>
> On Tue, May 19, 2015 at 6:49 AM, ValdikSS <iam () valdikss org ru <mailto:iam () valdikss org ru>> wrote:
>
>
> Xamarin for Android prior to version 5.1 allows to replace internal DLL files inside the APK with files on SD card 
> which are not in a secure storage.
> Malicious application without any special permissions could drop backdoored DLL files into
>
> /storage/sdcard0/Android/data/app_id/files/.__override__/
>
> and the victim application would use files from SD.
> Not just the main application library could be hijacked, but also Xamarin's System.dll and Mono.Android.dll, which 
> are shipped in all Xamarin for Android
> applications.
>
> Developers should rebuild their applications using Xamarin for Android 5.1 or newer in the release mode.
>
> This vulnerability was found by accident, which allowed me to eat for free for a month.
>
> Timeline:
>     03.04.2015 Vulnerability is found
>     07.04.2015 Message sent to Xamarin
>     08.04.2015 Xamarin acknowledged the vulnerability
>     29.04.2015 Fixed stable version released
>
>
>
>     _______________________________________________
>     Sent through the Full Disclosure mailing list
>     https://nmap.org/mailman/listinfo/fulldisclosure
>     Web Archives & RSS: http://seclists.org/fulldisclosure/

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/