Author Archives: nb

Microcorruption Write-ups (1 – 10)

By | October 2, 2018

When the Microcorruption game first came out I beat the first sixteen levels and then I got stumped on the alphanumeric MSP430 shellcode level (damn MSP430 instructions). I started to go through the game again to beat more levels and take notes to reenforce my own knowledge of the subject. I suggest everyone check out… Read More »

Dialogic PowerMedia XMS Multiple Vulnerabilities

By | June 24, 2018

I disclosed multiple vulnerabilities to Dialogic in their PowerMedia XMS product (version 3.4), which is a “highly scalable, software-only media server that enables standards-based, real- time multimedia communications solutions for IMS, MRF, Enterprise, and WebRTC applications on premise or in the cloud.” CVE-2018-11634 – Plaintext storage of passwords in a SQLite database. CVE-2018-11635 – Use… Read More »

Maxthon Browser Arbitrary File Write, Login Page UXSS, and SQL Injection

By | November 10, 2016

Maxthon Browser is another popular Android browser that is used instead of the stock browser. I have identified a number of interesting, and severe, vulnerabilities in the Android version of the browser that could result in remote code execution and information leakage. Exposed JavaScript Interface allows for arbitrary file writes – A malicious webpage can… Read More »

React Native Development Server Remote OS Command Injection and Remote File Disclosure

By | May 12, 2016

React Native is another cross-platform mobile development framework created by Facebook that developers can use to develop mobile applications on the Android and iOS platforms using JavaScript. From an architectural standpoint the framework is closer to Titanium or Kony than Cordova given that the mobile application uses JavaScriptCore as a standalone JS engine to execute… Read More »

Android Anti-Hooking Techniques in Java

By | December 23, 2015

A recent internal thread about detecting hooking frameworks in native code (C/C++) got me thinking about the different ways that a Java Android application can detect the presence of either Cydia Substrate or the Xposed framework. Disclaimer: All of these anti-hooking techniques are easy to bypass by any experienced reverse engineer. I’m just exploring how… Read More »

Puffin Browser RCE and Remote File Disclosure

By | December 8, 2015

As part of my research into the Intent.parseUri function, I identified that the Android version of the Puffin Browser was vulnerable to remote code execution, on 4.4.3 devices and below, and remote file disclosure, on any device, due to a number of factors including improper intent URI scheme parsing.

Abusing UIWebView baseURL settings in the Cordova ChildBrowser Plug-in

By | April 3, 2015

The ChildBrowser plug-in is a popular third-party plug-in that allows displaying untrusted external websites within a Cordova-based application. It is very similar to the core InAppBrowser plug-in, which is the plug-in that Apache currently recommends using, since they both create a separate WebView instance that does not expose native mobile APIs to the untrusted HTML/JavaScript.… Read More »

Cordova LaunchMyApp Plug-in Remote JavaScript Injection

By | December 17, 2014

The Cordova mobile application development framework does not support launching a mobile application via a custom URI scheme, such as someurischeme://pathhere/?param=somedata, out of the box on all of its supported platforms, which is somewhat surprising for a cross-platform mobile framework. Notably missing is support for custom URI schemes in the Android version of the framework,… Read More »