Full Disclosure mailing list archives
Re: Xamarin for Android <5.1 DLL Hijack Vulnerability
From: Tim <strazz () gmail com>
Date: Tue, 19 May 2015 14:38:32 -0700
Isn't this the public bug tracker? https://bugzilla.xamarin.com/describecomponents.cgi?product=Android Though, correct that case id doesn't map to anything there. -Tim Strazzere On Tue, May 19, 2015 at 2:32 PM, ValdikSS <iam () valdikss org ru> wrote:
They don't have public bugtracker. Case ID is 140518. On 05/20/2015 12:29 AM, Tim wrote:Thanks for posting this to FD, these didn't even include it in theirrelease notes;http://developer.xamarin.com/releases/android/xamarin.android_5/xamarin.android_5.1/Was there a bug reported in bugzilla to link back too? -Tim Strazzere On Tue, May 19, 2015 at 6:49 AM, ValdikSS <iam () valdikss org ru<mailto:iam () valdikss org ru> <iam () valdikss org ru>> wrote:Xamarin for Android prior to version 5.1 allows to replace internal DLL files inside the APK with files on SD card which are not in a secure storage. Malicious application without any special permissions could drop backdoored DLL files into /storage/sdcard0/Android/data/app_id/files/.__override__/ and the victim application would use files from SD. Not just the main application library could be hijacked, but also Xamarin's System.dll and Mono.Android.dll, which are shipped in all Xamarin for Android applications. Developers should rebuild their applications using Xamarin for Android 5.1 or newer in the release mode. This vulnerability was found by accident, which allowed me to eat for free for a month. Timeline: 03.04.2015 Vulnerability is found 07.04.2015 Message sent to Xamarin 08.04.2015 Xamarin acknowledged the vulnerability 29.04.2015 Fixed stable version released >_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Xamarin for Android <5.1 DLL Hijack Vulnerability ValdikSS (May 19)
- Re: Xamarin for Android <5.1 DLL Hijack Vulnerability Tim (May 19)
- Re: Xamarin for Android <5.1 DLL Hijack Vulnerability ValdikSS (May 19)
- Re: Xamarin for Android <5.1 DLL Hijack Vulnerability Tim (May 19)
- Re: Xamarin for Android <5.1 DLL Hijack Vulnerability ValdikSS (May 19)
- Re: Xamarin for Android <5.1 DLL Hijack Vulnerability ValdikSS (May 19)
- Re: Xamarin for Android <5.1 DLL Hijack Vulnerability Tim (May 19)