Body Background
TrendAI™ Zero Day Initiative™ Logo

(Mobile Pwn2Own) Amazon App Store JavaScript Bridge Remote Code Execution Vulnerability

April 29th, 2015
ZDI-15-159 ZDI-CAN-2632

CVE ID

CVSS Score

6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P

Affected Vendors

Amazon

Affected Products

App Store

Vulnerability Details


This vulnerability allows remote attackers to execute arbitrary code on Amazon Fire Phone. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the methods that were exposed to the WebView. The IntentBridge class wraps IPC functions that allows an attacker to download and install a malicious application. A remote attacker can abuse this achieve remote code execution under the context of the process.

Additional Details


There was not an advisory posted and no patch required, the issue was fixed server side.


Disclosure Timeline

  • 2014-11-12 - Vulnerability reported to vendor
  • 2015-04-29 - Coordinated public release of advisory

Credit

MWR Labs

Back to Advisories

Hero Background

Stand at the front line of proactive security

Trend ZDI connects the experts who discover, remediate, and defend.
Add your voice to the work that pushes attackers back.

RESEARCHERS

Submit a vulnerability

VENDORS

Learn how it works

ORGANIZATIONS

See how you're protected