*# Disclosure Date:* 08/03/2014
*# Author: *Keith Makan
*# Version:* 3.2.2
*# Tested on:*Android 4.2.2 (Emulator)
*# Tools :* Drozer, Bash


*Description*ExSoul Browser version 3.2.2 suffers from a arbitrary remote
code execution vulnerability stemming from the insecure use of the
addJavascriptInterface
functionality in Androids WebView's.


*Impact*
Attackers are capable of executing arbitrary code within the context of the
affected application through forced browsing attacks to a domain hosting
malicious JavaScript or by loading up an HTML file containing malicious
JavaScript (as demonstrated in the PoC).
Currently, an estimated 100,000 - 500,000 installs are affected.
PoC

   - http://i.imgur.com/I9Buh9a.png

Timeline:

   1. Original Disclosure (09/03/2014)
   2. (No contact from vendor) (09/03/2014 - 13/03/2014)
   3. Update released (14/03/2014)
   4. Public Disclosure (17/03/2014)

-- 
<Keith k3170makan <http://about.me/k3170makan> Makan/>