PT-2012-23: SQL Injection in Dr.Web Anti-virus
Vulnerable software
Dr.Web Anti-virus
Version: 7.00.0 and earlier
Application link:
https://play.google.com/store/apps/details?id=com.drweb.pro
Severity level
Severity level: Medium
Impact: SQL Injection
Access Vector: Local
CVSS v2:
Base Score: 6.6
Vector: (AV:L/AC:L/Au:N/C:C/I:N/A:C)
CVE: not assigned
Software description
Dr.Web Anti-virus is antivirus software for the Android platform.
Vulnerability description
Specialists at the Positive Research center have detected an SQL injection vulnerability in the Dr.Web Anti-virus application.
The vulnerability was detected in the com.drweb.activities.antispam.CursorActivity class of the Dr.Web Anti-virus application for the Android platform. An attacker can obtain the history of calls or SMS messages via third-party applications installed on the system.
How to fix
Update your software to the latest version.
Advisory status
11.07.2012 - Vendor is notified
11.07.2012 - Vendor gets vulnerability details
13.07.2012 - Vendor releases fixed version and details
17.07.2012 - Public disclosure
Credits
The vulnerability was discovered by Artem Chaykin, Positive Research Center (Positive Technologies Company)
References
http://en.securitylab.ru/lab/PT-2012-23
http://news.drweb.com/show/?c=5&i=2573&lng=en
Reports on the vulnerabilities previously discovered by Positive Research:
http://ptsecurity.com/research/advisory/
http://en.securitylab.ru/lab/