Skip to content

Instantly share code, notes, and snippets.

@NSnidie
Created September 19, 2023 05:46
Show Gist options
  • Save NSnidie/2af70d58426c4563b2f11171379fdd8c to your computer and use it in GitHub Desktop.
Save NSnidie/2af70d58426c4563b2f11171379fdd8c to your computer and use it in GitHub Desktop.
CVE-2023-40930
[CVE ID]
CVE-2023-40930
[PRODUCT]
skyworth_3.0 OS
[kERNEL VERSION]
android11-2-g80d76e2fee26-dirty
[PROBLEM TYPE]
Directory Traversal
[DESCRIPTION]
Skywoth_3.0 OS has the same question as CVE-2018-9445 , attacker can use a special Udisk to attack devices which use this OS
[REPETITION ENVIROMENT]
https://github.com/NSnidie/CVE-2023-40930
@NSnidie
Copy link
Author

NSnidie commented Sep 19, 2023

[ISSUE DETAILS]
The issue comes from "/system/bin/blkid"
Use the tool "checksec" to know it's arch:
JlmIAWqzx_K60QDRtnkPpbs9yjH8Y03pr4yYWB2Bz1Q
And we can use ida to reverse this elf:
UY_sYcSUr4XkXajyFX1aJ7tan747Pbx0AzpdkUiVJl0
The picture above shows the issue in function "print_tags", the "strncmp" returns 0 if the string is "LABEL" , so if the field is "LABEL=xxxxx", it will fputs any char in xxxxx to stdout whitout igonring the '"' . So if we replace the string ' UUID =../a"' as xxxxx , it will make the final blkid out string LABEL=" UUID="../a":
Xw2ilSjrYUe2I1Db043lOtKSmvMPwQRwx1mcPOZHqTg
Then if we plug this Udisk into USB,it will cause Directory Traversal:
sdDYt4jVYmsbWx-N1Rsy4DioEoURudyZw91IvcdA2OM
Nomally the Udisk would be mounted to /mnt/usb/ , but this time it is mounted to /mnt/ causing the Directory Traversal

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment