Created
September 19, 2023 05:46
-
-
Save NSnidie/2af70d58426c4563b2f11171379fdd8c to your computer and use it in GitHub Desktop.
CVE-2023-40930
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [CVE ID] | |
| CVE-2023-40930 | |
| [PRODUCT] | |
| skyworth_3.0 OS | |
| [kERNEL VERSION] | |
| android11-2-g80d76e2fee26-dirty | |
| [PROBLEM TYPE] | |
| Directory Traversal | |
| [DESCRIPTION] | |
| Skywoth_3.0 OS has the same question as CVE-2018-9445 , attacker can use a special Udisk to attack devices which use this OS | |
| [REPETITION ENVIROMENT] | |
| https://github.com/NSnidie/CVE-2023-40930 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
[ISSUE DETAILS]
The issue comes from "/system/bin/blkid"
Use the tool "checksec" to know it's arch:
And we can use ida to reverse this elf:
The picture above shows the issue in function "print_tags", the "strncmp" returns 0 if the string is "LABEL" , so if the field is "LABEL=xxxxx", it will fputs any char in xxxxx to stdout whitout igonring the '"' . So if we replace the string ' UUID =../a"' as xxxxx , it will make the final blkid out string LABEL=" UUID="../a":
Then if we plug this Udisk into USB,it will cause Directory Traversal:
Nomally the Udisk would be mounted to /mnt/usb/ , but this time it is mounted to /mnt/ causing the Directory Traversal