Instantly share code, notes, and snippets.

Embed
What would you like to do?
CVE-2018-10988
CVE-2018-10988
[Suggested description]
An issue was discovered on Diqee360 devices (http://diqee.com).
A firmware update process, integrated into the firmware, starts at boot and tries to find the update folder on the microSD card.
It executes code, without a digital signature, as root from the
/mnt/sdcard/$PRO_NAME/upgrade.sh or /sdcard/upgrage_360/upgrade.sh pathname.
------------------------------------------
[Additional Information]
if [ -d "/mnt/sdcard/$PRO_NAME" ]; then echo "/mnt/sdcard/$PRO_NAME
is exist..."
cd /mnt/sdcard
chmod 777 /mnt/nand1-2/$PRO_NAME/ -R
/mnt/sdcard/$PRO_NAME/upgrade.sh fi
------------------------------------------
[VulnerabilityType Other]
Insecure update process
------------------------------------------
[Vendor of Product]
Dongguan Diqee intelligent Co., Ltd.
------------------------------------------
[Affected Product Code Base]
Diqee360 - any
------------------------------------------
[Affected Component]
Update firmware without signification cause root access.
------------------------------------------
[Attack Type]
Local
------------------------------------------
[CVE Impact Other]
Insecure unsigned firmware update
------------------------------------------
[Attack Vectors]
Update process starts at boot and try to find update folder at
micro-sd card.So when boot up , diqee run as root user
/sdcard/upgrage_360/upgrade.sh without any sign code check.
Researchers put script to sd card into folder upgrage_360, insert sd
card to vacuum and restart it.
------------------------------------------
[Reference]
https://facebook.com/neolead
http://ptsecurity.com/
------------------------------------------
[Discoverer]
Leonid Krolle(Positive Technologies), George Zaytsev(Positive Technologies)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment