Created December 21, 2020 17:48
[Suggested description]
A command injection issue in dji_sys in DJI Mavic 2 Remote Controller before firmware version 01.00.0510 allows for code execution via a malicious firmware upgrade packet.
------------------------------------------
[VulnerabilityType Other]
Command injection
------------------------------------------
[Vendor of Product]
DJI
------------------------------------------
[Affected Product Code Base]
DJI Mavic 2 Remote Controller - Firmware versions before 01.00.0510 (01.00.0100, 01.00.0200, 01.00.0300, 01.00.0400)
------------------------------------------
[Affected Component]
Affected executable: dji_sys
------------------------------------------
[Attack Type]
Local
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Attack Vectors]
Malicious firmware upgrade packet sent via USB
------------------------------------------
[Reference]
http://hacktheplanet.nu/djihax.pdf
http://kth.diva-portal.org/smash/get/diva2:1463784/FULLTEXT01.pdf
https://www.dji.com/mavic-2
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Viktor Edstroem