Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
[Suggested description]
A command injection issue in
dji_sys in DJI Mavic 2 Remote Controller before firmware version 01.00.0510 allows for code execution via a malicious firmware upgrade packet.
------------------------------------------
[VulnerabilityType Other]
Command injection
------------------------------------------
[Vendor of Product]
DJI
------------------------------------------
[Affected Product Code Base]
DJI Mavic 2 Remote Controller - Firmware versions before 01.00.0510 (01.00.0100, 01.00.0200, 01.00.0300, 01.00.0400)
------------------------------------------
[Affected Component]
Affected executable: dji_sys
------------------------------------------
[Attack Type]
Local
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Attack Vectors]
Malicious firmware upgrade packet sent via USB
------------------------------------------
[Reference]
http://hacktheplanet.nu/djihax.pdf
http://kth.diva-portal.org/smash/get/diva2:1463784/FULLTEXT01.pdf
https://www.dji.com/mavic-2
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Viktor Edstroem
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment