{"id": "CVE-2018-14996", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.2, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2019-04-25T20:29:01.163", "references": [{"url": "https://www.kryptowire.com", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.kryptowire.com/portal/android-firmware-defcon-2018/", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.kryptowire.com/portal/wp-content/uploads/2018/12/DEFCON-26-Johnson-and-Stavrou-Vulnerable-Out-of-the-Box-An-Eval-of-Android-Carrier-Devices-WP-Updated.pdf", "tags": ["Technical Description", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.kryptowire.com", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.kryptowire.com/portal/android-firmware-defcon-2018/", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": 
"https://www.kryptowire.com/portal/wp-content/uploads/2018/12/DEFCON-26-Johnson-and-Stavrou-Vulnerable-Out-of-the-Box-An-Eval-of-Android-Carrier-Devices-WP-Updated.pdf", "tags": ["Technical Description", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "The Oppo F5 Android device with a build fingerprint of OPPO/CPH1723/CPH1723:7.1.1/N6F26Q/1513597833:user/release-keys contains a pre-installed platform app with a package name of com.dropboxchmod (versionCode=1, versionName=1.0) that contains an exported service named com.dropboxchmod.DropboxChmodService that allows any app co-located on the device to supply arbitrary commands to be executed as the system user. This app cannot be disabled by the user and the attack can be performed by a zero-permission app. Executing commands as system user can allow a third-party app to video record the user's screen, factory reset the device, obtain the user's notifications, read the logcat logs, inject events in the Graphical User Interface (GUI), and obtains the user's text messages, and more. This vulnerability can also be used to secretly record audio of the user without their awareness on the Oppo F5 device. The pre-installed com.oppo.engineermode app (versionCode=25, versionName=V1.01) has an exported activity that can be started to initiate a recording and quickly dismissed. The activity can be started in a way that the user will not be able to see the app in the recent apps list. The resulting audio amr file can be copied from a location on internal storage using the arbitrary command execution as system user vulnerability. 
Executing commands as system user can allow a third-party app to factory reset the device, obtain the user's notifications, read the logcat logs, inject events in the Graphical User Interface (GUI), change the default Input Method Editor (IME) (e.g., keyboard) with one contained within the attacking app that contains keylogging functionality, obtain the user's text messages, and more."}, {"lang": "es", "value": "El dispositivo Android Oppo F5 con una huella digital de compilaci\u00f3n OPPO/CPH1723/CPH1723:7.1.1/N6F26Q/1513597833:user/release-keys alberga una aplicaci\u00f3n de plataforma preinstalada con el nombre del paquete com.dropboxchmod (versionCode=1, versionName=1.0) que contiene un servicio exportado llamado com.dropboxchmod.DropboxChmodService que permite que cualquier aplicaci\u00f3n dentro del dispositivo proporcione comandos arbitrarios para ser ejecutados como usuario del sistema. Esta aplicaci\u00f3n no puede ser desactivada por el usuario y el ataque puede ser ejecutado por una aplicaci\u00f3n de cero permisos. La ejecuci\u00f3n de comandos como usuario del sistema puede permitir que una aplicaci\u00f3n de terceros grabe en video la pantalla del usuario, restaure el dispositivo de f\u00e1brica, consiga las notificaciones del usuario, lea los registros de logcat, inyecte eventos en la Interfaz Gr\u00e1fica de Usuario (GUI) y obtenga los mensajes de texto de usuario, y m\u00e1s. Esta vulnerabilidad tambi\u00e9n puede ser usada para grabar en secreto el audio del usuario sin conocerlo en el dispositivo Oppo F5. La aplicaci\u00f3n com.oppo.engineermode preinstalada (versionCode = 25, versionName=V1.01) tiene una actividad exportada que puede ser activada para iniciar una grabaci\u00f3n y descartarse r\u00e1pidamente. La actividad puede ser iniciada de manera que el usuario no pueda ver la aplicaci\u00f3n en la lista de aplicaciones recientes. 
El archivo amr de audio resultante puede ser copiado desde una ubicaci\u00f3n en el almacenamiento interno usando la ejecuci\u00f3n de comandos arbitrarios como vulnerabilidad del usuario del sistema. La ejecuci\u00f3n de comandos como usuario del sistema puede permitir que una aplicaci\u00f3n de terceros restablezca el dispositivo de f\u00e1brica, consiga las notificaciones del usuario, lea los registros de Logcat, inyecte eventos en la Interfaz gr\u00e1fica de usuario (GUI), cambie el Editor de m\u00e9todos de entrada (IME) por defecto (por ejemplo, teclado) con un contenido dentro de la aplicaci\u00f3n atacante que comprende la funcionalidad de registro de teclas, conseguir los mensajes de texto del usuario y m\u00e1s."}], "lastModified": "2024-11-21T03:50:17.897", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:oppo:f5_firmware:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "049CDFA0-F974-47F1-9525-197797E13A98"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:oppo:f5:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "DC9481C5-A24D-42EE-BD59-BFC781912324"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}