CVE-2018-15006

The ZTE ZMAX Champ Android device with a build fingerprint of ZTE/Z917VL/fortune:6.0.1/MMB29M/20170327.120922:user/release-keys contains a pre-installed platform app with a package name of com.android.zte.hiddenmenu (versionCode=23, versionName=6.0.1) that contains an exported broadcast receiver app component named com.android.zte.hiddenmenu.CommandReceiver that is accessible to any app co-located on the device. This app component, when it receives a broadcast intent with a certain action string, will write a non-standard (i.e., not defined in Android Open Source Project (AOSP) code) command to the /cache/recovery/command file to be executed in recovery mode. Once the device boots into recovery mode, it will crash, boot into recovery mode, and crash again. This crash loop will keep repeating, which makes the device unusable. There is no way to boot into an alternate mode once the crash loop starts.

CVSS v3 5.5 MEDIUM
CVSS v2.0 4.9 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector : AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

4.9^/10

CVSS v2.0 : MEDIUM

Vector : AV:L/AC:L/Au:N/C:N/I:N/A:C

Exploitability : 3.9 / Impact : 6.9

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact COMPLETE

References

Link	Resource
http://www.securityfocus.com/bid/106361	Third Party Advisory VDB Entry
https://www.kryptowire.com/portal/android-firmware-defcon-2018/	Third Party Advisory
https://www.kryptowire.com/portal/wp-content/uploads/2018/12/DEFCON-26-Johnson-and-Stavrou-Vulnerable-Out-of-the-Box-An-Eval-of-Android-Carrier-Devices-WP-Updated.pdf	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:zteusa:zte_zmax_champ_firmware:6.0.1:*:*:*:*:*:*:*

cpe:2.3:h:zteusa:zte_zmax_champ:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2018-12-28 21:29

Updated : 2024-02-04 20:03

NVD link : CVE-2018-15006

Mitre link : CVE-2018-15006

CVE.ORG link : CVE-2018-15006

JSON object : View

Products Affected

zteusa

zte_zmax_champ_firmware
zte_zmax_champ

CWE

NVD-CWE-noinfo

{"id": "CVE-2018-15006", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.9, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 6.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2018-12-28T21:29:00.997", "references": [{"url": "http://www.securityfocus.com/bid/106361", "tags": ["Third Party Advisory", "VDB Entry"], "source": "cve@mitre.org"}, {"url": "https://www.kryptowire.com/portal/android-firmware-defcon-2018/", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.kryptowire.com/portal/wp-content/uploads/2018/12/DEFCON-26-Johnson-and-Stavrou-Vulnerable-Out-of-the-Box-An-Eval-of-Android-Carrier-Devices-WP-Updated.pdf", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "The ZTE ZMAX Champ Android device with a build fingerprint of ZTE/Z917VL/fortune:6.0.1/MMB29M/20170327.120922:user/release-keys contains a pre-installed platform app with a package name of com.android.zte.hiddenmenu (versionCode=23, versionName=6.0.1) that contains an exported broadcast receiver app component named com.android.zte.hiddenmenu.CommandReceiver that is accessible to any app co-located on the device. This app component, when it receives a broadcast intent with a certain action string, will write a non-standard (i.e., not defined in Android Open Source Project (AOSP) code) command to the /cache/recovery/command file to be executed in recovery mode. Once the device boots into recovery mode, it will crash, boot into recovery mode, and crash again. This crash loop will keep repeating, which makes the device unusable. There is no way to boot into an alternate mode once the crash loop starts."}, {"lang": "es", "value": "El dispositivo Android ZTE ZMAX Champ con una huella digital ZTE/Z917VL/fortune:6.0.1/MMB29M/20170327.120922:user/release-keys contiene una aplicaci\u00f3n preinstalada, cuyo paquete se denomina com.android.zte.hiddenmenu (versionCode=23, versionName=6.0.1) con un componente de app de recibidor de transmisiones exportado llamado com.android.zte.hiddenmenu.CommandReceiver que es accesible a cualquier app que tambi\u00e9n est\u00e9 en el dispositivo. Este componente de la app, cuando recibe un intent de transmisi\u00f3n con cierta cadena de acci\u00f3n, escribir\u00e1 un comando no est\u00e1ndar (esto es, no definido en el c\u00f3digo AOSP o Android Open Source Project) en el archivo /cache/recovery/command para que sea ejecutado en modo recovery. Una vez el dispositivo arranca en modo recovery, se cerrar\u00e1 inesperadamente, arrancar\u00e1 en modo recovery y se cerrar\u00e1 inesperadamente de nuevo. Este bucle de cierres inesperados seguir\u00e1 repiti\u00e9ndose, lo que hace que el dispositivo no pueda ser empleado. No hay forma de arrancar en un modo alternativo una vez comienza este bucle de cierres inesperados."}], "lastModified": "2019-10-03T00:03:26.223", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:zteusa:zte_zmax_champ_firmware:6.0.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DBBE643B-2BF0-448E-9CC4-1BC4A58616DC"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:zteusa:zte_zmax_champ:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "B5FDC7E6-BFEA-425F-8FD8-85075553412D"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}