CVE-2018-16618

VTech Storio Max before 56.D3JM6 allows remote command execution via shell metacharacters in an Android activity name. It exposes the storeintenttranslate.x service on port 1668 listening for requests on localhost. Requests submitted to this service are checked for a string of random characters followed by the name of an Android activity to start. Activities are started by inserting their name into a string that is executed in a shell command. By inserting metacharacters this can be exploited to run arbitrary commands as root. The requests also match those of the HTTP protocol and can be triggered on any web page rendered on the device by requesting resources stored at an http://127.0.0.1:1668/ URI, as demonstrated by the http://127.0.0.1:1668/dacdb70556479813fab2d92896596eef?';{ping,example.org}' URL.

CVSS v3 9.8 CRITICAL
CVSS v2.0 10.0 HIGH

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

10.0^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:C/I:C/A:C

Exploitability : 10.0 / Impact : 10.0

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
https://www.surecloud.com/sc-blog/vtech	Exploit Third Party Advisory
https://www.vtech.com/en/our-businesses/product-support/	Vendor Advisory
https://www.surecloud.com/sc-blog/vtech	Exploit Third Party Advisory
https://www.vtech.com/en/our-businesses/product-support/	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:vtech:storio_max_firmware:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:vtech:80-183803:-:::::::*
	cpe:2.3:h:vtech:80-183804:-:::::::*
	cpe:2.3:h:vtech:80-183805:-:::::::*
	cpe:2.3:h:vtech:80-183807:-:::::::*
	cpe:2.3:h:vtech:80-183822:-:::::::*
	cpe:2.3:h:vtech:80-183823:-:::::::*
	cpe:2.3:h:vtech:80-183824:-:::::::*
	cpe:2.3:h:vtech:80-1838xx:-:::::::*

History

21 Nov 2024, 03:53

Type	Values Removed	Values Added
References	~~() https://www.surecloud.com/sc-blog/vtech - Exploit, Third Party Advisory~~	() https://www.surecloud.com/sc-blog/vtech - Exploit, Third Party Advisory
References	~~() https://www.vtech.com/en/our-businesses/product-support/ - Vendor Advisory~~	() https://www.vtech.com/en/our-businesses/product-support/ - Vendor Advisory

Information

Published : 2019-06-19 18:15

Updated : 2024-11-21 03:53

NVD link : CVE-2018-16618

Mitre link : CVE-2018-16618

CVE.ORG link : CVE-2018-16618

JSON object : View

Products Affected

vtech

80-183822
storio_max_firmware
80-183807
80-183805
80-183824
80-183823
80-183804
80-1838xx
80-183803

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2018-16618", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 10.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2019-06-19T18:15:10.853", "references": [{"url": "https://www.surecloud.com/sc-blog/vtech", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.vtech.com/en/our-businesses/product-support/", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.surecloud.com/sc-blog/vtech", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.vtech.com/en/our-businesses/product-support/", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "VTech Storio Max before 56.D3JM6 allows remote command execution via shell metacharacters in an Android activity name. It exposes the storeintenttranslate.x service on port 1668 listening for requests on localhost. Requests submitted to this service are checked for a string of random characters followed by the name of an Android activity to start. Activities are started by inserting their name into a string that is executed in a shell command. By inserting metacharacters this can be exploited to run arbitrary commands as root. The requests also match those of the HTTP protocol and can be triggered on any web page rendered on the device by requesting resources stored at an http://127.0.0.1:1668/ URI, as demonstrated by the http://127.0.0.1:1668/dacdb70556479813fab2d92896596eef?';{ping,example.org}' URL."}, {"lang": "es", "value": "VTech Storio Max antes de 56.D3JM6 permite la ejecuci\u00f3n remota de comandos a trav\u00e9s de metacaracteres de shell en un nombre de actividad de Android. Expone el servicio storeintenttranslate.x en el puerto 1668 que escucha las solicitudes en localhost. Las solicitudes enviadas a este servicio se verifican para una serie de caracteres aleatorios seguidos por el nombre de una actividad de Android para comenzar. Las actividades se inician insertando su nombre en una cadena que se ejecuta en un comando de shell. Al insertar metacaracteres, esto puede ser explotado para ejecutar comandos arbitrarios como root. Las solicitudes tambi\u00e9n coinciden con las del protocolo HTTP y pueden activarse en cualquier p\u00e1gina web representada en el dispositivo solicitando recursos almacenados en una URI http://127.0.0.1:1668/, como lo demuestra la http://127.0.0.1 : 1668 / dacdb70556479813fab2d92896596eef? '; {Ping, example.org}' URL"}], "lastModified": "2024-11-21T03:53:03.673", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:vtech:storio_max_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "28FC9573-A2E3-4543-9156-8B6242059FDA", "versionEndExcluding": "56.d3jm6"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:vtech:80-183803:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "043A6115-1C5F-43A8-B93D-19483A3199A7"}, {"criteria": "cpe:2.3:h:vtech:80-183804:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "03405DE1-B859-4261-BD75-E3387583E814"}, {"criteria": "cpe:2.3:h:vtech:80-183805:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "920C0E4F-D0CC-42CC-AC41-652080E8837C"}, {"criteria": "cpe:2.3:h:vtech:80-183807:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "F6A0D5C0-34B9-4621-BBC9-49E40CF772BE"}, {"criteria": "cpe:2.3:h:vtech:80-183822:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "6795FA5E-0304-413C-ABD0-3629A81B695D"}, {"criteria": "cpe:2.3:h:vtech:80-183823:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "74036CF5-80E2-46E5-9082-AD6126A47CAD"}, {"criteria": "cpe:2.3:h:vtech:80-183824:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "B96E2A61-E954-4572-B5A1-C4D68DDC9D71"}, {"criteria": "cpe:2.3:h:vtech:80-1838xx:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "099E1B36-3767-4982-B894-4A6055147235"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}

9.8 /10