mirror of
https://github.com/fkie-cad/nvd-json-data-feeds.git
synced 2025-05-28 17:21:36 +00:00
276 lines
11 KiB
JSON
276 lines
11 KiB
JSON
{
|
|
"id": "CVE-2021-41848",
|
|
"sourceIdentifier": "cve@mitre.org",
|
|
"published": "2022-03-11T23:15:08.840",
|
|
"lastModified": "2024-11-21T06:26:53.853",
|
|
"vulnStatus": "Modified",
|
|
"cveTags": [],
|
|
"descriptions": [
|
|
{
|
|
"lang": "en",
|
|
"value": "An issue was discovered in Luna Simo PPR1.180610.011/202001031830. It mishandles software updates such that local third-party apps can provide a spoofed software update file that contains an arbitrary shell script and arbitrary ARM binary, where both will be executed as the root user with an SELinux domain named osi. To exploit this vulnerability, a local third-party app needs to have write access to external storage to write the spoofed update at the expected path. The vulnerable system binary (i.e., /system/bin/osi_bin) does not perform any authentication of the update file beyond ensuring that it is encrypted with an AES key (that is hard-coded in the vulnerable system binary). Processes executing with the osi SELinux domain can programmatically perform the following actions: install apps, grant runtime permissions to apps (including permissions with protection levels of dangerous and development), access extensive Personally Identifiable Information (PII) using the programmatically grant permissions, uninstall apps, set the default launcher app to a malicious launcher app that spoofs other apps, set a network proxy to intercept network traffic, unload kernel modules, set the default keyboard to a keyboard that has keylogging functionality, examine notification contents, send text messages, and more. The spoofed update can optionally contain an arbitrary ARM binary that will be locally stored in internal storage and executed at system startup to achieve persistent code execution as the root user with the osi SELinux domain. This ARM binary will continue to execute at startup even if the app that provided the spoofed update is uninstalled."
|
|
},
|
|
{
|
|
"lang": "es",
|
|
"value": "Se ha detectado un problema en Luna Simo versi\u00f3n PPR1.180610.011/202001031830. Maneja inapropiadamente las actualizaciones de software de tal manera que las aplicaciones locales de terceros pueden proporcionar un archivo de actualizaci\u00f3n de software falsificado que contenga un script de shell arbitrario y un binario ARM arbitrario, donde ambos ser\u00e1n ejecutados como el usuario root con un dominio SELinux llamado osi. Para explotar esta vulnerabilidad, una aplicaci\u00f3n local de terceros necesita tener acceso de escritura al almacenamiento externo para escribir la actualizaci\u00f3n falsa en la ruta esperada. El binario del sistema vulnerable (es decir, /system/bin/osi_bin) no lleva a cabo ninguna autenticaci\u00f3n del archivo de actualizaci\u00f3n m\u00e1s all\u00e1 de asegurarse de que est\u00e1 cifrado con una clave AES (que est\u00e1 embebida en el binario del sistema vulnerable). Los procesos que son ejecutados con el dominio osi SELinux pueden llevar a cabo de forma programada las siguientes acciones instalar aplicaciones, conceder permisos de ejecuci\u00f3n a las aplicaciones (incluidos los permisos con niveles de protecci\u00f3n peligrosos y de desarrollo), acceder a una amplia informaci\u00f3n de identificaci\u00f3n personal (PII) usando los permisos concedidos mediante programaci\u00f3n, desinstalar aplicaciones, establecer la aplicaci\u00f3n de inicio por defecto a una aplicaci\u00f3n de inicio maliciosa que falsifica otras aplicaciones, establecer un proxy de red para interceptar el tr\u00e1fico de red, descargar m\u00f3dulos del n\u00facleo, establecer el teclado por defecto a un teclado que presenta funcionalidad de registro de teclas, examinar el contenido de las notificaciones, enviar mensajes de texto, y m\u00e1s. La actualizaci\u00f3n falsa puede contener opcionalmente un binario ARM arbitrario que ser\u00e1 almacenado localmente en el almacenamiento interno y ser\u00e1 ejecutado al iniciar el sistema para lograr la ejecuci\u00f3n persistente de c\u00f3digo como usuario root con el dominio osi SELinux. Este binario ARM continuar\u00e1 ejecut\u00e1ndose al iniciar el sistema incluso si la aplicaci\u00f3n que proporcion\u00f3 la actualizaci\u00f3n falsa es desinstalada"
|
|
}
|
|
],
|
|
"metrics": {
|
|
"cvssMetricV31": [
|
|
{
|
|
"source": "nvd@nist.gov",
|
|
"type": "Primary",
|
|
"cvssData": {
|
|
"version": "3.1",
|
|
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
|
|
"baseScore": 7.8,
|
|
"baseSeverity": "HIGH",
|
|
"attackVector": "LOCAL",
|
|
"attackComplexity": "LOW",
|
|
"privilegesRequired": "LOW",
|
|
"userInteraction": "NONE",
|
|
"scope": "UNCHANGED",
|
|
"confidentialityImpact": "HIGH",
|
|
"integrityImpact": "HIGH",
|
|
"availabilityImpact": "HIGH"
|
|
},
|
|
"exploitabilityScore": 1.8,
|
|
"impactScore": 5.9
|
|
}
|
|
],
|
|
"cvssMetricV2": [
|
|
{
|
|
"source": "nvd@nist.gov",
|
|
"type": "Primary",
|
|
"cvssData": {
|
|
"version": "2.0",
|
|
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
|
|
"baseScore": 7.2,
|
|
"accessVector": "LOCAL",
|
|
"accessComplexity": "LOW",
|
|
"authentication": "NONE",
|
|
"confidentialityImpact": "COMPLETE",
|
|
"integrityImpact": "COMPLETE",
|
|
"availabilityImpact": "COMPLETE"
|
|
},
|
|
"baseSeverity": "HIGH",
|
|
"exploitabilityScore": 3.9,
|
|
"impactScore": 10.0,
|
|
"acInsufInfo": false,
|
|
"obtainAllPrivilege": false,
|
|
"obtainUserPrivilege": false,
|
|
"obtainOtherPrivilege": false,
|
|
"userInteractionRequired": false
|
|
}
|
|
]
|
|
},
|
|
"weaknesses": [
|
|
{
|
|
"source": "nvd@nist.gov",
|
|
"type": "Primary",
|
|
"description": [
|
|
{
|
|
"lang": "en",
|
|
"value": "CWE-798"
|
|
}
|
|
]
|
|
}
|
|
],
|
|
"configurations": [
|
|
{
|
|
"operator": "AND",
|
|
"nodes": [
|
|
{
|
|
"operator": "OR",
|
|
"negate": false,
|
|
"cpeMatch": [
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:o:bluproducts:g90_firmware:-:*:*:*:*:*:*:*",
|
|
"matchCriteriaId": "B003884D-03B5-4E27-A506-22A36E0334A2"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"operator": "OR",
|
|
"negate": false,
|
|
"cpeMatch": [
|
|
{
|
|
"vulnerable": false,
|
|
"criteria": "cpe:2.3:h:bluproducts:g90:-:*:*:*:*:*:*:*",
|
|
"matchCriteriaId": "8E152DA2-58DC-499B-AD5C-C54B6F7F9EA6"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"operator": "AND",
|
|
"nodes": [
|
|
{
|
|
"operator": "OR",
|
|
"negate": false,
|
|
"cpeMatch": [
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:o:bluproducts:g9_firmware:-:*:*:*:*:*:*:*",
|
|
"matchCriteriaId": "CA87E8FB-2312-4C36-8E99-9FC13249FF96"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"operator": "OR",
|
|
"negate": false,
|
|
"cpeMatch": [
|
|
{
|
|
"vulnerable": false,
|
|
"criteria": "cpe:2.3:h:bluproducts:g9:-:*:*:*:*:*:*:*",
|
|
"matchCriteriaId": "84252BD6-08BF-4591-BB70-159AEC3F5526"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"operator": "AND",
|
|
"nodes": [
|
|
{
|
|
"operator": "OR",
|
|
"negate": false,
|
|
"cpeMatch": [
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:o:wikomobile:tommy_3_firmware:-:*:*:*:*:*:*:*",
|
|
"matchCriteriaId": "0998AB21-51AF-44F1-AB64-DAA2F6994255"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"operator": "OR",
|
|
"negate": false,
|
|
"cpeMatch": [
|
|
{
|
|
"vulnerable": false,
|
|
"criteria": "cpe:2.3:h:wikomobile:tommy_3:-:*:*:*:*:*:*:*",
|
|
"matchCriteriaId": "6DFAA033-25DC-4C58-862A-DB52E38053E5"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"operator": "AND",
|
|
"nodes": [
|
|
{
|
|
"operator": "OR",
|
|
"negate": false,
|
|
"cpeMatch": [
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:o:wikomobile:tommy_3_plus_firmware:-:*:*:*:*:*:*:*",
|
|
"matchCriteriaId": "D0D3D7AB-AABF-4BDA-88C8-6BA9A7D683C1"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"operator": "OR",
|
|
"negate": false,
|
|
"cpeMatch": [
|
|
{
|
|
"vulnerable": false,
|
|
"criteria": "cpe:2.3:h:wikomobile:tommy_3_plus:-:*:*:*:*:*:*:*",
|
|
"matchCriteriaId": "AF14B073-3785-4B54-96F2-DE5C8AD50019"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"operator": "AND",
|
|
"nodes": [
|
|
{
|
|
"operator": "OR",
|
|
"negate": false,
|
|
"cpeMatch": [
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:o:luna:simo_firmware:-:*:*:*:*:*:*:*",
|
|
"matchCriteriaId": "57816BEB-1BBE-489D-B6B0-BA24E21D6F7D"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"operator": "OR",
|
|
"negate": false,
|
|
"cpeMatch": [
|
|
{
|
|
"vulnerable": false,
|
|
"criteria": "cpe:2.3:h:luna:simo:-:*:*:*:*:*:*:*",
|
|
"matchCriteriaId": "0AD9D06F-E7A7-4453-813D-B7A3FD544F1A"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
],
|
|
"references": [
|
|
{
|
|
"url": "https://athack.com/session-details/401",
|
|
"source": "cve@mitre.org",
|
|
"tags": [
|
|
"Third Party Advisory"
|
|
]
|
|
},
|
|
{
|
|
"url": "https://simowireless.com/",
|
|
"source": "cve@mitre.org",
|
|
"tags": [
|
|
"Vendor Advisory"
|
|
]
|
|
},
|
|
{
|
|
"url": "https://www.kryptowire.com/android-firmware-2022/",
|
|
"source": "cve@mitre.org",
|
|
"tags": [
|
|
"Broken Link"
|
|
]
|
|
},
|
|
{
|
|
"url": "https://www.kryptowire.com/blog/vsim-vulnerability-within-simo-android-phones-exposed/",
|
|
"source": "cve@mitre.org",
|
|
"tags": [
|
|
"Exploit",
|
|
"Third Party Advisory"
|
|
]
|
|
},
|
|
{
|
|
"url": "https://athack.com/session-details/401",
|
|
"source": "af854a3a-2127-422b-91ae-364da2661108",
|
|
"tags": [
|
|
"Third Party Advisory"
|
|
]
|
|
},
|
|
{
|
|
"url": "https://simowireless.com/",
|
|
"source": "af854a3a-2127-422b-91ae-364da2661108",
|
|
"tags": [
|
|
"Vendor Advisory"
|
|
]
|
|
},
|
|
{
|
|
"url": "https://www.kryptowire.com/android-firmware-2022/",
|
|
"source": "af854a3a-2127-422b-91ae-364da2661108",
|
|
"tags": [
|
|
"Broken Link"
|
|
]
|
|
},
|
|
{
|
|
"url": "https://www.kryptowire.com/blog/vsim-vulnerability-within-simo-android-phones-exposed/",
|
|
"source": "af854a3a-2127-422b-91ae-364da2661108",
|
|
"tags": [
|
|
"Exploit",
|
|
"Third Party Advisory"
|
|
]
|
|
}
|
|
]
|
|
} |