CVE-2018-14998 - OpenCVE

The Leagoo P1 Android device with a build fingerprint of sp7731c_1h10_32v4_bird:6.0/MRA58K/android.20170629.214736:user/release-keys contains a hidden root privilege escalation capability to achieve command execution as the root user. They have made modifications that allow a user with physical access to the device to obtain a root shell via ADB by modifying read-only system properties at runtime. Specifically, modifying the ro.debuggable and the ro.secure system properties to a certain value and then restarting the ADB daemon allows for a root shell to be obtained via ADB.

No CVSS v3.1

Attack Vector Physical

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:L/AC:L/Au:N/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Leagoo	P1 Firmware P1

Configuration 1 [-]

AND

cpe:2.3:o:leagoo:p1_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:leagoo:p1:-:*:*:*:*:*:*:*

References

Link	Resource
https://www.kryptowire.com/portal/android-firmware-defcon-2018/	Third Party Advisory
https://www.kryptowire.com/portal/wp-content/uploads/2018/12/DEFCON-26-Johnson-and-Stavrou-Vulnerable-Out-of-the-Box-An-Eval-of-Android-Carrier-Devices-WP-Updated.pdf	Exploit Technical Description Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2018-12-28T21:00:00

Updated: 2018-12-28T20:57:01

Reserved: 2018-08-05T00:00:00

Link: CVE-2018-14998

JSON object: View

NVD Information

Status : Analyzed

Published: 2018-12-28T21:29:00.747

Modified: 2019-10-03T00:03:26.223

Link: CVE-2018-14998

JSON object: View

Redhat Information

No data.

CWE

CWE-78

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2018-08-14T00:00:00", "descriptions": [{"lang": "en", "value": "The Leagoo P1 Android device with a build fingerprint of sp7731c_1h10_32v4_bird:6.0/MRA58K/android.20170629.214736:user/release-keys contains a hidden root privilege escalation capability to achieve command execution as the root user. They have made modifications that allow a user with physical access to the device to obtain a root shell via ADB by modifying read-only system properties at runtime. Specifically, modifying the ro.debuggable and the ro.secure system properties to a certain value and then restarting the ADB daemon allows for a root shell to be obtained via ADB."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-12-28T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.kryptowire.com/portal/wp-content/uploads/2018/12/DEFCON-26-Johnson-and-Stavrou-Vulnerable-Out-of-the-Box-An-Eval-of-Android-Carrier-Devices-WP-Updated.pdf"}, {"tags": ["x_refsource_MISC"], "url": "https://www.kryptowire.com/portal/android-firmware-defcon-2018/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-14998", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Leagoo P1 Android device with a build fingerprint of sp7731c_1h10_32v4_bird:6.0/MRA58K/android.20170629.214736:user/release-keys contains a hidden root privilege escalation capability to achieve command execution as the root user. They have made modifications that allow a user with physical access to the device to obtain a root shell via ADB by modifying read-only system properties at runtime. Specifically, modifying the ro.debuggable and the ro.secure system properties to a certain value and then restarting the ADB daemon allows for a root shell to be obtained via ADB."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.kryptowire.com/portal/wp-content/uploads/2018/12/DEFCON-26-Johnson-and-Stavrou-Vulnerable-Out-of-the-Box-An-Eval-of-Android-Carrier-Devices-WP-Updated.pdf", "refsource": "MISC", "url": "https://www.kryptowire.com/portal/wp-content/uploads/2018/12/DEFCON-26-Johnson-and-Stavrou-Vulnerable-Out-of-the-Box-An-Eval-of-Android-Carrier-Devices-WP-Updated.pdf"}, {"name": "https://www.kryptowire.com/portal/android-firmware-defcon-2018/", "refsource": "MISC", "url": "https://www.kryptowire.com/portal/android-firmware-defcon-2018/"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-14998", "datePublished": "2018-12-28T21:00:00", "dateReserved": "2018-08-05T00:00:00", "dateUpdated": "2018-12-28T20:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:leagoo:p1_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "763DCF92-A6B0-4F8B-811D-BFD19EA8997C", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:leagoo:p1:-:*:*:*:*:*:*:*", "matchCriteriaId": "8D4C52CD-08EB-444C-8971-E9E6DEB0B15A", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "The Leagoo P1 Android device with a build fingerprint of sp7731c_1h10_32v4_bird:6.0/MRA58K/android.20170629.214736:user/release-keys contains a hidden root privilege escalation capability to achieve command execution as the root user. They have made modifications that allow a user with physical access to the device to obtain a root shell via ADB by modifying read-only system properties at runtime. Specifically, modifying the ro.debuggable and the ro.secure system properties to a certain value and then restarting the ADB daemon allows for a root shell to be obtained via ADB."}, {"lang": "es", "value": "El dispositivo Android \"Leagoo P1\" con una huella de build de sp7731c_1h10_32v4_bird:6.0/MRA58K/android.20170629.214736:user/release-keys contiene una capacidad de escalado de privilegios root escondida para lograr la ejecuci\u00f3n de comandos como el usuario root. Se han realizado modificaciones que permiten a usuarios con acceso f\u00edsico al dispositivo obtener un shell root mediante ADB, modificando las propiedades de sistema, del tipo solo lectura, en tiempo de ejecuci\u00f3n. Espec\u00edficamente, la modificaci\u00f3n de las propiedades de sistema ro.debuggable y ro.secure a un determinado valor y el reinicio del demonio ADB permite la obtenci\u00f3n de un shell root mediante ADB."}], "id": "CVE-2018-14998", "lastModified": "2019-10-03T00:03:26.223", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.2, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 0.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-12-28T21:29:00.747", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.kryptowire.com/portal/android-firmware-defcon-2018/"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Technical Description", "Third Party Advisory"], "url": "https://www.kryptowire.com/portal/wp-content/uploads/2018/12/DEFCON-26-Johnson-and-Stavrou-Vulnerable-Out-of-the-Box-An-Eval-of-Android-Carrier-Devices-WP-Updated.pdf"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}]}