CVE-2018-16618 - OpenCVE

VTech Storio Max before 56.D3JM6 allows remote command execution via shell metacharacters in an Android activity name. It exposes the storeintenttranslate.x service on port 1668 listening for requests on localhost. Requests submitted to this service are checked for a string of random characters followed by the name of an Android activity to start. Activities are started by inserting their name into a string that is executed in a shell command. By inserting metacharacters this can be exploited to run arbitrary commands as root. The requests also match those of the HTTP protocol and can be triggered on any web page rendered on the device by requesting resources stored at an http://127.0.0.1:1668/ URI, as demonstrated by the http://127.0.0.1:1668/dacdb70556479813fab2d92896596eef?';{ping,example.org}' URL.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:L/Au:N/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Vtech	80-183807 Storio Max Firmware 80-183805 80-183823 80-183822 80-183804 80-183824 80-183803 80-1838xx

Configuration 1 [-]

AND

cpe:2.3:o:vtech:storio_max_firmware:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:vtech:80-183803:-:::::::*
	cpe:2.3:h:vtech:80-183804:-:::::::*
	cpe:2.3:h:vtech:80-183805:-:::::::*
	cpe:2.3:h:vtech:80-183807:-:::::::*
	cpe:2.3:h:vtech:80-183822:-:::::::*
	cpe:2.3:h:vtech:80-183823:-:::::::*
	cpe:2.3:h:vtech:80-183824:-:::::::*
	cpe:2.3:h:vtech:80-1838xx:-:::::::*

References

Link	Resource
https://www.surecloud.com/sc-blog/vtech	Exploit Third Party Advisory
https://www.vtech.com/en/our-businesses/product-support/	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2019-06-19T17:48:14

Updated: 2019-06-19T17:48:14

Reserved: 2018-09-06T00:00:00

Link: CVE-2018-16618

JSON object: View

NVD Information

Status : Analyzed

Published: 2019-06-19T18:15:10.853

Modified: 2020-08-24T17:37:01.140

Link: CVE-2018-16618

JSON object: View

Redhat Information

No data.

CWE

CWE-78

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "VTech Storio Max before 56.D3JM6 allows remote command execution via shell metacharacters in an Android activity name. It exposes the storeintenttranslate.x service on port 1668 listening for requests on localhost. Requests submitted to this service are checked for a string of random characters followed by the name of an Android activity to start. Activities are started by inserting their name into a string that is executed in a shell command. By inserting metacharacters this can be exploited to run arbitrary commands as root. The requests also match those of the HTTP protocol and can be triggered on any web page rendered on the device by requesting resources stored at an http://127.0.0.1:1668/ URI, as demonstrated by the http://127.0.0.1:1668/dacdb70556479813fab2d92896596eef?';{ping,example.org}' URL."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-06-19T17:48:14", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.vtech.com/en/our-businesses/product-support/"}, {"tags": ["x_refsource_MISC"], "url": "https://www.surecloud.com/sc-blog/vtech"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-16618", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "VTech Storio Max before 56.D3JM6 allows remote command execution via shell metacharacters in an Android activity name. It exposes the storeintenttranslate.x service on port 1668 listening for requests on localhost. Requests submitted to this service are checked for a string of random characters followed by the name of an Android activity to start. Activities are started by inserting their name into a string that is executed in a shell command. By inserting metacharacters this can be exploited to run arbitrary commands as root. The requests also match those of the HTTP protocol and can be triggered on any web page rendered on the device by requesting resources stored at an http://127.0.0.1:1668/ URI, as demonstrated by the http://127.0.0.1:1668/dacdb70556479813fab2d92896596eef?';{ping,example.org}' URL."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.vtech.com/en/our-businesses/product-support/", "refsource": "MISC", "url": "https://www.vtech.com/en/our-businesses/product-support/"}, {"name": "https://www.surecloud.com/sc-blog/vtech", "refsource": "MISC", "url": "https://www.surecloud.com/sc-blog/vtech"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-16618", "datePublished": "2019-06-19T17:48:14", "dateReserved": "2018-09-06T00:00:00", "dateUpdated": "2019-06-19T17:48:14", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:vtech:storio_max_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "28FC9573-A2E3-4543-9156-8B6242059FDA", "versionEndExcluding": "56.d3jm6", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:vtech:80-183803:-:*:*:*:*:*:*:*", "matchCriteriaId": "043A6115-1C5F-43A8-B93D-19483A3199A7", "vulnerable": false}, {"criteria": "cpe:2.3:h:vtech:80-183804:-:*:*:*:*:*:*:*", "matchCriteriaId": "03405DE1-B859-4261-BD75-E3387583E814", "vulnerable": false}, {"criteria": "cpe:2.3:h:vtech:80-183805:-:*:*:*:*:*:*:*", "matchCriteriaId": "920C0E4F-D0CC-42CC-AC41-652080E8837C", "vulnerable": false}, {"criteria": "cpe:2.3:h:vtech:80-183807:-:*:*:*:*:*:*:*", "matchCriteriaId": "F6A0D5C0-34B9-4621-BBC9-49E40CF772BE", "vulnerable": false}, {"criteria": "cpe:2.3:h:vtech:80-183822:-:*:*:*:*:*:*:*", "matchCriteriaId": "6795FA5E-0304-413C-ABD0-3629A81B695D", "vulnerable": false}, {"criteria": "cpe:2.3:h:vtech:80-183823:-:*:*:*:*:*:*:*", "matchCriteriaId": "74036CF5-80E2-46E5-9082-AD6126A47CAD", "vulnerable": false}, {"criteria": "cpe:2.3:h:vtech:80-183824:-:*:*:*:*:*:*:*", "matchCriteriaId": "B96E2A61-E954-4572-B5A1-C4D68DDC9D71", "vulnerable": false}, {"criteria": "cpe:2.3:h:vtech:80-1838xx:-:*:*:*:*:*:*:*", "matchCriteriaId": "099E1B36-3767-4982-B894-4A6055147235", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "VTech Storio Max before 56.D3JM6 allows remote command execution via shell metacharacters in an Android activity name. It exposes the storeintenttranslate.x service on port 1668 listening for requests on localhost. Requests submitted to this service are checked for a string of random characters followed by the name of an Android activity to start. Activities are started by inserting their name into a string that is executed in a shell command. By inserting metacharacters this can be exploited to run arbitrary commands as root. The requests also match those of the HTTP protocol and can be triggered on any web page rendered on the device by requesting resources stored at an http://127.0.0.1:1668/ URI, as demonstrated by the http://127.0.0.1:1668/dacdb70556479813fab2d92896596eef?';{ping,example.org}' URL."}, {"lang": "es", "value": "VTech Storio Max antes de 56.D3JM6 permite la ejecuci\u00f3n remota de comandos a trav\u00e9s de metacaracteres de shell en un nombre de actividad de Android. Expone el servicio storeintenttranslate.x en el puerto 1668 que escucha las solicitudes en localhost. Las solicitudes enviadas a este servicio se verifican para una serie de caracteres aleatorios seguidos por el nombre de una actividad de Android para comenzar. Las actividades se inician insertando su nombre en una cadena que se ejecuta en un comando de shell. Al insertar metacaracteres, esto puede ser explotado para ejecutar comandos arbitrarios como root. Las solicitudes tambi\u00e9n coinciden con las del protocolo HTTP y pueden activarse en cualquier p\u00e1gina web representada en el dispositivo solicitando recursos almacenados en una URI http://127.0.0.1:1668/, como lo demuestra la http://127.0.0.1 : 1668 / dacdb70556479813fab2d92896596eef? '; {Ping, example.org}' URL"}], "id": "CVE-2018-16618", "lastModified": "2020-08-24T17:37:01.140", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-06-19T18:15:10.853", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.surecloud.com/sc-blog/vtech"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.vtech.com/en/our-businesses/product-support/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}]}