Headline
CVE-2023-28885: GitHub - zj3t/GM_Vulnerability: Vulnerability Report
The MyLink infotainment system (build 2021.3.26) in General Motors Chevrolet Equinox 2021 vehicles allows attackers to cause a denial of service (temporary failure of Media Player functionality) via a crafted MP3 file.
Chevrolet Equinox Media Player’s DoS vulnerability
Summary
I made an effort to find vulnerabilities in the infotainment system of a 2021 Chevrolet Equinox vehicle. I created a testcase for Chevrolet Equinox’s media player and performed fuzzing. The Chevrolet Equinox’s system was up to date and was built on 2021.03.26.
Since the Chevrolet Equinox’s infotainment system was based on Android, it was difficult to play malicious media files created by the fuzzer (most media files are not recognized by the system).
Therefore, I developed a bit-flipping fuzzer and efficiently fuzzed the media player by minimizing file damage. As a result, the Chevrolet Equinox’s media player crashed.
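A sketch of what a damage-minimizing bit-flip mutator for MP3 input can look like, added here as an illustration; it is not the author's fuzzer, which the page does not show. It assumes "minimizing file damage" means leaving the ID3v2 tag and every frame header intact so the file is still recognized as audio. It handles MPEG-1 Layer III only, and all function names are hypothetical.

```python
import random

# MPEG-1 Layer III tables (kbps / Hz), indexed by the header's bit fields.
BITRATES = [0, 32, 40, 48, 56, 64, 80, 96, 112, 128, 160, 192, 224, 256, 320]
SAMPLE_RATES = [44100, 48000, 32000]

def id3v2_size(data: bytes) -> int:
    """Length of a leading ID3v2 tag (10-byte header + synchsafe size), else 0."""
    if len(data) < 10 or data[:3] != b"ID3":
        return 0
    return 10 + sum((b & 0x7F) << sh for b, sh in zip(data[6:10], (21, 14, 7, 0)))

def frame_length(hdr: bytes) -> int:
    """Byte length of an MPEG-1 Layer III frame from its header, 0 if not one."""
    if len(hdr) < 4 or hdr[0] != 0xFF or (hdr[1] & 0xFE) != 0xFA:
        return 0
    br, sr, pad = hdr[2] >> 4, (hdr[2] >> 2) & 3, (hdr[2] >> 1) & 1
    if br in (0, 15) or sr == 3:
        return 0
    return 144 * BITRATES[br] * 1000 // SAMPLE_RATES[sr] + pad

def protected_ranges(data: bytes) -> list:
    """Ranges left untouched: the ID3v2 tag and every 4-byte frame header."""
    pos = id3v2_size(data)
    ranges = [(0, pos)]
    while n := frame_length(data[pos:pos + 4]):
        ranges.append((pos, pos + 4))
        pos += n
    return ranges

def mutate(data: bytes, flips: int, seed: int) -> bytes:
    """Flip `flips` bits, one per distinct payload byte; same seed, same output."""
    keep = {i for a, b in protected_ranges(data) for i in range(a, b)}
    payload = [i for i in range(len(data)) if i not in keep]
    rng = random.Random(seed)  # record the seed so a crashing case can be rebuilt
    out = bytearray(data)
    for i in rng.sample(payload, min(flips, len(payload))):
        out[i] ^= 1 << rng.randrange(8)
    return bytes(out)

# Constructed sample: empty ID3v2.3 tag + three 128 kbps / 44.1 kHz frames (417 bytes each).
SAMPLE = b"ID3\x03\x00\x00\x00\x00\x00\x00" + (b"\xff\xfb\x90\x00" + bytes(413)) * 3

if __name__ == "__main__":
    fuzzed = mutate(SAMPLE, flips=8, seed=1)
    print(protected_ranges(fuzzed) == protected_ranges(SAMPLE))
```

Because the frame walk of the mutated file matches the original, a decoder still accepts the container and the flipped bits reach the audio-payload parsing code; keeping the seed with each test case makes a crash reproducible for triage.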
DEMO #1
DEMO #2
It seemed difficult to use the media player without removing the USB.
Impact
When a USB is inserted into the port, the media file is automatically played and the Chevrolet Equinox’s media player is forcibly terminated. This can be a problem with availability. Furthermore, if the crash is caused by a memory-related bug (such as Overflow, OOB, Over Read/Write), it can lead to serious security issues such as Remote Code Execution. Therefore, if you can analyze the controller of Chevrolet Equinox and dump the crash of the media player, you may be able to identify the cause of the vulnerability.
Response to GM
- On February 22, 2023, I reported a vulnerability in the media player to GM.
- The response from GM was as follows.