CVE-2023-40930
Skyworth 3.0 OS is vulnerable to Directory Traversal.
[CVE ID]
CVE-2023-40930
[PRODUCT]
skyworth_3.0 OS
[KERNEL VERSION]
android11-2-g80d76e2fee26-dirty
[PROBLEM TYPE]
Directory Traversal
[DESCRIPTION]
Skyworth_3.0 OS has the same issue as CVE-2018-9445: an attacker can use a specially crafted Udisk (USB flash drive) to attack devices that run this OS.
[REPRODUCTION ENVIRONMENT]
https://github.com/NSnidie/CVE-2023-40930
NSnidie commented on Sep 19, 2023
[ISSUE DETAILS]
The issue comes from "/system/bin/blkid".
Use the tool "checksec" to determine its architecture:
And we can use IDA to reverse this ELF:
The picture above shows the issue in the function "print_tags": "strncmp" returns 0 if the string is "LABEL", so if the field is "LABEL=xxxxx", it will fputs every char in xxxxx to stdout without ignoring the '"'. So if we use the string ' UUID =…/a"' as xxxxx, the final blkid output string becomes LABEL=" UUID="…/a":
Then if we plug this Udisk into USB, it will cause Directory Traversal:
Normally the Udisk would be mounted to /mnt/usb/, but this time it is mounted to /mnt/, causing the Directory Traversal.
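The quoting problem described in the comment above, as an added C example that is not part of the original write-up and not Skyworth's or blkid's code: emit_tag writes a NAME="value" field with and without escaping, and uuid_is_safe_component is a check a consumer can apply before using a UUID as a mount directory name. The function names, the backslash escaping scheme, the allowed character set and the sample label are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Write NAME="value" into out. With escape == 0 the value is copied as-is
 * (the behaviour the write-up describes). With escape == 1, '"' and '\'
 * are backslash-escaped so the value cannot close its own quotes.
 * Returns the number of bytes written, or 0 if out is too small. */
size_t emit_tag(char *out, size_t cap, const char *name,
                const char *value, int escape)
{
    int w = snprintf(out, cap, "%s=\"", name);
    if (w < 0 || (size_t)w >= cap) return 0;
    size_t n = (size_t)w;
    for (const char *p = value; *p; p++) {
        if (escape && (*p == '"' || *p == '\\')) {
            if (n + 1 >= cap) return 0;
            out[n++] = '\\';
        }
        if (n + 1 >= cap) return 0;
        out[n++] = *p;
    }
    if (n + 2 > cap) return 0;   /* closing quote plus NUL */
    out[n++] = '"';
    out[n] = '\0';
    return n;
}

/* Consumer-side check (assumed policy): accept a UUID as a single path
 * component only if it is non-empty, bounded, and made of [A-Za-z0-9-]. */
int uuid_is_safe_component(const char *uuid)
{
    size_t len = strlen(uuid);
    if (len == 0 || len > 64) return 0;
    for (size_t i = 0; i < len; i++)
        if (!isalnum((unsigned char)uuid[i]) && uuid[i] != '-') return 0;
    return 1;
}

int main(void)
{
    const char *label = "\" UUID=\"../a";  /* constructed sample label */
    char raw[128], esc[128];
    emit_tag(raw, sizeof raw, "LABEL", label, 0);
    emit_tag(esc, sizeof esc, "LABEL", label, 1);
    printf("unescaped: %s\nescaped:   %s\n", raw, esc);
    printf("\"../a\" accepted as mount dir: %d\n", uuid_is_safe_component("../a"));
    return 0;
}
```

Escaping on the producer side only helps if the consumer's parser understands the same escapes, so the character check on the UUID is worth keeping as an independent second layer.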