Headline
CVE-2023-33294: KaiOS 3.0 Root CLI via TCT Web Server
An issue was discovered in KaiOS 3.0 before 3.1. The /system/bin/tctweb_server binary exposes a local web server that responds to GET and POST requests on port 2929. The server accepts arbitrary Bash commands and executes them as root. Because it is not permission or context restricted and returns proper CORS headers, it’s accessible to all websites via the browser. At a bare minimum, this allows an attacker to retrieve a list of the user’s installed apps, notifications, and downloads. It also allows an attacker to delete local files and modify system properties including the boolean persist.moz.killswitch property (which would render the device inoperable). This vulnerability is partially mitigated by SELinux which prevents reads, writes, or modifications to files or permissions within protected partitions.
CVE-2023-33294: Execute Commands as Root from KaiOS 3.0 Browser via TCT Web Server
Vendor: KaiOS Technologies Inc.
Vendor URL: https://www.kaiostech.com/
Versions affected: KaiOS 3.0
Systems Affected: KaiOS-based mobile devices
Author: Tom Barrasso
CVE Identifier: CVE-2023-33294
Risk: Critical
Summary
KaiOS is a mobile operating system based on Firefox OS. KaiOS 3.0 comes shipped with a binary, tctweb_server, exposing a local web server that responds to HTTP requests on port 2929. This server responds to GET and POST requests, accepting a application/x-www-form-urlencoded formatted request body with key-value tuples separated by '&’, with a '=’.
tctweb_server runs as root. It supports pre-defined commands for getting & setting system properties, reading & writing NV items, and reading files. It also allows for execution of user-provided bash commands. Because the server is exposed on http://127.0.0.1:2929, and it returns the header Access-Control-Allow-Origin: * with every request, it is accessible to all installed apps and websites the system browser.
Location
- Source: /system/bin/tctweb_server
Impact
Because tctweb_server runs as root, accepts arbitrary bash commands, and is accessible via the system browser, it has a very high potential for abuse. This risk is partially mitigated by SELinux enforcement. As a result, tctweb_server cannot be used to read, write, or modify files or permissions within protected partitions.
The following are examples of what can be accomplished simply by visiting a malicious website on a KaiOS 3.0 device.
- Using cmdshell=readfile to get the list of installed applications (system/b2g/webapps/webapps.json), or user profile data including notifications and downloads (folder: data/b2g/mozilla/*.default/, files: downloads.json, notifications.json)
- Modifying or deleting local files, i.e. in sdcard/
- Bricking the device by enabling the kill switch system property persist.moz.killswitch
An attacker can make XMLHttpRequest or fetch requests to http://127.0.0.1:2929 with parameters to run commands as root. In this simple example, the contents of the build.prop file are displayed on screen. let xhr = new XMLHttpRequest(); xhr.open('POST’, 'http://127.0.0.1:2929’, true); xhr.send(‘cmd=bash&cmdshell=readfile&filename=system/build.prop’);
Recommendation
Given the strong potential for abuse, the tctweb_server binary should either be permission-restricted to only certified apps or removed altogether. Analysis of builds from the Nokia 2780 Flip suggests that tctweb_server was removed in KaiOS 3.1.
Demo
This demo displays the contents of build.prop on sceen.
KaiOS Version:
build.prop
Vendor Communication Timeline
- 5/2/23: Tom emailed [email protected] asking for PGP key used for secure communication.
- 5/5/23: Tom disclosed issues to KaiOS Technologies.
- 5/8/23: KaiOS Technologies acknowledged this issue.
- 5/15/23: Tom asked for the current remediation status.