CVE-2023-34733: Automotive-vulnerabilities/VW/jetta2021 at main · zj3t/Automotive-vulnerabilities
A lack of exception handling in the Volkswagen Discover Media Infotainment System Software Version 0876 allows attackers to cause a Denial of Service (DoS) via supplying crafted media files when connecting a device to the vehicle’s USB plug and play feature.
Volkswagen Jetta (2021) Infotainment System Vulnerability Report
I reported a vulnerability to “https://www.volkswagen.de/de/mehr/rechtliches/kontakt-cyber-security.html”
Time and date of discovery
2023.02.28 (Korea Standard Time)
Target Product Model
Volkswagen Jetta 2021
Version
It was the latest version as of February 28, 2023.
Discover Media (infotainment system of VW) software: 0876
Media codec: 1.2.0
Technical Description
A vulnerability exists in Volkswagen’s Infotainment System (Discover Media). I attempted media file fuzzing to find vulnerabilities in Volkswagen’s infotainment system.
To automate the fuzzing process (because transferring files to a USB stick is time-consuming), I connected my laptop to Volkswagen’s USB port and generated numerous media files with a fuzzer. I then continuously performed real-time media fuzzing by mounting and unmounting the files. I conducted fuzzing on various types of media files such as WAV, MP3, WMA, and OGG, and discovered that the vulnerability existed in a malicious (mutated) OGG file. Since Volkswagen’s media player was more robust than expected, I created a separate media file fuzzer specifically for Volkswagen’s infotainment system. I fuzzed more than 20,000 media files per day, and discovered the vulnerability in the OGG file after one day of fuzzing.
Result
Volkswagen’s infotainment system has a USB Plug and Play feature, which means that media files stored on a USB drive will automatically play when inserted into the system. I identified a media file through fuzzing that could trigger vulnerabilities in the infotainment system, and proved this by using a USB stick. As a result, Volkswagen’s infotainment system did not turn on again after being turned off.
The issue persisted even after turning the engine off and on (even removing the USB drive did not resolve the issue with the infotainment system not turning on again), and a manual reboot of the infotainment system was required to resolve the issue.
DEMO #1
PoC.of.VW.1.1.1.mp4
DEMO #2
1.Volkswagen_USBstick.mp4
Impact
When a USB is inserted into the port, the media file is automatically played and the Infotainment System is forcibly terminated. This can be a problem with availability. Furthermore, if the crash is caused by a memory-related bug (such as Overflow, OOB, Over Read/Write), it can lead to serious security issues such as Remote Code Execution. Therefore, if you can analyze the crash of the media player, you may be able to identify the cause of the vulnerability.
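As a defensive counterpart to the missing exception handling described above, the following added example (not part of the original report and not Volkswagen's code) shows a strict Ogg page validator that turns any structural fault in an untrusted file into a controlled rejection. The report does not say which part of the OGG file triggers the crash, so this covers only generic container-level checks; the names `OggError`, `validate_pages`, `is_playable` and `build_page`, and the sample page, are constructed for illustration.

```python
import struct

class OggError(ValueError):
    """Any structural fault in an untrusted Ogg file."""

def ogg_crc(data: bytes) -> int:
    # Ogg page CRC-32: polynomial 0x04C11DB7, MSB-first, init 0, no final XOR.
    crc = 0
    for byte in data:
        crc ^= byte << 24
        for _ in range(8):
            crc = ((crc << 1) ^ 0x04C11DB7 if crc & 0x80000000 else crc << 1) & 0xFFFFFFFF
    return crc

def validate_pages(blob: bytes) -> int:
    """Return the page count; raise OggError at the first malformed page."""
    pos = count = 0
    while pos < len(blob):
        head = blob[pos:pos + 27]
        if len(head) < 27 or head[:4] != b"OggS" or head[4] != 0:
            raise OggError(f"bad page header at offset {pos}")
        lacing = blob[pos + 27:pos + 27 + head[26]]   # segment table
        end = pos + 27 + head[26] + sum(lacing)
        if len(lacing) < head[26] or end > len(blob):
            raise OggError(f"page at offset {pos} runs past end of file")
        page = bytearray(blob[pos:end])
        stored = struct.unpack_from("<I", page, 22)[0]
        page[22:26] = bytes(4)   # CRC is computed with its own field zeroed
        if ogg_crc(page) != stored:
            raise OggError(f"CRC mismatch in page at offset {pos}")
        pos, count = end, count + 1
    return count

def is_playable(blob: bytes) -> bool:
    """Player-side gate: a malformed file is skipped instead of crashing the caller."""
    try:
        return validate_pages(blob) > 0
    except OggError:
        return False

def build_page(payload: bytes, seq: int = 0) -> bytes:
    """Constructed sample: one page holding a single segment (payload < 255 bytes)."""
    hdr = struct.pack("<4sBBqIIIB", b"OggS", 0, 0x02, 0, 0x1234, seq, 0, 1)
    page = bytearray(hdr + bytes([len(payload)]) + payload)
    struct.pack_into("<I", page, 22, ogg_crc(page))
    return bytes(page)

if __name__ == "__main__":
    sample = build_page(b"constructed payload")
    print(is_playable(sample), is_playable(sample[:-1]))
```

Container validation of this kind does not replace hardening the codec itself, since a page can pass these checks and still carry a payload the decoder mishandles.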
Volkswagen’s response
Volkswagen acknowledged the report as a vulnerability.