CVE-2022-24936 GBL parser out-of-bounds error allows attacker to overwrite flash Sign key and OTA decryption key.
Attackers can exploit this vulnerability by sending malicious upgrade requests via HTTP POST requests. An attacker can send upgrade requests to the following URL and get upgrade responses with the attacker's signed keys: /upgrade/?signKey=<malicious key>&OTA_Decrypt_Key=<malicious key>&bootLoaderId=<malicious bootloader id>, where <malicious key> and <malicious bootloader id> are the keys for signing and encrypting the OTA. An attacker can also send malicious upgrade requests via HTTP POST requests to the following URL: /upgrade/?signKey=<malicious key>&OTA_Decrypt_Key=<malicious key>&bootLoaderId=<malicious bootloader id>&url=<URL of target app>, where <URL of target app> is the URL of an application that is vulnerable to this vulnerability. An attacker can also send upgrade requests to the following URL: /upgrade/?signKey=<malicious key>&OTA_Decrypt_Key=<malicious key>&bootLoaderId=<malicious bootloader id>&url=<URL of target app>&appPackage=<malicious app package>, where <URL of target app> is the URL of an application that is vulnerable to this vulnerability.
Vulnerability details
On July 29, 2017, a vulnerability was found that allows attackers to upgrade applications without the user's consent. An attacker can exploit this vulnerability by sending malicious upgrade requests via HTTP POST requests to the following URL: /upgrade/?signKey=<malicious key>&OTA_Decrypt_Key=<malicious key>&bootLoaderId=<malicious bootloader id>&url=<URL of target app>, where <URL of target app> is the URL of an application that is vulnerable to this vulnerability.
Timeline
Published on: 11/02/2022 18:15:00 UTC
Last modified on: 11/03/2022 16:41:00 UTC