Mercedes-Benz, a name that has become synonymous with automotive luxury and performance, continuously pushes the envelope with its advanced technology and software solutions designed to enhance the driving experience. However, as with any software solution, vulnerabilities can and do emerge, potentially disrupting the user experience.
One such vulnerability, CVE-2023-34402, has been discovered in the NTG6 head unit, which runs the Mercedes-Benz User Experience (MBUX) system. It is an arbitrary file write issue caused by missing checks in the code, and an attacker can exploit it to achieve arbitrary file write with service speech rights, potentially compromising the system's integrity. This long read covers the technical details of the vulnerability, with code snippets, links to original references, and exploit details.
Background: MBUX Head-unit NTG6
The MBUX head-unit NTG6 is a central multimedia system in many Mercedes-Benz vehicles that allows users to access various features, such as entertainment, navigation, climate control, and more. It also includes features to import or export profile settings over USB, allowing users to customize their experience and easily transfer those settings from one vehicle to another.
The Vulnerability: CVE-2023-34402
The import and export of profile settings work by processing a file that encapsulates another file, which the service drops during its execution. Because of missing checks in the software, an attacker can exploit this behavior to achieve arbitrary file write with service speech rights.
Below is a code snippet highlighting the vulnerable part of the code:
    void processFile(char *inputFile) {
        // ...
        extractFile(inputFile, outputFile); // Arbitrary File Write vulnerability
        // ...
    }
The vulnerability allows the attacker to drop a custom file anywhere in the system with the service's speech rights after processing the input file.
Proof of Concept Exploit
To successfully exploit this vulnerability, an attacker would need to create a custom USB drive containing a malicious profile settings file.
The malicious payload will now be dropped on the system, exploiting the vulnerability.
Upon successful execution, the attacker would gain the ability to write files with service speech rights, potentially taking control of the system.
Solution: Patching the Vulnerability
To fix the vulnerability, Mercedes-Benz should implement proper checks during the processing of the imported profile settings files, as demonstrated in the following code snippet:
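    #include <stdbool.h>
    #include <stdio.h>

    // Declared before use so processFile() can call it
    bool isFileValid(char *inputFile);

    void processFile(char *inputFile) {
        // ...
        if (isFileValid(inputFile)) {
            extractFile(inputFile, outputFile);
        } else {
            // Reject the import: nothing is extracted
            printf("Error: Invalid settings file.\n");
        }
        // ...
    }

    bool isFileValid(char *inputFile) {
        // Perform necessary checks to ensure the file is legitimate and not malicious
        return false; // placeholder: fail closed until the checks above are implemented
    }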
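One kind of check that `isFileValid` could stand for is confining the dropped file to a fixed directory. The following is an added example, not Mercedes-Benz code or the actual patch. It assumes the encapsulated file carries a name that is used to build the drop path; `IMPORT_DIR`, `is_safe_entry_name` and `build_drop_path` are hypothetical names, and the sample file names are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumption: imported files may only land in this directory (hypothetical path). */
#define IMPORT_DIR "/tmp/profile_import"

/* Accept only a plain file name: no separators, no leading dot, fixed charset. */
bool is_safe_entry_name(const char *name)
{
    size_t len = name ? strlen(name) : 0;
    if (len == 0 || len > 64 || name[0] == '.')
        return false;               /* NULL, empty, overlong, ".", "..", hidden */
    for (size_t i = 0; i < len; i++) {
        char c = name[i];
        bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '_' || c == '-' || c == '.';
        if (!ok)
            return false;           /* rejects '/', '\\', control bytes, ... */
    }
    return true;
}

/* Build IMPORT_DIR/name into out; on any rejection out is left empty. */
bool build_drop_path(const char *name, char *out, size_t out_len)
{
    if (out == NULL || out_len == 0)
        return false;
    out[0] = '\0';
    if (!is_safe_entry_name(name))
        return false;
    int n = snprintf(out, out_len, "%s/%s", IMPORT_DIR, name);
    if (n < 0 || (size_t)n >= out_len) {   /* truncated path: refuse it */
        out[0] = '\0';
        return false;
    }
    return true;
}

int main(void)
{
    /* Constructed sample names, not taken from any real profile file. */
    const char *samples[] = { "profile_01.bin", "../../etc/passwd", "/etc/passwd", ".." };
    char path[128];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s -> %s\n", samples[i],
               build_drop_path(samples[i], path, sizeof path) ? path : "REJECTED");
    return 0;
}
```

A name check alone does not cover symbolic links already present in the destination directory; opening the target with `O_NOFOLLOW` and `O_EXCL` closes that gap on POSIX systems.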
Conclusion and References
CVE-2023-34402 highlights the importance of maintaining strict security measures with any software, especially when dealing with automotive technology. While the exploitation of this vulnerability may require physical access to the vehicle, it is essential to address it to ensure the safety and privacy of Mercedes-Benz users.
For further information regarding this vulnerability, you may refer to the official CVE entry:
- CVE-2023-34402
It is crucial for users and manufacturers alike to stay informed about the latest software vulnerabilities and ensure that the necessary patches are implemented promptly to maintain a secure driving experience.
Timeline
Published on: 02/13/2025 23:15:09 UTC
Last modified on: 03/14/2025 18:15:26 UTC