CVE-2018-15002

Severity Score

4.7

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The Vivo V7 device with a build fingerprint of vivo/1718/1718:7.1.2/N2G47H/compil11021857:user/release-keys allows any app co-located on the device to set system properties as the com.android.phone user. The com.qualcomm.qti.modemtestmode app (versionCode=25, versionName=7.1.2) that contains an exported service named com.qualcomm.qti.modemtestmode.MbnTestService that allows any app co-located on the device to provide key-value pairs to set certain system properties. Notably, system properties with the persist.* prefix can be set which will survive a reboot. On the Vivo V7 device, when the persist.sys.input.log property is set to have a value of yes, the user's screen touches be written to the logcat log by the InputDispatcher for all apps. The system-wide logcat log can be obtained from external storage via a different known vulnerability on the device. The READ_EXTERNAL_STORAGE permission is necessary to access the log files containing the user's touch coordinates. With some effort, the user's touch coordinates can be mapped to key presses on a keyboard.

El dispositivo Vivo V7 con una huella digital de vivo/1718/1718:7.1.2/N2G47H/compil11021857:user/release-keys permite que cualquier app ubicada en el dispositivo establezca propiedades del sistema como el usuario com.android.phone. La app com.qualcomm.qti.modemtestmode (versionCode=25, versionName=7.1.2) que contiene un servicio exportado llamado com.qualcomm.qti.modemtestmode.MbnTestService permite que cualquier app ubicada en el dispositivo proporcione pares de valores de clave para configurar ciertas propiedades del sistema. Notablemente, las propiedades del sistema con el prefijo persist.* pueden configurarse, lo que sobrevivirá a un reinicio. En el dispositivo Vivo V7, cuando la propiedad persist.sys.input.log está configurada para que tenga un valor "yes", los toques en la pantalla del usuario se escriben en el registro logcat por el InputDispatcher para todas las apps. El registro del sistema logcat puede ser obtenido desde el almacenamiento externo mediante otra vulnerabilidad conocida en el dispositivo. El permiso READ_EXTERNAL_STORAGE es necesario para acceder a los archivos de registro que contienen las coordenadas de toque del usuario. Con algún esfuerzo, las coordenadas de toque del usuario pueden mapearse a pulsaciones de tecla en un teclado.

*Credits: N/A

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Local

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2018-08-05 CVE Reserved
2018-12-28 CVE Published
2023-03-08 EPSS Updated
2024-08-05 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-532: Insertion of Sensitive Information into Log File

CAPEC

References (2)

URL	Tag	Source
https://www.kryptowire.com/portal/android-firmware-defcon-2018	Third Party Advisory
https://www.kryptowire.com/portal/wp-content/uploads/2018/12/DEFCON-26-Johnson-and-Stavrou-Vulnerable-Out-of-the-Box-An-Eval-of-Android-Carrier-Devices-WP-Updated.pdf	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Vivo Search vendor "Vivo"	V7 Firmware Search vendor "Vivo" for product "V7 Firmware"	7.1.2 Search vendor "Vivo" for product "V7 Firmware" and version "7.1.2"	-	Affected	in	Vivo Search vendor "Vivo"	V7 Search vendor "Vivo" for product "V7"	-	-	Safe