CVE-2018-15006

Severity Score

5.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The ZTE ZMAX Champ Android device with a build fingerprint of ZTE/Z917VL/fortune:6.0.1/MMB29M/20170327.120922:user/release-keys contains a pre-installed platform app with a package name of com.android.zte.hiddenmenu (versionCode=23, versionName=6.0.1) that contains an exported broadcast receiver app component named com.android.zte.hiddenmenu.CommandReceiver that is accessible to any app co-located on the device. This app component, when it receives a broadcast intent with a certain action string, will write a non-standard (i.e., not defined in Android Open Source Project (AOSP) code) command to the /cache/recovery/command file to be executed in recovery mode. Once the device boots into recovery mode, it will crash, boot into recovery mode, and crash again. This crash loop will keep repeating, which makes the device unusable. There is no way to boot into an alternate mode once the crash loop starts.

El dispositivo Android ZTE ZMAX Champ con una huella digital ZTE/Z917VL/fortune:6.0.1/MMB29M/20170327.120922:user/release-keys contiene una aplicación preinstalada, cuyo paquete se denomina com.android.zte.hiddenmenu (versionCode=23, versionName=6.0.1) con un componente de app de recibidor de transmisiones exportado llamado com.android.zte.hiddenmenu.CommandReceiver que es accesible a cualquier app que también esté en el dispositivo. Este componente de la app, cuando recibe un intent de transmisión con cierta cadena de acción, escribirá un comando no estándar (esto es, no definido en el código AOSP o Android Open Source Project) en el archivo /cache/recovery/command para que sea ejecutado en modo recovery. Una vez el dispositivo arranca en modo recovery, se cerrará inesperadamente, arrancará en modo recovery y se cerrará inesperadamente de nuevo. Este bucle de cierres inesperados seguirá repitiéndose, lo que hace que el dispositivo no pueda ser empleado. No hay forma de arrancar en un modo alternativo una vez comienza este bucle de cierres inesperados.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2018-08-05 CVE Reserved
2018-12-28 CVE Published
2024-01-09 EPSS Updated
2024-08-05 CVE Updated
2024-08-05 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CAPEC

References (3)

URL	Tag	Source
http://www.securityfocus.com/bid/106361	Third Party Advisory
https://www.kryptowire.com/portal/android-firmware-defcon-2018	Third Party Advisory

URL	Date	SRC
https://www.kryptowire.com/portal/wp-content/uploads/2018/12/DEFCON-26-Johnson-and-Stavrou-Vulnerable-Out-of-the-Box-An-Eval-of-Android-Carrier-Devices-WP-Updated.pdf	2024-08-05

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Zteusa Search vendor "Zteusa"	Zte Zmax Champ Firmware Search vendor "Zteusa" for product "Zte Zmax Champ Firmware"	6.0.1 Search vendor "Zteusa" for product "Zte Zmax Champ Firmware" and version "6.0.1"	-	Affected	in	Zteusa Search vendor "Zteusa"	Zte Zmax Champ Search vendor "Zteusa" for product "Zte Zmax Champ"	-	-	Safe