NotCVE-2023-0003 - RSA signature verification bypass via Arbitrary Code Execution in Sansa Connect bootloader
Date: 2023-12-06
Vendor: SanDisk
Attack Vector: Physical
Impact: Confidentiality, Integrity, Availability
CWE:
CVSS 3.1: 6.2
EPSS (30-day Exploit Prob.): 0.08 %
Description
The Sansa Connect bootloader does not validate the length of the RSA signature multiprecision integer (MPI). An attacker can supply an image that, combined with a specific MPI length, leads to arbitrary code execution via an overwritten return address on the stack.
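The missing bound described above, shown as an added example (not the bootloader's code): an MPI reader that checks the image-supplied length against the destination buffer before copying. The encoding (2-byte big-endian bit count followed by the value bytes), the 256-byte buffer and all names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SIG_MAX_BYTES 256u /* assumption: 2048-bit RSA modulus */

enum { MPI_OK = 0, MPI_TRUNCATED = -1, MPI_TOO_LONG = -2, MPI_EMPTY = -3 };

/* Copy one MPI from an untrusted image into a fixed-size buffer.
 * Assumed layout: 2-byte big-endian bit count, then ceil(bits/8) bytes. */
static int mpi_read_checked(const uint8_t *in, size_t in_len,
                            uint8_t out[SIG_MAX_BYTES], size_t *out_len)
{
    if (in_len < 2)
        return MPI_TRUNCATED;
    size_t bits = ((size_t)in[0] << 8) | in[1];
    size_t bytes = (bits + 7) / 8;
    if (bytes == 0)
        return MPI_EMPTY;
    /* The declared length comes from the image, so bound it by the
     * destination size before any copy. */
    if (bytes > SIG_MAX_BYTES)
        return MPI_TOO_LONG;
    /* Also bound it by the bytes actually present in the image. */
    if (bytes > in_len - 2)
        return MPI_TRUNCATED;
    memcpy(out, in + 2, bytes);
    *out_len = bytes;
    return MPI_OK;
}

/* Constructed input: a header declaring `bits`, then `avail` filler bytes.
 * Returns the copied length on success, otherwise the negative status. */
static int mpi_try(unsigned bits, size_t avail)
{
    static uint8_t img[2 + 8192];
    uint8_t sig[SIG_MAX_BYTES]; /* fixed-size stack buffer, as in a verifier */
    size_t n = 0;
    if (avail > 8192)
        avail = 8192;
    img[0] = (uint8_t)(bits >> 8);
    img[1] = (uint8_t)bits;
    memset(img + 2, 0xA5, avail);
    int rc = mpi_read_checked(img, 2 + avail, sig, &n);
    return rc == MPI_OK ? (int)n : rc;
}

int main(void)
{
    printf("2048 bits: %d, 65535 bits: %d\n", mpi_try(2048, 256), mpi_try(0xFFFF, 8192));
    return 0;
}
```

Rejecting the image at this point means signature verification fails closed instead of writing past the buffer.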
Vendor: SanDisk
Product: Sansa Connect
Version: Bootloader 24655
Package Name: -
Discoverer(s)/Credits
Tomasz Moń
Common Attack Pattern Enumeration and Classification (CAPEC)
CAPEC-100: Overflow Buffers
References

Exploitability Metrics

Attack Vector: Physical
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Impact Metrics

Confidentiality Impact: Low
Integrity Impact: High
Availability Impact: High