CVE-2018-16618

{"id": "CVE-2018-16618", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 10.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2019-06-19T18:15:10.853", "references": [{"url": "https://www.surecloud.com/sc-blog/vtech", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.vtech.com/en/our-businesses/product-support/", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "VTech Storio Max before 56.D3JM6 allows remote command execution via shell metacharacters in an Android activity name. It exposes the storeintenttranslate.x service on port 1668 listening for requests on localhost. Requests submitted to this service are checked for a string of random characters followed by the name of an Android activity to start. Activities are started by inserting their name into a string that is executed in a shell command. By inserting metacharacters this can be exploited to run arbitrary commands as root. The requests also match those of the HTTP protocol and can be triggered on any web page rendered on the device by requesting resources stored at an http://127.0.0.1:1668/ URI, as demonstrated by the http://127.0.0.1:1668/dacdb70556479813fab2d92896596eef?';{ping,example.org}' URL."}, {"lang": "es", "value": "VTech Storio Max antes de 56.D3JM6 permite la ejecuci\u00f3n remota de comandos a trav\u00e9s de metacaracteres de shell en un nombre de actividad de Android. Expone el servicio storeintenttranslate.x en el puerto 1668 que escucha las solicitudes en localhost. Las solicitudes enviadas a este servicio se verifican para una serie de caracteres aleatorios seguidos por el nombre de una actividad de Android para comenzar. Las actividades se inician insertando su nombre en una cadena que se ejecuta en un comando de shell. Al insertar metacaracteres, esto puede ser explotado para ejecutar comandos arbitrarios como root. Las solicitudes tambi\u00e9n coinciden con las del protocolo HTTP y pueden activarse en cualquier p\u00e1gina web representada en el dispositivo solicitando recursos almacenados en una URI http://127.0.0.1:1668/, como lo demuestra la http://127.0.0.1 : 1668 / dacdb70556479813fab2d92896596eef? '; {Ping, example.org}' URL"}], "lastModified": "2020-08-24T17:37:01.140", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:vtech:storio_max_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "28FC9573-A2E3-4543-9156-8B6242059FDA", "versionEndExcluding": "56.d3jm6"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:vtech:80-183803:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "043A6115-1C5F-43A8-B93D-19483A3199A7"}, {"criteria": "cpe:2.3:h:vtech:80-183804:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "03405DE1-B859-4261-BD75-E3387583E814"}, {"criteria": "cpe:2.3:h:vtech:80-183805:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "920C0E4F-D0CC-42CC-AC41-652080E8837C"}, {"criteria": "cpe:2.3:h:vtech:80-183807:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "F6A0D5C0-34B9-4621-BBC9-49E40CF772BE"}, {"criteria": "cpe:2.3:h:vtech:80-183822:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "6795FA5E-0304-413C-ABD0-3629A81B695D"}, {"criteria": "cpe:2.3:h:vtech:80-183823:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "74036CF5-80E2-46E5-9082-AD6126A47CAD"}, {"criteria": "cpe:2.3:h:vtech:80-183824:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "B96E2A61-E954-4572-B5A1-C4D68DDC9D71"}, {"criteria": "cpe:2.3:h:vtech:80-1838xx:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "099E1B36-3767-4982-B894-4A6055147235"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}