ShowMojo MojoBox Digital Lockbox 1.4 is vulnerable to Authentication Bypass. The implementation of the lock opening mechanism via Bluetooth Low Energy (BLE) is vulnerable to replay attacks. A malicious user is able to intercept BLE requests and replicate them to open the lock at any time. Alternatively, an attacker with physical access to the device on which the Android app is installed can obtain the latest BLE messages via the app logs and use them to open the lock.
References
Link | Resource |
---|---|
https://mandomat.github.io/2023-03-15-testing-mojobox-security/ | Exploit Technical Description Third Party Advisory |
https://packetstormsecurity.com/2307-exploits/mojobox14-replay.txt | Third Party Advisory VDB Entry |
https://www.whid.ninja/blog/mojobox-yet-another-not-so-smartlock | Exploit Technical Description Third Party Advisory |
History
28 Jul 2023, 19:00
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://mandomat.github.io/2023-03-15-testing-mojobox-security/ - Exploit, Technical Description, Third Party Advisory | |
References | (MISC) https://www.whid.ninja/blog/mojobox-yet-another-not-so-smartlock - Exploit, Technical Description, Third Party Advisory | |
References | (MISC) https://packetstormsecurity.com/2307-exploits/mojobox14-replay.txt - Third Party Advisory, VDB Entry | |
CPE | cpe:2.3:h:showmojo:mojobox:-:*:*:*:*:*:*:* cpe:2.3:o:showmojo:mojobox_firmware:1.4:*:*:*:*:*:*:* | |
CVSS | v2 : v3 : | v2 : unknown, v3 : 8.1 |
First Time | Showmojo mojobox; Showmojo mojobox Firmware; Showmojo | |
CWE | CWE-294 |
20 Jul 2023, 20:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-07-20 20:15
Updated : 2024-02-28 20:33
NVD link : CVE-2023-34625
Mitre link : CVE-2023-34625
CVE.ORG link : CVE-2023-34625
Products Affected
showmojo
- mojobox_firmware
- mojobox
CWE
CWE-294
Authentication Bypass by Capture-replay