CVE-2024-36842 PoC — Allwinner TS17 Android Infotainment System 安全漏洞

Source

https://github.com/abbiy/CVE-2024-36842-Backdooring-Oncord-Android-Sterio-

Associated Vulnerability

Title:Allwinner TS17 Android Infotainment System 安全漏洞 (CVE-2024-36842)
Description:Allwinner TS17 Android Infotainment System是中国全志（Allwinner）公司的一个车载娱乐信息系统。 Allwinner TS17 Android Infotainment System存在安全漏洞，该漏洞源于ADB端口组件未正确验证输入，可能导致远程执行任意代码。

Description

CVE-2024-36842, Creating Persistent Backdoor on Oncord+ android/ios car infotaiment using malicious script!

Readme

**# CVE-2024-36842 Backdooring-Oncord+ Android-Sterio**
We have conducted vulnerablity assessment on one of the most selling after marrket car infotainment unit.
Creating Persistent Backdoor on Oncord+ android/ios car infotaiment unit using malicious script!

About Device:
**Android version : 12

Kernel Version : 4.9.170

Model : TS17/Powered by Allwinner

Serial number : 0x03125dBa
**

![shared image(2)](https://github.com/abbiy/Backdooring-Oncord-Android-Sterio-/assets/19267773/edc00056-2786-49a7-8481-1c2512be0156)

![shared image(6)](https://github.com/abbiy/Backdooring-Oncord-Android-Sterio-/assets/19267773/bde5d881-242b-405e-9a7b-3dae32cafd6f)

![shared image(5)](https://github.com/abbiy/Backdooring-Oncord-Android-Sterio-/assets/19267773/79d3a5b3-c5aa-4e54-a8a6-88f64b34f560)

![shared image(3)](https://github.com/abbiy/Backdooring-Oncord-Android-Sterio-/assets/19267773/db69a10f-0e96-4103-8148-97a59de2550a)

![oncord](https://github.com/abbiy/Backdooring-Oncord-Android-Sterio-/assets/19267773/9534231e-3f09-4ce2-86ab-d8cdb72aa88a)

Android sterio unit by Oncord+ provides excellent performance and maintenance system based on cutting-edge technology. It is most available after market android unit fro cars in India and other countries. 

![images](https://github.com/abbiy/Backdooring-Oncord-Android-Sterio-/assets/19267773/2ae45535-3819-4602-8fc4-cec3a07fe206)

![IMG20240311112328](https://github.com/abbiy/Backdooring-Oncord-Android-Sterio-/assets/19267773/7ce996ac-7cb4-4b84-92e7-cae389960646)

**
_Vulnerability ID	Vulnerability	Severity	CVSS Score

NW-VUL-01	Gaining Root access of the Infotainment Unit by exploiting ADB port	HIGH -	8.4

HW-VUL-02	Gaining Root access through UART Port – Improper Access Control	MEDIUM - 6.4_
**

About Us: 

This research was conducted by **Sanyam Agarwal**  [![Linkedin](https://i.stack.imgur.com/gVE0j.png) LinkedIn](https://www.linkedin.com/in/sanyam-a-2b2b5510/)
&nbsp; & **Abhay Vishnoi** [![Linkedin](https://i.stack.imgur.com/gVE0j.png) LinkedIn](https://www.linkedin.com/in/abhay-vishnoi3)
&nbsp;from **FEV Secure Labs**

File Snapshot


 [4.0K]  /data/pocs/4028e58f1dea58297cda04a46b28256281cd42d8
├── [ 34K]  LICENSE
├── [2.0K]  README.md
└── [1.5M]  Vulenrbaility Assessment_PEN test report_oncord+Infotainment 1.pdf

0 directories, 3 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!