A research discovered two zero-day vulnerabilities residing in the official BMW web domain and ConnectedDrive portal that allow remote hack.
According to the security researcher, Benjamin Kunz Mejri from Vulnerability Labs,there are two main bugs both connected to the BMW online service web app for ConnectedDrive.
ConnectedDrive is the name of BMW’s in-car infotainment system.The system can be used as it is, in the car, or via a series of connected mobile apps that allow the driver to manage vehicle settings through their mobile devices. This service also has a equivalent for the Web,in addition to the mobile apps.
Two zero-day vulnerabilities residing in the official BMW web domain and ConnectedDrive portal that remain unpatched and allow remote hack.
Let’s understand vulnerabilities :
The first vulnerability found in the BMW ConnectedDrive online service web-application is a VIN (Vehicle Identification Number) session vulnerability. The VIN is the identification code assigned to each vehicle while accessing the service. The bug is found within the session management of VIN usage, and remote attackers can bypass the secure validation procedures of the VIN remotely using a live session. In this way, they can manipulate registered and valid VIN numbers and configuration settings through the ConnectedDrive portal.
“The vulnerability is located in the session management of the VIN adding procedure. Remote attackers are able to bypass the secure validation approval of the VIN when processing to create it. Basically the validation does not allow to add a non existing number to the interface configuration to prevent different type of errors or issues. In case of the adding procedure the request approve via action – add the context.” states the security advisory from the vulnerability-lab.
“Remote attackers are able to change with a live session tamper the action information to create or update. Thus allows an attacker to bypass the invalid VIN exception to add a new configuration finally. Thus interaction results in the takeover of other vehicle identification numbers to view or manipulate the configuration.”
PoC to follow step by step:
- Open the web-application of bmw connecteddrive (https://www.bmw-connecteddrive.co.uk/cdp/) and login
- Surf to the My Settings module of the service
- Start the session tamper and include a new random VIN
- Save the requesst and manipulate in the session tamper the add value to create
- Continue to process the GET request after it
- Now, the module opens and the restriction with the vehicle Identification Number approval is bypassed
- Now you can add your own VIN to the interface to create another car with the same VIN
- Successful reproduce of the web-application vulnerability that affects the bmw car connecteddrive!
The second vulnerability discovered by the researchers is a client-side cross-site scripting (XSS) vulnerability that resides in the official BMW online service web-application. The flaw could allow a remote attacker to inject malicious script codes to the client-side of the affected module context, potentially leading to session hijacking, phishing campaigns, or diverting users to malicious domains.
“A client-side cross site scripting web vulnerability has been discovered in the official BMW online service web-application. The vulnerability allows remote attacker to inject own malicious script codes to the client-side of the affected module context,” states the official advisory.
“The vulnerability is located in the `t` value (token) of the `passwordResetOk.html` web-application file. Remote attackers are able to inject own client-side script codes to the `passwordResetOk.html` file. The request method to inject is GET and the vulnerability is located on the client-side of the affected BMW web-service. The attacker injects the payload after the secure token to execute the context in the passwordResetOk.html file. The vulnerability is a classic client-side cross site scripting web vulnerability.”
The security flaws have been reported to BMW in February, unfortunately. BMW responded to the reports in April. Since, BMW failed to answer Mejri’s bug reports in time and there is no evidence that these issues have been patched, the researcher went public with his findings on July 7
image source : [hackbusters]