UNISOC BootROM Buffer Overflow Vulnerability in FDL1 Recovery Mode

Vulnerability

A buffer overflow vulnerability has been identified in the FDL1 component of the UNISOC BootROM recovery mode. This issue arises from a missing payload size check in the USB data transfer function, allowing a host to send excessively large payloads. The vulnerability can be exploited to execute arbitrary code within the FDL1 context, potentially leading to unauthorized access or manipulation of the device's boot process. The affected chipsets include UNISOC Tiger T618 and T700, with the vulnerability present in several devices, such as the Teclast T40 Plus, Teclast T40 5G, and Motorola Moto E40.

Impact

Exploitation of this vulnerability allows for a memory buffer overflow, with the potential for arbitrary code execution within the context of the FDL1 recovery mode bootloader.

Reproduction

The vulnerability can be reproduced by sending a large payload over the USB interface to the FDL1 component while the device is in recovery mode. This can be done by initiating recovery mode on a UNISOC device, such as the Motorola Moto E40, and then using a custom tool or script to transfer data larger than the receive buffer. The FDL1 bootloader will execute the received data, leading to code execution.
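The missing size check described above, modelled as an added illustration (this is not UNISOC's FDL1 code; the 64-byte buffer, the header layout and the adjacent state field are assumptions). The unchecked receive path copies whatever length the host declares, corrupting the bootloader state that follows the buffer; the hardened path rejects the transfer before anything is written:

```c
#include <stdint.h>
#include <string.h>
#define RX_BUF_SIZE    64            /* fixed-size receive buffer (assumed size) */
#define NEXT_FIELD_OFF RX_BUF_SIZE   /* bootloader state stored right after the buffer */
#define RAM_SIZE       128           /* modelled FDL1 RAM region */

/* Constructed USB transfer header: the length comes from the host and is untrusted. */
struct usb_hdr { uint32_t payload_len; };

/* Vulnerable pattern (CWE-120): the declared length is never compared with the buffer. */
void fdl_recv_unchecked(uint8_t *ram, const struct usb_hdr *h, const uint8_t *payload) {
    memcpy(ram, payload, h->payload_len);   /* writes past RX_BUF_SIZE when the host says so */
}

/* Hardened: refuse any transfer whose declared length exceeds the buffer. */
int fdl_recv_checked(uint8_t *ram, const struct usb_hdr *h, const uint8_t *payload) {
    if (h->payload_len > RX_BUF_SIZE)
        return -1;                          /* oversized transfer dropped, nothing written */
    memcpy(ram, payload, h->payload_len);
    return (int)h->payload_len;
}

/* Read the field adjacent to the buffer to see whether a transfer corrupted it. */
uint32_t fdl_next_field(const uint8_t *ram) {
    uint32_t v;
    memcpy(&v, ram + NEXT_FIELD_OFF, sizeof v);
    return v;
}

/* Push one transfer of payload_len 0x41 bytes through either path. Returns the receive
 * status; *field_after gets the adjacent field afterwards (0x12345678 means intact). */
int run_transfer(int checked, uint32_t payload_len, uint32_t *field_after) {
    uint8_t ram[RAM_SIZE], payload[RAM_SIZE];
    uint32_t sentinel = 0x12345678u;
    struct usb_hdr h = { payload_len };
    int rc;
    if (payload_len > sizeof payload)       /* keep the model itself in bounds */
        return -2;
    memset(ram, 0, sizeof ram);
    memcpy(ram + NEXT_FIELD_OFF, &sentinel, sizeof sentinel);
    memset(payload, 0x41, sizeof payload);  /* constructed payload content */
    if (checked) rc = fdl_recv_checked(ram, &h, payload);
    else { fdl_recv_unchecked(ram, &h, payload); rc = (int)payload_len; }
    *field_after = fdl_next_field(ram);
    return rc;
}
```

Sending an 80-byte transfer through the unchecked path overwrites the adjacent field with 0x41414141; the checked path returns -1 and leaves it at its sentinel value.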

Added: Sep 1, 2025, 8:23 AM
Updated: Sep 1, 2025, 8:23 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 4.3
remediation: 0.0
relevance: 0.4
threat: 4.8
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.