Volkswagen MIB3 Infotainment Secure Boot Bypass Vulnerability Allowing Arbitrary Code Execution
Vulnerability
A logic flaw has been identified in the bootloader of the Volkswagen MIB3 infotainment system, specifically in units manufactured by Preh Car Connect GmbH. This vulnerability allows an attacker with physical access to the MIB3 ECU to bypass firmware signature verification and execute arbitrary code in the infotainment system during the boot process. The issue arises because the bootloader performs signature verification only after decompression and relies on an unsigned PCCP header that is never validated, which lets an attacker inject malicious data into the firmware.
Impact
Exploitation of this vulnerability can lead to unauthorized code execution in the MIB3 infotainment system, with potential persistence by modifying boot images in SPI memory. This allows for actions such as disabling authentication for UART login, and could be chained with other vulnerabilities to gain root access and control over vehicle functions via the CAN bus.
Reproduction
The vulnerability can be reproduced by crafting an LZ4-compressed boot image that exploits the improper validation of the PCCP header. After decompression, the injected malicious data can overwrite verified images in RAM or be appended to valid signed images, such as the `initrd` filesystem, which is processed during the boot sequence.
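As an added illustration (not the Preh or Volkswagen bootloader code, and not the real PCCP layout, which the advisory does not describe), the Python below models the verification-order flaw on a constructed image format: HMAC-SHA256 stands in for the bootloader's signature check and zlib for LZ4. It contrasts the vulnerable verify-after-decompress order, which accepts unsigned bytes beyond the header-declared length, with a hardened order that verifies the whole compressed image (header included) before decompression and bounds the output.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed toy layout, not the real PCCP format (the advisory does not describe it):
#   header = 4-byte little-endian length of the signed payload (NOT covered by the signature)
#   body   = zlib-compressed payload (zlib stands in for LZ4)
# HMAC-SHA256 with a demo key stands in for the bootloader's asymmetric signature check.
DEMO_KEY = b"constructed-demo-key"

def sign(data: bytes) -> bytes:
    return hmac.new(DEMO_KEY, data, hashlib.sha256).digest()

def make_image(payload: bytes, appended: bytes = b"") -> bytes:
    """Build an image whose header declares len(payload); `appended` models bytes
    that are compressed together with the payload but never signed."""
    return struct.pack("<I", len(payload)) + zlib.compress(payload + appended)

def verify_after_decompress(image: bytes, sig: bytes):
    """Vulnerable order: decompress first, then check the signature only over the
    header-declared prefix. Bytes past that prefix are never checked, yet the whole
    buffer is handed on to the rest of the boot flow."""
    declared = struct.unpack("<I", image[:4])[0]
    out = zlib.decompress(image[4:])
    ok = hmac.compare_digest(sign(out[:declared]), sig)
    return ok, out

def verify_before_decompress(image: bytes, sig: bytes, max_out: int):
    """Hardened order: the signature covers every byte the loader consumes (header
    included) and is checked before decompression; output is bounded so inflated
    data cannot spill over already-verified images in RAM."""
    if not hmac.compare_digest(sign(image), sig):
        return False, b""
    d = zlib.decompressobj()
    out = d.decompress(image[4:], max_out)
    if d.unconsumed_tail or not d.eof:
        return False, b""  # stream truncated or larger than the RAM budget
    if len(out) != struct.unpack("<I", image[:4])[0]:
        return False, b""  # header and actual content disagree
    return True, out

def demo():
    payload = b"signed-kernel-and-initrd-" * 8           # constructed stand-in for a valid image
    legit = make_image(payload)
    tampered = make_image(payload, b"UNSIGNED-TAIL")    # same header, extra unsigned bytes
    weak_ok, weak_out = verify_after_decompress(tampered, sign(payload))
    strong_ok, _ = verify_before_decompress(tampered, sign(legit), 4096)
    return weak_ok, weak_out.endswith(b"UNSIGNED-TAIL"), strong_ok
```

`demo()` returns `(True, True, False)`: the weak check accepts the image and exposes the unsigned tail, while the hardened check rejects it outright.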
