Volkswagen MIB3 Infotainment Heap Buffer Overflow Vulnerability Allowing Arbitrary Code Execution

Vulnerability

A heap buffer overflow vulnerability has been identified in the image processing component of the MIB3 infotainment system, specifically in certain Skoda and Volkswagen vehicles. This vulnerability allows an attacker to execute arbitrary code on the affected system. The issue arises when the infotainment unit processes contact photos from a paired smartphone via Bluetooth. The vulnerability was discovered in a Skoda Superb III model equipped with the MIB3 infotainment system, and it has been verified on other Volkswagen vehicles with the same infotainment model.

Impact

Exploitation of this vulnerability leads to arbitrary code execution on the MIB3 infotainment system, with the executed code running as the unprivileged 'phone' user. This allows for manipulation of the system's memory and execution of unauthorized commands, potentially including escalation of privileges to gain root access.

Reproduction

The vulnerability can be reproduced by pairing a device with the MIB3 infotainment system via Bluetooth. Once paired, the device can be used to send a malicious vCard containing a crafted JPEG image, which exploits the heap buffer overflow during the contact synchronization process. This can be done using a Raspberry Pi emulating the Phone Book Access Profile (PBAP) and Hands-Free Profile (HFP).

Added: Jun 28, 2025, 4:51 PM
Updated: Jun 28, 2025, 4:51 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 5.6
remediation: 0.0
relevance: 0.2
threat: 4.8
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.