Volkswagen Group MIB3 Infotainment Command Injection Vulnerability Allowing Privilege Escalation

A command injection vulnerability has been identified in the networking service of the Volkswagen Group MIB3 infotainment system, specifically in units manufactured by Preh Car Connect GmbH. This vulnerability allows an attacker with existing access to the system to escalate privileges and gain administrative rights. The issue was discovered in a Skoda Superb III vehicle equipped with the MIB3 infotainment unit, OEM part number 3V0035820, and software version 0304. The vulnerability is present in several other MIB3 OEM part numbers, affecting a wide range of Volkswagen Group vehicles. Exploitation of this vulnerability could lead to unauthorized access and control over the vehicle's systems.

Impact

Successful exploitation of this vulnerability allows for privilege escalation to the 'networking' service, which has the capability to load custom kernel modules, potentially leading to unrestricted root access on the device.

Reproduction

The vulnerability can be reproduced by initializing the custom Inter-Process Communication (IPC) mechanism used for remote procedure calls between services on the MIB3 infotainment system. Once this mechanism is active, the vulnerable remote procedure in the 'networking' service can be called, injecting commands that are executed with elevated privileges.