Volkswagen MIB3 Infotainment Bluetooth Stack Integer Overflow Vulnerability
Vulnerability
An integer overflow vulnerability has been identified in the Bluetooth stack of the Volkswagen MIB3 infotainment system, specifically in the 'tsd.bt.phone.mib3' binary, which manages Bluetooth communications. This vulnerability arises from improper validation of user-supplied data when receiving non-fragmented Host Controller Interface (HCI) packets, allowing an attacker to overflow a variable that tracks the total received size of packets. The issue was discovered in a Skoda Superb III vehicle with the MIB3 infotainment unit OEM part number 3V0035820, and is believed to affect several other MIB3 units across various Volkswagen Group models.
Impact
Exploitation of this vulnerability leads to an integer overflow in the Bluetooth stack, allowing an attacker to bypass the channel's MTU validation. This can be chained with other vulnerabilities to achieve code execution on the infotainment system via Bluetooth, with the executed code running as a low-privileged user.
Reproduction
The vulnerability can be reproduced by pairing a device with the affected MIB3 infotainment system via Bluetooth. Once paired, the attacker can send non-fragmented HCI packets that overflow the 'pLink->rxLen' variable, which tracks the total received size of the packet data. This overflow can be used to bypass the channel's MTU validation, enabling further exploitation.
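The flaw described above, an accumulated-size counter that wraps before it is compared against the channel MTU, can be illustrated in a few lines. The following is an added example, not code from the MIB3 binary: the struct, the 16-bit width of the counter and the function names are assumptions chosen to show the flawed check-after-add pattern beside an overflow-safe version.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical per-channel reassembly state, modelled on the advisory's
 * description: rxLen accumulates bytes received on the link and is checked
 * against the negotiated MTU. Field names and widths are assumptions. */
typedef struct {
    uint16_t mtu;    /* negotiated channel MTU */
    uint16_t rxLen;  /* running total of received payload bytes */
} link_t;

/* Flawed pattern: add first, validate afterwards. If rxLen + chunk exceeds
 * 65535 the accumulator wraps, and the wrapped (small) value passes the
 * MTU comparison even though far more than mtu bytes were accepted. */
bool accept_chunk_unchecked(link_t *l, uint16_t chunk) {
    l->rxLen = (uint16_t)(l->rxLen + chunk);   /* wraps modulo 65536 */
    return l->rxLen <= l->mtu;                 /* wrapped value looks valid */
}

/* Hardened pattern: decide whether the addition is allowed before doing it.
 * "rxLen > mtu - chunk" is rearranged from "rxLen + chunk > mtu" so that
 * no intermediate result can overflow. */
bool accept_chunk_checked(link_t *l, uint16_t chunk) {
    if (chunk > l->mtu || l->rxLen > (uint16_t)(l->mtu - chunk))
        return false;                          /* would exceed MTU or wrap */
    l->rxLen = (uint16_t)(l->rxLen + chunk);
    return true;
}

/* Convenience wrappers that run one chunk against a fresh link state. */
bool unchecked_accepts(uint16_t mtu, uint16_t rxLen, uint16_t chunk) {
    link_t l = { mtu, rxLen };
    return accept_chunk_unchecked(&l, chunk);
}

bool checked_accepts(uint16_t mtu, uint16_t rxLen, uint16_t chunk) {
    link_t l = { mtu, rxLen };
    return accept_chunk_checked(&l, chunk);
}

int main(void) {
    /* Constructed values: 600 bytes already received on a 672-byte MTU,
     * then a 65000-byte chunk. The wrapped total is 64, so the unchecked
     * version accepts it while the checked version rejects it. */
    printf("unchecked: %d  checked: %d\n",
           unchecked_accepts(672, 600, 65000), checked_accepts(672, 600, 65000));
    return 0;
}
```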