Volkswagen MIB3 Infotainment Bluetooth Stack Integer Overflow Vulnerability Allowing Remote Code Execution
Vulnerability
An integer overflow vulnerability has been identified in the Bluetooth stack of the Volkswagen MIB3 infotainment unit, specifically in the 'MIB3 OI MQB' model by Preh Car Connect GmbH. The vulnerability arises from inadequate validation of user-supplied data: when fragmented HCI packets are received on a channel with fragmentation enabled, the running length counter overflows. An attacker can exploit this to bypass the channel's MTU check, causing a buffer overflow in upper-layer profiles and potentially allowing remote code execution. The vulnerability was discovered in a Skoda Superb III car with the MIB3 unit OEM part number 3V0035820, and is believed to affect several other MIB3 units across various Volkswagen Group models.
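The following C model is an added illustration of the bug class described above and is not code from the MIB3 stack, Preh Car Connect or Volkswagen. Only the field name rxLen comes from the advisory; the link structure, the 1024-byte reassembly buffer, the MTU of 1024 and the fragment sizes are assumptions constructed for the example. The unsafe reassembler keeps its running total in 16 bits and applies the MTU check to the already-wrapped value, so a second fragment whose header claims 64600 bytes wraps the total to 64 and passes the check even though the copy would run far past the buffer; the hardened variant widens the sum before comparing and keeps the invariant rxLen <= mtu <= buffer size. The unsafe variant performs a dry run instead of the real memcpy so that the demonstration itself never corrupts memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical per-channel reassembly state. rxLen is the advisory's name for
 * the running length counter; the rest of the layout is an assumption. */
#define RX_BUF_SIZE 1024u

typedef struct {
    uint16_t mtu;               /* negotiated channel MTU, assumed <= RX_BUF_SIZE */
    uint16_t rxLen;             /* bytes accepted so far for the PDU in progress */
    uint8_t  rxBuf[RX_BUF_SIZE];
} link_t;

/* Result of offering one HCI ACL fragment to the reassembler. write_end is the
 * offset one past the last byte the memcpy into rxBuf would touch; anything
 * above RX_BUF_SIZE means the copy would overrun the buffer. */
typedef struct {
    bool   accepted;
    size_t write_end;
} frag_result_t;

/* Constructed payload used as fragment data; contents are irrelevant. */
static const uint8_t sample_payload[RX_BUF_SIZE] = { 0 };

static void link_init(link_t *l, uint16_t mtu)
{
    memset(l, 0, sizeof *l);
    l->mtu = mtu;
}

/* Vulnerable pattern: 16-bit total, MTU check applied after the wrap.
 * fragLen is attacker-controlled (it comes from the packet header).
 * The copy is only simulated; we report where it would have ended. */
static frag_result_t accept_fragment_unsafe(link_t *l, const uint8_t *data, uint16_t fragLen)
{
    frag_result_t r = { false, 0 };
    (void)data;
    uint16_t newLen = (uint16_t)(l->rxLen + fragLen);   /* wraps modulo 65536 */
    if (newLen > l->mtu)
        return r;                                       /* check sees the wrapped value */
    r.accepted  = true;
    r.write_end = (size_t)l->rxLen + fragLen;           /* true extent of the memcpy */
    l->rxLen    = newLen;
    return r;
}

/* Hardened pattern: widen before adding so the comparison sees the true total,
 * and bound by the buffer as well as the MTU so the invariant rxLen <= mtu
 * <= RX_BUF_SIZE always holds and the memcpy cannot overrun. */
static frag_result_t accept_fragment_safe(link_t *l, const uint8_t *data, uint16_t fragLen)
{
    frag_result_t r = { false, 0 };
    uint32_t total = (uint32_t)l->rxLen + fragLen;      /* cannot wrap in 32 bits */
    if (total > l->mtu || total > RX_BUF_SIZE)
        return r;
    memcpy(l->rxBuf + l->rxLen, data, fragLen);
    l->rxLen    = (uint16_t)total;
    r.accepted  = true;
    r.write_end = total;
    return r;
}

int main(void)
{
    link_t l;

    /* Two fragments: 1000 bytes, then a header claiming 64600 bytes. */
    link_init(&l, 1024);
    accept_fragment_unsafe(&l, sample_payload, 1000);
    frag_result_t u = accept_fragment_unsafe(&l, sample_payload, 64600);
    printf("unsafe: accepted=%d rxLen=%u copy would end at %zu (buffer is %u)\n",
           u.accepted, l.rxLen, u.write_end, RX_BUF_SIZE);

    link_init(&l, 1024);
    accept_fragment_safe(&l, sample_payload, 1000);
    frag_result_t s = accept_fragment_safe(&l, sample_payload, 64600);
    printf("safe:   accepted=%d rxLen=%u\n", s.accepted, l.rxLen);
    return 0;
}
```

Running the program shows the unsafe path accepting the second fragment with rxLen reset to 64 while the copy would extend to offset 65600 of a 1024-byte buffer; the safe path rejects it and leaves rxLen at 1000. The general lesson is that any length check on a narrow accumulator must be done in a wider type (or as `fragLen > mtu - rxLen` with the invariant rxLen <= mtu proven) before the addition is committed.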
Impact
Exploitation of this vulnerability can be chained with others to achieve persistent infection of the MIB3 infotainment system with a malicious payload via a one-time Bluetooth attack. Such an infection allows remote control of in-vehicle infotainment (IVI) functions over the Internet, including access to vehicle controls, real-time tracking of speed and location, eavesdropping on in-car conversations, and exfiltration of the phone contact database.
Reproduction
The vulnerability can be reproduced by pairing a device with the affected MIB3 infotainment unit via Bluetooth. Once paired, an attacker can send fragmented HCI ACL packets that overflow the 'pLink->rxLen' variable, bypassing the channel's MTU validation. This was done using a Raspberry Pi with the nOBEX tool, emulating the Phone Book Access Profile (PBAP) and sending a malicious vCard with a crafted JPEG image to trigger the overflow.
