Volkswagen Group MIB3 Infotainment Bluetooth Stack Vulnerability Allowing Remote Code Execution
Vulnerability
A vulnerability has been identified in the Bluetooth stack of the Volkswagen Group MIB3 infotainment system, specifically in units manufactured by Preh Car Connect GmbH. The issue arises from a disabled abortion flag: because failed assertions do not abort execution, the assertion functions can be bypassed. Chained with other vulnerabilities, this allows remote code execution. It was originally discovered in a Skoda Superb III with the MIB3 infotainment unit OEM part number 3V0035820, and it affects various Volkswagen models carrying different OEM part numbers.
Impact
Exploitation of this vulnerability, in conjunction with others, allows for persistent malicious payload infection on the MIB3 infotainment system via a one-time Bluetooth attack. Once infected, an attacker can remotely control infotainment functions over the Internet, accessing features such as vehicle controls, real-time tracking of speed and location, eavesdropping on conversations via the in-car microphone, and exfiltrating the phone contact database.
Reproduction
The vulnerability can be reproduced by pairing a device with the affected MIB3 infotainment system via Bluetooth. After the connection is established, an attacker can send a malicious vCard containing a specially crafted JPEG image, which triggers the heap buffer overflow (CVE-2023-28905) during contact synchronization. The resulting initial code execution can then be leveraged against the disabled abortion flag vulnerability (CVE-2023-28910), allowing the attacker to bypass assertion checks and execute arbitrary code on the infotainment system.
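To make the "disabled abortion flag" point concrete from a defender's side, here is an added illustration (hypothetical code, not the Preh or Volkswagen implementation) of why a length check that lives only inside an assertion whose abort can be switched off is not a security boundary, beside a hardened version whose bounds check is an ordinary error path independent of assertion policy. The global `g_assert_abort`, the `CHECK` macro and both copy routines are constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 16

/* Hypothetical stand-in for a configurable "abort on failed assertion"
 * flag of the kind the advisory describes as disabled. */
static bool g_assert_abort = true;

/* Assert-style check: always logs, but only halts when the flag is set.
 * With the flag cleared, execution simply falls through the failed check. */
#define CHECK(cond)                                                   \
    do {                                                              \
        if (!(cond)) {                                                \
            fprintf(stderr, "assertion failed: %s\n", #cond);         \
            if (g_assert_abort) abort();                              \
        }                                                             \
    } while (0)

/* Weak pattern: the only barrier before the copy is the assertion.
 * Returns 1 when the copy path is reached, i.e. when the check did not
 * stop execution. The memcpy is clamped here solely to keep this demo
 * memory-safe; in real code the oversized copy would overflow buf. */
int weak_copy(const unsigned char *src, size_t len) {
    unsigned char buf[BUF_SIZE];
    CHECK(len <= sizeof buf);
    memcpy(buf, src, len > sizeof buf ? sizeof buf : len);
    return 1;
}

/* Hardened pattern: the bounds check is a normal error return, so its
 * behaviour does not depend on how assertions are configured. */
int hardened_copy(const unsigned char *src, size_t len) {
    unsigned char buf[BUF_SIZE];
    if (len > sizeof buf) return 0;   /* refuse oversized input */
    memcpy(buf, src, len);
    return 1;
}

int main(void) {
    unsigned char big[32] = {0};      /* constructed oversized input */
    g_assert_abort = false;           /* mirror the disabled flag */
    printf("weak_copy reached copy: %d\n", weak_copy(big, sizeof big));
    printf("hardened_copy accepted: %d\n", hardened_copy(big, sizeof big));
    return 0;
}
```

The weak routine reports 1 with the flag disabled, showing the failed check was logged and then ignored, while the hardened routine refuses the same input regardless of the flag.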