Mercedes-Benz NTG6 Head Unit Integer Overflow Vulnerability in Boost Library

A vulnerability has been identified in the Mercedes-Benz NTG6 head unit, specifically within the user profile import and export functions that utilize the Boost library for serialization. The Boost library version in use is susceptible to an integer overflow vulnerability, which can be exploited during the processing of serialized data.

Impact

Exploitation of this vulnerability leads to a heap buffer overflow, causing the 'UserData' service to crash and freeze the system, requiring a hard reset of the Electronic Control Unit (ECU) to restore functionality.

Reproduction

The vulnerability can be reproduced by exporting user profile data to a USB drive, which includes files that, when decoded, exploit the integer overflow vulnerability in the Boost library. This can be done by using the 'UserData' service to initiate a backup export, which creates a profile backup folder containing the necessary files. Once the files are exported, they can be manipulated to trigger the vulnerability during the import process.