Mercedes-Benz NTG6 Head Unit USB Profile Import Vulnerability Leading to Denial-of-Service

Vulnerability

A vulnerability exists in the Mercedes-Benz NTG6 head unit, specifically within the MBUX infotainment system, allowing for a denial-of-service condition. This issue arises when the head unit's 'UserData' service processes imported profile files from a USB device. The service decodes the files using a proprietary algorithm, but a flaw in the decoding process for certain binary files can cause a heap buffer overflow. This vulnerability was identified during research by Kaspersky and is triggered by the 'UserData' service when it imports profile data from USB storage, particularly files with the '.ud2' extension, which are processed by the head unit's voice recognition system.

Impact

Exploitation of this vulnerability causes the 'UserData' service to crash, freezing the system until the ECU is manually reset.

Reproduction

The vulnerability can be reproduced by exporting a user profile backup from the head unit to a USB drive, then importing the backup while the 'UserData' service is active. The imported files, especially those with the '.ud2' extension, will trigger the vulnerability by causing a heap buffer overflow, leading to a crash of the 'UserData' service.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 6.8
impact: 2.5
exploitability: 4.5
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.