Mercedes-Benz NTG6 Head Unit Arbitrary File Write Vulnerability

Vulnerability

A vulnerability allowing arbitrary file write has been identified in the Mercedes-Benz NTG6 head unit. This issue arises from functions that import or export profile settings via USB. The profile backup, when exported, is processed by a service that inadvertently drops a specified file. Due to insufficient validation, an attacker can manipulate the file path to write arbitrary content, leveraging the service's permissions.

Impact

Exploitation of this vulnerability allows for arbitrary file writing on the head unit, with the potential to execute the written file under the service's permissions.

Reproduction

The vulnerability can be reproduced by exporting a user profile backup to a USB drive. The 'vt_ab.ud2' file, when decoded, is processed by the head unit's text-to-speech service. This file can be manipulated to include a payload that, when the backup is imported, triggers the arbitrary file write by directing the service to drop a file at a specified path.
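
One way to close this class of bug at the import step, shown as an added example that is not taken from the advisory or from the vendor's code: the file name carried in an imported backup is treated as untrusted and may only name a new file directly inside one fixed directory. The function names, the single-directory layout and the 255-byte name limit are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* openat, O_NOFOLLOW, O_DIRECTORY */
#endif
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: accept only a single, plain file-name component. */
static int is_plain_name(const char *name)
{
    size_t n = name ? strlen(name) : 0;
    if (n == 0 || n > 255) return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '/' || c == '\\' || c < 0x20 || c == 0x7f) return 0;
    }
    return 1;
}

/* Hypothetical import step: write `data` to `name` inside `base_dir` only.
 * Returns 0 on success, -1 with errno set on rejection or I/O error. */
int import_write_file(const char *base_dir, const char *name,
                      const void *data, size_t len)
{
    if (!is_plain_name(name)) { errno = EINVAL; return -1; }

    int dfd = open(base_dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dfd < 0) return -1;
    /* O_EXCL: never replace an existing file. O_NOFOLLOW: never write
     * through a symlink planted under the destination name. */
    int fd = openat(dfd, name,
                    O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    int saved = errno;
    close(dfd);
    if (fd < 0) { errno = saved; return -1; }

    const char *p = data;
    while (len > 0) {
        ssize_t w = write(fd, p, len);
        if (w < 0 && errno == EINTR) continue;
        if (w < 0) { saved = errno; close(fd); errno = saved; return -1; }
        p += w;
        len -= (size_t)w;
    }
    return close(fd);
}
```

Resolving the name relative to a directory descriptor with `openat` keeps the write confined even if the process's working directory changes, and running the importing service with the least file-system permissions it needs limits what any remaining write primitive can reach.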

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 6.8
impact: 2.5
exploitability: 4.5
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.