Mercedes-Benz NTG6 Head Unit Ethernet Access Vulnerability Allowing Internal Network Spoofing

A vulnerability exists in the Mercedes-Benz NTG6 head unit, specifically in the MBUX infotainment system. The issue arises from Ethernet pins on the Base Board, which can be accessed to connect to the internal network of the head unit. This connection allows an attacker to spoof 'UserData' with a chosen file path and retrieve it via a backup on USB. The vulnerability exploits a race condition, enabling unauthorized access to internal network services through the Country Specific Board.

Impact

Exploitation of this vulnerability could lead to unauthorized access to internal network services of the head unit, allowing for data manipulation and potential disruption of normal functions.

Reproduction

The vulnerability can be reproduced by physically accessing the Ethernet pins on the NTG6 head unit's Base Board. Once connected to the internal network, the 'UserData' service can be spoofed with a desired file path. After the spoofed data is processed, it can be accessed through a backup exported to a USB drive.