Mercedes-Benz NTG 6 Head Unit Integer Overflow Vulnerability in User Data Import/Export Function

An integer overflow vulnerability has been identified in the user data import/export function of Mercedes-Benz NTG 6 head units. This vulnerability requires local access to the vehicle's USB interface. An attacker can exploit this issue by sending prepared data, causing the User-Data service to fail. Although the service instance will automatically restart, the failure can disrupt normal functionality.

Impact

Exploitation of this vulnerability leads to a failure of the User-Data service, causing a disruption that requires a manual reset of the head unit's electronic control unit (ECU) to restore normal operation.

Reproduction

The vulnerability can be reproduced by connecting to a Mercedes-Benz NTG 6 head unit via the USB interface. Once connected, the 'UserData' service can be traced to monitor its activity. Afterward, the 'UserDataExchangeService' can be used to import user profile files from a USB storage device. During this process, the 'vt_ab.ud2' file, which is processed by the head unit's text-to-speech service, can be manipulated to trigger the vulnerability. The 'UserData' service will crash, causing the head unit to freeze and require a hard reset.