Mercedes-Benz NTG 6 Head Unit User Data Service Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in the Mercedes-Benz NTG 6 head unit, part of the MBUX infotainment system. The issue arises from a type confusion in the user data import/export function, which can be exploited by an attacker with local access to the car's USB interface. By using prepared data, the attacker can cause the User-Data service to fail, leading to an automatic restart of the service.

Impact

Exploitation of this vulnerability crashes the User-Data service, which then restarts automatically. The disruption can nonetheless freeze the system temporarily, requiring a hard reset of the ECU to restore normal functionality.

Reproduction

The vulnerability can be reproduced by emulating the 'DeviceManager' and 'GDVariantCodingService' services, which are responsible for handling USB events and variant coding, respectively. Once these services are emulated, the 'UserData' service can be manipulated to import user profile files from a USB storage device. During this process, the 'UserData' service decodes the profiles, leading to a heap buffer overflow that crashes the service. This can be automated with a script that triggers the import process while the 'UserData' service is being traced, allowing for precise timing of the exploitation.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 6.8
impact: 0.6
exploitability: 4.5
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.