Date: Tue, 26 Nov 2019 23:30:45 +0800 (CST)
From: "Bug Reporter" <>
To: fulldisclosure <>, 
 bugtraq <>
Subject: [FD] Vulnerability in MiBox3


I would like to report a security vulnerability in Xiaomi Mi Box (model: MIBOX3, : MHC19). 

The vulnerability allows rescaling and corrupting the display without any privilege requirement, thus creating an opportunity for a non-privileged malicious app to disable the basic functionalities that the TV box is offering, or it can even be used for ransomware purposes - e.g., each time a target streaming app is launched, the malicious app can corrupt the display.

This vulnerability is due to the following:

Xiaomi introduces a (non-protected) custom API in the SystemControl system service, “setPosition”, which takes 4 integers as arguments. Once invoked with maliciously set parameters, the system display will be affected; e.g., (500, 500, 1000, 1000) for rescaling the display and (1000, 1000, 1000, 1000) for corrupting the display. Note that the display corruption will be persistent across reboots, making it very difficult to fix without a hard reset.

We can exploit this API as follows:

Class ServiceManager = Class.forName("android.os.ServiceManager");
Method getService = ServiceManager.getMethod("getService", String.class);
mRemote = (IBinder) getService.invoke(null,"system_control");
Parcel localParcel1 = Parcel.obtain();
Parcel localParcel2 = Parcel.obtain();

mRemote.transact(16, localParcel1, localParcel2, 0);  // 16 corresponds to the API setPosition



Sent through the Full Disclosure mailing list
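
Added example, not part of the original report and not Xiaomi's code: the two service-side checks whose absence the report describes, caller authorization and argument validation, applied to a setPosition-style call. The permission name, the (x, y, width, height) reading of the four integers, the 1920x1080 panel and the 80% coverage floor are assumptions.

```java
import java.util.Arrays;
import java.util.Set;

public class SetPositionGuard {
    // AID_SYSTEM on Android; the only UID accepted here without the permission.
    static final int SYSTEM_UID = 1000;
    // Hypothetical signature-level permission name, not taken from the device.
    static final String PERM = "com.example.permission.SET_DISPLAY_POSITION";
    // Assumption: a usable window covers at least 80% of each panel axis.
    static final double MIN_COVERAGE = 0.80;

    /** Stand-in for the platform lookup; in an Android Java service this step
     *  is Context.enforceCallingPermission(permission, message). */
    interface PermissionChecker { boolean callerHolds(int uid, String permission); }

    /** Returns null when the call may proceed, otherwise the reason it is refused. */
    static String check(PermissionChecker pc, int callerUid,
                        int x, int y, int w, int h, int panelW, int panelH) {
        // 1. Authorize the caller before looking at any argument.
        if (callerUid != SYSTEM_UID && !pc.callerHolds(callerUid, PERM))
            return "caller uid " + callerUid + " lacks " + PERM;
        // 2. Reject negative offsets and degenerate sizes.
        if (x < 0 || y < 0 || w <= 0 || h <= 0)
            return "non-positive geometry";
        // 3. Keep the window on the panel (long arithmetic avoids int overflow).
        if ((long) x + w > panelW || (long) y + h > panelH)
            return "window extends past the panel";
        // 4. Refuse windows too small to leave a usable UI, since the setting persists.
        if (w < panelW * MIN_COVERAGE || h < panelH * MIN_COVERAGE)
            return "window covers too little of the panel";
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample: uid 10123 is an ordinary app with no permission granted.
        Set<Integer> granted = Set.of();
        PermissionChecker pc = (uid, perm) -> granted.contains(uid);
        int[][] calls = {
            {10123, 500, 500, 1000, 1000},   // values quoted in the report, untrusted caller
            {1000, 1000, 1000, 1000, 1000},  // values quoted in the report, trusted caller
            {1000, 0, 0, 1920, 1080},        // full-panel window from a trusted caller
        };
        for (int[] c : calls) {
            String why = check(pc, c[0], c[1], c[2], c[3], c[4], 1920, 1080);
            System.out.println(Arrays.toString(c) + " -> "
                    + (why == null ? "allowed" : "refused: " + why));
        }
    }
}
```

Validating the geometry even for authorized callers matters here because the report states the corrupted setting survives reboots.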