System Property Modification Vulnerability in Vivo V7 by Vivo
CVE-2018-15002
4.7 MEDIUM
Summary
The Vivo V7 device is susceptible to a vulnerability that permits any application co-located on the device to modify system properties, specifically through an exported service in the com.qualcomm.qti.modemtestmode app. This vulnerability allows apps to set key-value pairs for system properties that are retained even after a reboot. A notable misuse of this vulnerability is the ability to log user touchscreen inputs by enabling the persist.sys.input.log property, facilitating potential privacy breaches. Furthermore, the log data can be accessed through an existing vulnerability, requiring only the READ_EXTERNAL_STORAGE permission to expose sensitive user interactions.
CVSS V3.1
Score: 4.7
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved