System Property Modification Vulnerability in Vivo V7 by Vivo
CVE-2018-15002

4.7MEDIUM

Key Information:

Vendor: Vivo
Status: V7 Firmware
Vendor: CVE Published:; 28 December 2018

What is CVE-2018-15002?

The Vivo V7 device is susceptible to a vulnerability that permits any application co-located on the device to modify system properties, specifically through an exported service in the com.qualcomm.qti.modemtestmode app. This vulnerability allows apps to set key-value pairs for system properties that are retained even after a reboot. A notable misuse of this vulnerability is the ability to log user touchscreen inputs by enabling the persist.sys.input.log property, facilitating potential privacy breaches. Furthermore, the log data can be accessed through an existing vulnerability, requiring only the READ_EXTERNAL_STORAGE permission to expose sensitive user interactions.

References

https://www.kryptowire.com/portal/wp-content/uploads/2018...

x_refsource_MISC

https://www.kryptowire.com/portal/android-firmware-defcon...

x_refsource_MISC

CVSS V3.1

Score:

4.7

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 28, 2018
Vulnerability Reserved
Aug 5, 2018