Date: 2020-10-13
Author: Kevin2600
CVE: CVE-2020-27524
Version: Audi A7 2014 MMI
Vendor: https://www.audi.com/en.html
Attack-Vector:
The Audi A7 2014 MMI infotainment system handles format string specifiers improperly. Simply renaming the mobile phone's Bluetooth name to "%x%x%x%x%x" or other specifiers causes the MMI to leak memory contents or even crash the service.
Reproduce-Steps:
1) Rename the phone's Bluetooth name to "%x%x%x%x%x".
2) Connect to the Audi's MMI IVI through Bluetooth as normal.
3) Start the multimedia player and listen to music. Normally, the music source name is displayed as expected.
But if the name is set to format string specifiers, the music source name will show leaked memory content instead, and some specifiers will even crash the service.
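As an added example (not code from the MMI or from the advisory author), the vulnerable pattern the report describes is shown in a comment beside a hardened rendering of the Bluetooth name, together with a check and an escape that a defender can apply to peer-supplied names; all function names are hypothetical:

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the MMI's code. The advisory describes the vulnerable
 * shape: the peer-supplied Bluetooth name is used AS the format string,
 *     snprintf(out, n, bt_name);   // "%x%x%x%x%x" then consumes stack words
 * so conversions read arguments that were never passed, leaking memory or
 * crashing the service. The hardened shape below always passes the name as
 * a "%s" argument; the only format string is a constant. */
int render_source_name(char *out, size_t out_len, const char *bt_name)
{
    return snprintf(out, out_len, "Source: %s", bt_name);
}

/* Defensive check on a name received over Bluetooth: true if it contains a
 * '%' that a format function would interpret (a conversion, or a dangling
 * '%' at the end of the string). "%%" is a literal percent and is allowed. */
bool name_has_format_specifier(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        p++;
        while (*p && strchr("-+ #0123456789.*hlLjzt", *p)) p++;  /* flags, width, length */
        if (*p == '\0') return true;   /* dangling '%' */
        if (*p == '%') continue;       /* "%%" is a literal percent */
        if (strchr("diouxXeEfFgGaAcspn", *p)) return true;
    }
    return false;
}

/* Neutralise the name for any downstream component (logging, UI) that might
 * still use it as a format: double every '%'. Returns the length written
 * (without the NUL) or -1 if out is too small. */
int escape_percent(char *out, size_t out_len, const char *in)
{
    size_t j = 0;
    for (const char *p = in; *p; p++) {
        size_t need = (*p == '%') ? 2 : 1;
        if (j + need >= out_len) return -1;
        out[j++] = *p;
        if (*p == '%') out[j++] = '%';
    }
    out[j] = '\0';
    return (int)j;
}
```

With the hardened renderer the name "%x%x%x%x%x" is displayed verbatim; the checker lets a receiver log or reject such names before they reach any format-string function.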
Vendor response:
The vendor Audi was contacted on Oct 14th, but they replied that this issue does not concern them. Indeed, the bug alone doesn't seem to do anything useful yet, but since CVE-2017-9212 (BMW 330i 2011) and CVE-2020-16142 (Mercedes-Benz AMG) all have such an issue, maybe we can start testing those German vehicles. You never know ;)