NVD Vulnerability Detail

CVE-2018-14998

Summary	The Leagoo P1 Android device with a build fingerprint of sp7731c_1h10_32v4_bird:6.0/MRA58K/android.20170629.214736:user/release-keys contains a hidden root privilege escalation capability to achieve command execution as the root user. They have made modifications that allow a user with physical access to the device to obtain a root shell via ADB by modifying read-only system properties at runtime. Specifically, modifying the ro.debuggable and the ro.secure system properties to a certain value and then restarting the ADB daemon allows for a root shell to be obtained via ADB.
Publication Date	Dec. 29, 2018, 6:29 a.m.
Registration Date	March 1, 2021, 6:58 p.m.
Last Update	Nov. 21, 2024, 12:50 p.m.

Affected software configurations

Related information, measures and tools

No	URL	タグ
1	https://www.kryptowire.com/portal/android-firmware-defcon-2018/	Third Party Advisory
2	https://www.kryptowire.com/portal/android-firmware-defcon-2018/	Third Party Advisory
3	https://www.kryptowire.com/portal/wp-content/uploads/2018/12/DEFCON-26-Johnson-and-Stavrou-Vulnerable-Out-of-the-Box-An-Eval-of-Android-Carrier-Devices-WP-Updated.pdf	Exploit Technical Description Third Party Advisory
4	https://www.kryptowire.com/portal/wp-content/uploads/2018/12/DEFCON-26-Johnson-and-Stavrou-Vulnerable-Out-of-the-Box-An-Eval-of-Android-Carrier-Devices-WP-Updated.pdf	Exploit Technical Description Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-78	OSコマンド・インジェクション	https://cwe.mitre.org/data/definitions/78.html

JVN Vulnerability Information

Leagoo P1 Android デバイスにおける認可・権限・アクセス制御に関する脆弱性

Title	Leagoo P1 Android デバイスにおける認可・権限・アクセス制御に関する脆弱性
Summary	Leagoo P1 Android デバイスには、認可・権限・アクセス制御に関する脆弱性が存在します。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダ情報および参考情報を参照して適切な対策を実施してください。
Publication Date	Dec. 28, 2018, midnight
Registration Date	March 25, 2019, 4:42 p.m.
Last Update	March 25, 2019, 4:42 p.m.

Affected System

LEAGOO Global Co., Limited

P1 ファームウェア

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2018-14998	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14998
2	CVE-2018-14998	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14998
National Vulnerability Database (NVD)
3	CVE-2018-14998	https://nvd.nist.gov/vuln/detail/CVE-2018-14998
4	CVE-2018-14998	https://nvd.nist.gov/vuln/detail/CVE-2018-14998

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-264	https://jvndb.jvn.jp/ja/cwe/CWE-264.html
2	CWE-264	https://jvndb.jvn.jp/ja/cwe/CWE-264.html

ベンダー情報

No	Name	URL
LEAGOO
1	P1	https://www.leagoo.com/products/P1/spec.html
2	P1	https://www.leagoo.com/products/P1/spec.html

その他

No	Name	URL
関連文書
1	Vulnerable Out of the Box:An Evaluation of Android Carrier Devices	https://www.kryptowire.com/portal/wp-content/uploads/2018/12/DEFCON-26-Johnson-and-Stavrou-Vulnerable-Out-of-the-Box-An-Eval-of-Android-Carrier-Devices-WP-Updated.pdf
2	Vulnerable Out of the Box:An Evaluation of Android Carrier Devices	https://www.kryptowire.com/portal/wp-content/uploads/2018/12/DEFCON-26-Johnson-and-Stavrou-Vulnerable-Out-of-the-Box-An-Eval-of-Android-Carrier-Devices-WP-Updated.pdf

Change Log

No	Changed Details	Date of change
1	[2019年03月25日] 掲載	March 25, 2019, 4:42 p.m.