Sign-up

ID

VAR-201904-0571


CVE

CVE-2018-15000


TITLE

Vivo V7 Android Vulnerabilities related to authorization, authority, and access control in devices

Trust: 0.8

sources: JVNDB: JVNDB-2018-015336

DESCRIPTION

The Vivo V7 Android device with a build fingerprint of vivo/1718/1718:7.1.2/N2G47H/compil11021857:user/release-keys contains a platform app with a package name of com.vivo.smartshot (versionCode=1, versionName=3.0.0). This app contains an exported service named com.vivo.smartshot.ui.service.ScreenRecordService that will record the screen for 60 minutes and write the mp4 file to a location of the user's choosing. Normally, a recording notification will be visible to the user, but we discovered an approach to make it mostly transparent to the user by quickly removing a notification and floating icon. The user can see a floating icon and notification appear and disappear quickly due to quickly stopping and restarting the service with different parameters that do not interfere with the ongoing screen recording. The screen recording lasts for 60 minutes and can be written directly to the attacking app's private directory. Vivo V7 Android Devices have vulnerabilities related to authorization, permissions, and access control.Information may be obtained and information may be altered. The Vivo V7 is an Android-based smartphone produced by China's Vivo Mobile Communications (Vivo). An attacker could exploit this vulnerability to obtain information or cause a system crash

Trust: 1.71

sources: NVD: CVE-2018-15000 // JVNDB: JVNDB-2018-015336 // VULHUB: VHN-125216

AFFECTED PRODUCTS

vendor:vivomodel:v7scope:eqversion: -

Trust: 1.0

vendor:vivomodel:v7scope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2018-015336 // NVD: CVE-2018-15000

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-15000
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-15000
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201904-1186
value: MEDIUM

Trust: 0.6

VULHUB: VHN-125216
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2018-15000
severity: LOW
baseScore: 3.3
vectorString: AV:L/AC:M/AU:N/C:P/I:P/A:N
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 3.4
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-125216
severity: LOW
baseScore: 3.3
vectorString: AV:L/AC:M/AU:N/C:P/I:P/A:N
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 3.4
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-15000
baseSeverity: MEDIUM
baseScore: 6.3
vectorString: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
attackVector: LOCAL
attackComplexity: HIGH
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 1.0
impactScore: 5.2
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-125216 // JVNDB: JVNDB-2018-015336 // CNNVD: CNNVD-201904-1186 // NVD: CVE-2018-15000

PROBLEMTYPE DATA

problemtype:NVD-CWE-noinfo

Trust: 1.0

problemtype:CWE-264

Trust: 0.9

sources: VULHUB: VHN-125216 // JVNDB: JVNDB-2018-015336 // NVD: CVE-2018-15000

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201904-1186

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-201904-1186

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2018-015336

PATCH
title:V7url:https://www.vivo.com/in/products/v7
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2018-015336

EXTERNAL IDS
db:NVDid:CVE-2018-15000
Trust: 2.5
db:JVNDBid:JVNDB-2018-015336
Trust: 0.8
db:CNNVDid:CNNVD-201904-1186
Trust: 0.7
db:VULHUBid:VHN-125216
Trust: 0.1
sources:
            
            
            VULHUB: VHN-125216 // 
            
            
            
            JVNDB: JVNDB-2018-015336 // 
            
            
            
            CNNVD: CNNVD-201904-1186 // 
            
            
            
            NVD: CVE-2018-15000

REFERENCES
url:https://www.kryptowire.com/portal/android-firmware-defcon-2018/
Trust: 1.7
url:https://www.kryptowire.com/portal/wp-content/uploads/2018/12/defcon-26-johnson-and-stavrou-vulnerable-out-of-the-box-an-eval-of-android-carrier-devices-wp-updated.pdf
Trust: 1.7
url:https://nvd.nist.gov/vuln/detail/cve-2018-15000
Trust: 1.4
url:https://www.kryptowire.com
Trust: 1.1
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-15000
Trust: 0.8
sources:
            
            
            VULHUB: VHN-125216 // 
            
            
            
            JVNDB: JVNDB-2018-015336 // 
            
            
            
            CNNVD: CNNVD-201904-1186 // 
            
            
            
            NVD: CVE-2018-15000

SOURCES
db:VULHUBid:VHN-125216
db:JVNDBid:JVNDB-2018-015336
db:CNNVDid:CNNVD-201904-1186
db:NVDid:CVE-2018-15000

LAST UPDATE DATE
2024-11-23T22:37:53.344000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-125216date:2019-10-03T00:00:00
db:JVNDBid:JVNDB-2018-015336date:2019-05-28T00:00:00
db:CNNVDid:CNNVD-201904-1186date:2019-10-23T00:00:00
db:NVDid:CVE-2018-15000date:2024-11-21T03:50:18.793

SOURCES RELEASE DATE
db:VULHUBid:VHN-125216date:2019-04-25T00:00:00
db:JVNDBid:JVNDB-2018-015336date:2019-05-28T00:00:00
db:CNNVDid:CNNVD-201904-1186date:2019-04-25T00:00:00
db:NVDid:CVE-2018-15000date:2019-04-25T20:29:01.537