Details of VAR-202004-2329

ID

VAR-202004-2329

TITLE

(Pwn2Own) Amazon Echo Show Integer Overflow Remote Code Execution Vulnerability

Trust: 0.7

sources: ZDI: ZDI-20-537

DESCRIPTION

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Amazon Echo Show. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the handling of arrays. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current process.

Trust: 0.7

sources: ZDI: ZDI-20-537

AFFECTED PRODUCTS

vendor:

amazon

model:

echo show

scope:

version:

Trust: 0.7

sources: ZDI: ZDI-20-537

CVSS

SEVERITY

CVSSV2

CVSSV3

ZDI:	ZDI-20-537
value:	HIGH
Trust: 0.7

ZDI:	ZDI-20-537
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.0
Trust: 0.7

sources: ZDI: ZDI-20-537

EXTERNAL IDS

db:	ZDI_CAN	id:	ZDI-CAN-9644	Trust: 0.7
db:	ZDI	id:	ZDI-20-537	Trust: 0.7

sources: ZDI: ZDI-20-537

CREDITS

fluoroacetate

Trust: 0.7

sources: ZDI: ZDI-20-537

SOURCES

db:

ZDI

id:

ZDI-20-537

LAST UPDATE DATE

2022-05-17T02:05:47.026000+00:00

SOURCES UPDATE DATE

db:

ZDI

id:

ZDI-20-537

date:

2020-04-16T00:00:00

SOURCES RELEASE DATE

db:

ZDI

id:

ZDI-20-537

date:

2020-04-16T00:00:00