CVE-2023-33294: Execute Commands as Root from KaiOS 3.0 Browser via TCT Web Server

Vendor: KaiOS Technologies Inc.
Vendor URL:
Versions affected: KaiOS 3.0
Systems Affected: KaiOS-based mobile devices
Author: Tom Barrasso
CVE Identifier: CVE-2023-33294
Risk: Critical


KaiOS is a mobile operating system based on Firefox OS. KaiOS 3.0 comes shipped with a binary, tctweb_server, exposing a local web server that responds to HTTP requests on port 2929. This server responds to GET and POST requests, accepting a application/x-www-form-urlencoded formatted request body with key-value tuples separated by '&', with a '='.
tctweb_server runs as root. It supports pre-defined commands for getting & setting system properties, reading & writing NV items, and reading files. It also allows for execution of user-provided bash commands. Because the server is exposed on, and it returns the header Access-Control-Allow-Origin: * with every request, it is accessible to all installed apps and websites the system browser.



Because tctweb_server runs as root, accepts arbitrary bash commands, and is accessible via the system browser, it has a very high potential for abuse. This risk is partially mitigated by SELinux enforcement. As a result, tctweb_server cannot be used to read, write, or modify files or permissions within protected partitions.
The following are examples of what can be accomplished simply by visiting a malicious website on a KaiOS 3.0 device.

An attacker can make XMLHttpRequest or fetch requests to with parameters to run commands as root. In this simple example, the contents of the build.prop file are displayed on screen. let xhr = new XMLHttpRequest();'POST', '', true); xhr.send('cmd=bash&cmdshell=readfile&filename=system/build.prop');
Photo of build.prop file displayed on Alcatel Go Flip 4 (KaiOS 3.0) browser


Given the strong potential for abuse, the tctweb_server binary should either be permission-restricted to only certified apps or removed altogether. Analysis of builds from the Nokia 2780 Flip suggests that tctweb_server was removed in KaiOS 3.1.


This demo displays the contents of build.prop on sceen.

KaiOS Version:


Vendor Communication Timeline