Vendor: KaiOS Technologies Inc.
Vendor URL: https://www.kaiostech.com/
Versions affected: KaiOS 3.0
Systems Affected: KaiOS-based mobile devices
Author: Tom Barrasso
CVE Identifier: CVE-2023-33294
Risk: Critical
KaiOS is a mobile operating system based on Firefox OS. KaiOS 3.0 comes shipped with a binary, tctweb_server
, exposing a local web server that responds to HTTP requests on port 2929.
This server responds to GET and POST requests, accepting a application/x-www-form-urlencoded
formatted request body with key-value tuples separated by '&', with a '='.
tctweb_server
runs as root. It supports pre-defined commands for getting & setting system properties, reading & writing NV items, and reading files. It also allows for execution of user-provided bash commands.
Because the server is exposed on http://127.0.0.1:2929
, and it returns the header Access-Control-Allow-Origin: *
with every request, it is accessible to all installed apps and websites the system browser.
/system/bin/tctweb_server
Because tctweb_server
runs as root, accepts arbitrary bash commands, and is accessible via the system browser, it has a very high potential for abuse.
This risk is partially mitigated by SELinux enforcement. As a result, tctweb_server
cannot be used to read, write, or modify files or permissions within protected partitions.
The following are examples of what can be accomplished simply by visiting a malicious website on a KaiOS 3.0 device.
cmdshell=readfile
to get the list of installed applications (system/b2g/webapps/webapps.json
), or user profile data including notifications and downloads (folder: data/b2g/mozilla/*.default/
, files: downloads.json
, notifications.json
)sdcard/
persist.moz.killswitch
An attacker can make XMLHttpRequest
or fetch
requests to http://127.0.0.1:2929
with parameters to run commands as root.
In this simple example, the contents of the build.prop
file are displayed on screen.
let xhr = new XMLHttpRequest();
xhr.open('POST', 'http://127.0.0.1:2929', true);
xhr.send('cmd=bash&cmdshell=readfile&filename=system/build.prop');
Given the strong potential for abuse, the tctweb_server
binary should either be permission-restricted to only certified apps or removed altogether. Analysis of builds from the Nokia 2780 Flip suggests that tctweb_server
was removed in KaiOS 3.1.
This demo displays the contents of build.prop
on sceen.
KaiOS Version:
build.prop