CVE-2023-33294: Execute Commands as Root from KaiOS 3.0 Browser via TCT Web Server

Vendor: KaiOS Technologies Inc.
Vendor URL: https://www.kaiostech.com/
Versions affected: KaiOS 3.0
Systems Affected: KaiOS-based mobile devices
Author: Tom Barrasso
CVE Identifier: CVE-2023-33294
Risk: Critical

Summary

KaiOS is a mobile operating system based on Firefox OS. KaiOS 3.0 comes shipped with a binary, tctweb_server, exposing a local web server that responds to HTTP requests on port 2929. This server responds to GET and POST requests, accepting a application/x-www-form-urlencoded formatted request body with key-value tuples separated by '&', with a '='.
tctweb_server runs as root. It supports pre-defined commands for getting & setting system properties, reading & writing NV items, and reading files. It also allows for execution of user-provided bash commands. Because the server is exposed on http://127.0.0.1:2929, and it returns the header Access-Control-Allow-Origin: * with every request, it is accessible to all installed apps and websites the system browser.

Location

Impact

Because tctweb_server runs as root, accepts arbitrary bash commands, and is accessible via the system browser, it has a very high potential for abuse. This risk is partially mitigated by SELinux enforcement. As a result, tctweb_server cannot be used to read, write, or modify files or permissions within protected partitions.
The following are examples of what can be accomplished simply by visiting a malicious website on a KaiOS 3.0 device.

An attacker can make XMLHttpRequest or fetch requests to http://127.0.0.1:2929 with parameters to run commands as root. In this simple example, the contents of the build.prop file are displayed on screen. let xhr = new XMLHttpRequest(); xhr.open('POST', 'http://127.0.0.1:2929', true); xhr.send('cmd=bash&cmdshell=readfile&filename=system/build.prop');
Photo of build.prop file displayed on Alcatel Go Flip 4 (KaiOS 3.0) browser

Recommendation

Given the strong potential for abuse, the tctweb_server binary should either be permission-restricted to only certified apps or removed altogether. Analysis of builds from the Nokia 2780 Flip suggests that tctweb_server was removed in KaiOS 3.1.

Demo

This demo displays the contents of build.prop on sceen.

KaiOS Version:

build.prop

Vendor Communication Timeline