A code signing bypass for the VW Polo

In Volkswagen Polo 2019 cars, the upgrade feature of the Discover Media infotainment system enables physically nearby attackers to execute arbitrary code since certain unsigned components of a metainfo file are parsed, which may enable attacker-controlled files to be written to the infotainment system and executed as root.

Monday, November 16, 2020, 7:19 GMT

Details:

From the methods described above, it should be clear that the update verification system operates on a hierarchically-established chain of trust:

–The hard-coded key is considered trustworthy by Volkswagen®.

–The trustworthy hard-coded key is used to extract, from the metainfo file signature, a trusted metainfo file checksum value (this is verified by the authenticity test of the metainfo file).

–To establish trust in the metainfo file as a whole, the trusted metainfo file checksum value is compared with the checksum measured over that metainfo file (this is checked by the integrity check of the metainfo file).

–The trusted metainfo file is then used to establish trust in the files it defines, by comparing their measured checksums with those recorded in the trusted metainfo file (this is checked by the constituent file integrity check).

–They also found, however, that the integrity check of the metainfo file uses only two byte ranges to determine the checksum of a metainfo file:

–The first range covers the “[common]” section from the beginning of the file to the beginning of the line starting with “MetafileChecksum”.

–The second range extends from the beginning of the following line to the beginning of the line starting with “[Signature]”.

This means that any content placed in the metainfo file outside these two ranges changes neither its checksum nor the outcome of its validation against the signature. It would, however, still be parsed: in our parse_metainfo_file() description, the metainfo file is parsed in its entirety, from beginning to end.
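The mismatch between what is hashed and what is parsed is easiest to see on a concrete file. The following Python script is an added illustration, not code from the article or from Volkswagen's update software: it builds a constructed metainfo file in the layout the article describes, computes a checksum over only the two covered byte ranges, parses the whole file the way the article says parse_metainfo_file() does, and reports every parsed key whose bytes fall outside the hashed ranges. The use of SHA-256 for the checksum, the key/value syntax, and the sample contents are assumptions made for the example.

```python
import hashlib

# Constructed sample metainfo file (not a real update file). Layout follows the
# article: a "[common]" section, a "MetafileChecksum" line, further content,
# then a "[Signature]" section.
SAMPLE = (
    b"[common]\n"
    b"Version=1.0\n"
    b"MetafileChecksum=PLACEHOLDER\n"
    b"[files]\n"
    b"app.bin=deadbeef\n"
    b"[Signature]\n"
    b"Sig=PLACEHOLDER\n"
)

# The same file with an extra section appended after the signature block.
APPENDED = SAMPLE + b"[extra]\nunexpected.bin=cafebabe\n"


def _line_start(data, prefix):
    """Byte offset of the first line starting with `prefix`, or -1 if absent."""
    pos = 0
    for line in data.split(b"\n"):
        if line.startswith(prefix):
            return pos
        pos += len(line) + 1
    return -1


def covered_ranges(data):
    """The two byte ranges the integrity check hashes, per the article:
    [0, start of the MetafileChecksum line) and
    [start of the following line, start of the [Signature] line)."""
    cs = _line_start(data, b"MetafileChecksum")
    sig = _line_start(data, b"[Signature]")
    if cs < 0 or sig < 0 or sig < cs:
        raise ValueError("malformed metainfo file")
    next_line = data.index(b"\n", cs) + 1
    return [(0, cs), (next_line, sig)]


def metafile_checksum(data):
    """Checksum over the covered ranges only (SHA-256 is an assumption;
    the article does not name the algorithm)."""
    h = hashlib.sha256()
    for start, end in covered_ranges(data):
        h.update(data[start:end])
    return h.hexdigest()


def parse_metainfo(data):
    """Parse the whole file from beginning to end, like parse_metainfo_file().
    Returns {section: {key: (value, byte_offset_of_line)}}."""
    result = {}
    section = None
    pos = 0
    for line in data.split(b"\n"):
        if line.startswith(b"[") and line.endswith(b"]"):
            section = line[1:-1].decode()
            result.setdefault(section, {})
        elif b"=" in line and section is not None:
            key, _, value = line.partition(b"=")
            result[section][key.decode()] = (value.decode(), pos)
        pos += len(line) + 1
    return result


def uncovered_keys(data):
    """Keys the parser accepts whose bytes are not part of the hashed ranges.
    The MetafileChecksum line and the [Signature] section are legitimately
    outside the hash; anything else is content the signature does not bind."""
    ranges = covered_ranges(data)
    found = []
    for section, keys in parse_metainfo(data).items():
        if section == "Signature":
            continue
        for key, (_, off) in keys.items():
            if key == "MetafileChecksum":
                continue
            if not any(start <= off < end for start, end in ranges):
                found.append((section, key))
    return found


if __name__ == "__main__":
    print("checksums equal:", metafile_checksum(SAMPLE) == metafile_checksum(APPENDED))
    print("unbound keys in SAMPLE:  ", uncovered_keys(SAMPLE))
    print("unbound keys in APPENDED:", uncovered_keys(APPENDED))
```

Running it shows the two files hash to the same value while the parser sees an additional section in the appended one. A check such as uncovered_keys, run before any parsed entry is acted on, rejects a metainfo file whose parsed content is not fully covered by the signed checksum; the more robust fix is to make the hashed region coincide with the parsed region, i.e. to hash everything except the checksum line and the signature block, so the two can never diverge.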