Firmware Update Process Allows Execution of Unsigned Code on Diqee Diqee360 Devices
CVE-2018-10988 · HIGH Severity
AV:L/AC:L/AU:N/C:C/I:C/A:C
An issue was discovered on Diqee Diqee360 devices. A firmware update process, integrated into the firmware, starts at boot and tries to find the update folder on the microSD card. It executes code, without a digital signature, as root from the /mnt/sdcard/$PRO_NAME/upgrade.sh or /sdcard/upgrage_360/upgrade.sh pathname.
Learn more about our Web Application Penetration Testing UK.