Firmware Update Process Allows Execution of Unsigned Code on Diqee Diqee360 Devices

Firmware Update Process Allows Execution of Unsigned Code on Diqee Diqee360 Devices

CVE-2018-10988 · HIGH Severity

AV:L/AC:L/AU:N/C:C/I:C/A:C

An issue was discovered on Diqee Diqee360 devices. A firmware update process, integrated into the firmware, starts at boot and tries to find the update folder on the microSD card. It executes code, without a digital signature, as root from the /mnt/sdcard/$PRO_NAME/upgrade.sh or /sdcard/upgrage_360/upgrade.sh pathname.

Learn more about our Web Application Penetration Testing UK.