CVE-2018-14979 in ZenFone 3 Max
Summary
by MITRE
The ASUS ZenFone 3 Max Android device with a build fingerprint of asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys contains a pre-installed app with a package name of com.asus.loguploader (versionCode=1570000275, versionName=7.0.0.55_170515). This app contains an exported service app component named com.asus.loguploader.LogUploaderService that, when accessed with a particular action string, will write a bugreport (kernel log, logcat log, and the state of system services including the text of active notifications), Wi-Fi passwords, and other system data to external storage (sdcard). Any app with the READ_EXTERNAL_STORAGE permission on this device can read this data from the sdcard after it has been dumped there by the com.asus.loguploader app. Third-party apps are not allowed to directly create a bugreport or access the user's stored wireless network credentials.
Analysis
by VulDB Data Team • 04/24/2020
CVE-2018-14979 is a critical security flaw in the ASUS ZenFone 3 Max Android device that stems from improper component exposure in a pre-installed application. The component com.asus.loguploader.LogUploaderService is exported without adequate permission controls, which creates an unauthorized data exfiltration path. The data at stake includes kernel logs, logcat output, the state of system services and, most seriously, stored Wi-Fi passwords. The affected device runs Android 7.0 with build fingerprint asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys, so the finding applies to that specific model variant and build. Because the application is pre-installed, users cannot easily remove it or change its behavior, which makes the weakness persistent and hard to address through normal user intervention.
The flaw lies in Android's component exposure mechanism: LogUploaderService accepts specific action strings that trigger data collection and storage. When invoked, the service generates a bugreport covering kernel logs, system logs, active service states and the text of notifications, and writes this data to external storage on the device's SD card. Any application holding READ_EXTERNAL_STORAGE can then read the dump. This design exposes a sensitive, system-level collection capability to arbitrary apps: a malicious application needs no authentication or authorization to trigger it, even though third-party apps are not otherwise allowed to create a bugreport or read stored wireless credentials, so the service undermines the Android security model and gives such an app a way to gather comprehensive system information.
The operational impact goes beyond simple data collection. Exposed Wi-Fi passwords can be used to gain unauthorized access to wireless networks, potentially leading to network infiltration, data exfiltration and lateral movement within connected environments. Kernel logs and logcat output give an attacker detailed system information that could be used to identify further vulnerabilities, understand device behavior or develop attacks targeted at this Android version and device model. The text of active notifications may contain sensitive personal or business information that was never intended to leave the device. In effect, the exposed service is a data-collection backdoor that operates outside normal user expectations and security controls and could support persistent surveillance.
The weakness corresponds to CWE-284 (Improper Access Control) and is mapped here to ATT&CK techniques T1083 (File and Directory Discovery) and T1071.004 (Application Layer Protocol: DNS) in view of the potential for network credential compromise. It is a failure of the principle of least privilege: a system service should not be reachable by arbitrary applications without authorization. Device manufacturers should enforce access control on exported components so that sensitive system data collection cannot be invoked without authorization. Recommended mitigations are prompt patching of affected devices, enforcing application permission controls, and removing unnecessary exported components from system applications. Users should avoid installing untrusted applications that could exploit this issue and keep their device firmware up to date. The case underlines the need for security review of pre-installed applications and for secure component exposure practices throughout the software development lifecycle.
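As an added example (not code from ASUS, MITRE or VulDB), the following Python script audits a decoded AndroidManifest.xml for the misconfiguration class behind this CVE and the mitigation recommended above: a component that is exported, explicitly or implicitly through an intent-filter as on Android 7.0, yet guarded by no permission. Two manifests are constructed inline: a weak one modelled on the description of LogUploaderService, and a hardened variant that keeps the service reachable only to callers holding a signature-level permission. The action string and the permission name are placeholders; the real manifest of com.asus.loguploader is not reproduced on this page.

```python
"""Flag Android components that are exported without a guarding permission.

Added example, not ASUS, MITRE or VulDB code. The two manifests below are
constructed: the real com.asus.loguploader manifest is not reproduced here,
and the action string / permission name are placeholders.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed: models the weak configuration described for LogUploaderService.
# No android:exported and no android:permission, but an <intent-filter>:
# on Android 7.0 that makes the service implicitly exported to every app.
WEAK_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}"
          package="com.asus.loguploader">
  <application>
    <service android:name="com.asus.loguploader.LogUploaderService">
      <intent-filter>
        <action android:name="com.example.PLACEHOLDER_DUMP_ACTION"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed: hardened variant. The service stays reachable only by callers
# holding a signature-level permission (placeholder name), so third-party
# apps cannot trigger the dump. android:exported="false" is the simpler
# alternative when no other package needs to reach the service at all.
HARDENED_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}"
          package="com.asus.loguploader">
  <permission android:name="com.example.PLACEHOLDER_DUMP_PERMISSION"
              android:protectionLevel="signature"/>
  <application>
    <service android:name="com.asus.loguploader.LogUploaderService"
             android:exported="true"
             android:permission="com.example.PLACEHOLDER_DUMP_PERMISSION">
      <intent-filter>
        <action android:name="com.example.PLACEHOLDER_DUMP_ACTION"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""


def _attr(elem, name):
    """Read an attribute from the android: namespace (None if absent)."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def is_exported(comp):
    """Apply the pre-Android 12 rule: an explicit android:exported wins;
    otherwise a component that declares an <intent-filter> is exported."""
    explicit = _attr(comp, "exported")
    if explicit is not None:
        return explicit.strip().lower() == "true"
    return comp.find("intent-filter") is not None


def find_unprotected_exports(manifest_xml):
    """Return [(tag, name)] for exported components with no permission guard,
    honouring an <application android:permission> default if one is set."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    app_permission = _attr(app, "permission") if app is not None else None
    findings = []
    for tag in COMPONENT_TAGS:
        for comp in root.iter(tag):
            guarded = _attr(comp, "permission") or app_permission
            if is_exported(comp) and not guarded:
                findings.append((tag, _attr(comp, "name")))
    return findings


if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(label, find_unprotected_exports(manifest))
```

Run the script against the manifest obtained by decoding an APK (for example with apktool) to list every component a third-party app can reach without holding a permission; each hit is a candidate for the "remove unnecessary exported components" mitigation or for a permission guard such as the one in the hardened manifest.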