CVE-2018-15006 in ZMAX Champ
Summary
by MITRE
The ZTE ZMAX Champ Android device with a build fingerprint of ZTE/Z917VL/fortune:6.0.1/MMB29M/20170327.120922:user/release-keys contains a pre-installed platform app with a package name of com.android.zte.hiddenmenu (versionCode=23, versionName=6.0.1) that contains an exported broadcast receiver app component named com.android.zte.hiddenmenu.CommandReceiver that is accessible to any app co-located on the device. This app component, when it receives a broadcast intent with a certain action string, will write a non-standard (i.e., not defined in Android Open Source Project (AOSP) code) command to the /cache/recovery/command file to be executed in recovery mode. Once the device boots into recovery mode, it will crash, boot into recovery mode, and crash again. This crash loop will keep repeating, which makes the device unusable. There is no way to boot into an alternate mode once the crash loop starts.
Analysis
by VulDB Data Team • 04/24/2020
The vulnerability identified as CVE-2018-15006 is a critical security flaw in ZTE ZMAX Champ devices running Android 6.0.1: a pre-installed platform application named com.android.zte.hiddenmenu contains an exported broadcast receiver component that exposes dangerous functionality to any application on the device. The flaw is classified under CWE-664, which describes improper control of a resource through multiple interfaces, because the CommandReceiver component allows recovery-mode behaviour to be manipulated through an exported interface without authorization. The affected device has a build fingerprint of ZTE/Z917VL/fortune:6.0.1/MMB29M/20170327.120922:user/release-keys, which identifies the specific hardware and firmware configuration exposed to this attack vector.
Technically, the exported broadcast receiver CommandReceiver listens for broadcast intents carrying a particular action string. When triggered, it writes a non-standard command (one not defined in the Android Open Source Project code) to /cache/recovery/command, the file the recovery image reads for instructions on its next boot. Because the receiver is exported and performs no permission, signature or caller checks, any application co-located on the device can trigger it, which violates the principle of least privilege by handing an unprivileged app control over a system-owned resource. The attack leverages the recovery-mode execution flow: the device boots into recovery to act on the command file, crashes, and re-enters recovery, producing an infinite crash loop that renders the device unusable.
The operational impact of this vulnerability is severe and immediate: it creates a persistent denial-of-service condition that prevents normal device operation. The crash loop arises because the device repeatedly boots into recovery mode, crashes, and boots back into recovery mode, an endless cycle that cannot be interrupted through normal user or administrative actions. This behavior aligns with the ATT&CK framework's T1499.004 technique for "Evasion: Virtualization/Sandbox Detection" and T1566.001 for "Initial Access: Phishing", as malicious actors could exploit this vulnerability to create persistent device lockouts. The vulnerability is particularly dangerous because there is no user-accessible method to escape the crash loop once it begins; the device is effectively permanently disabled, and recovery requires hardware-level intervention or factory-reset procedures that may not be available to end users.
Mitigation should focus on immediate device remediation and on longer-term security improvements. The most effective immediate measure is to disable or remove the vulnerable com.android.zte.hiddenmenu application through system-level administrative controls, or to apply a firmware update from ZTE that fixes the component. Security teams should monitor for suspicious broadcast-intent patterns and for modifications to /cache/recovery/command, since a write to that file by an unexpected process is a clear indicator of an exploitation attempt. The vulnerability illustrates why Android component exposure must be controlled carefully (non-exported, or protected by a permission) and why pre-installed applications, particularly those with platform or system privileges, need thorough security auditing. Organizations should also consider mobile device management policies that restrict installation of applications capable of abusing such exported broadcast receivers, while recognizing that only a manufacturer firmware update addresses the root cause of the exposed component.
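The audit of pre-installed apps recommended above can be partly automated. The following Python script is an added example written for this page, not code from VulDB, ZTE or MITRE: it parses an AndroidManifest.xml, applies the platform rule that a component with an intent-filter is exported by default (pre API 31) unless android:exported says otherwise, and flags receivers that are exported without an android:permission guard. The manifest is constructed to mirror the advisory's CommandReceiver; the action string and the two other receivers are placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest modelled on the advisory's component.
# The action name is a placeholder; the real action string is not on the page.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.android.zte.hiddenmenu">
  <application>
    <receiver android:name=".CommandReceiver">
      <intent-filter>
        <action android:name="com.example.PLACEHOLDER_ACTION"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".LockedReceiver"
        android:exported="true"
        android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <receiver android:name=".InternalReceiver" android:exported="false">
      <intent-filter>
        <action android:name="com.example.INTERNAL"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

def is_exported(component):
    """Explicit android:exported wins; otherwise an intent-filter implies
    exported=true under the pre-API-31 default."""
    explicit = component.get(ANDROID_NS + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None

def audit_receivers(manifest_xml):
    """Return receivers reachable by any co-located app: exported and not
    guarded by an android:permission attribute."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    findings = []
    for recv in root.iter("receiver"):
        name = recv.get(ANDROID_NS + "name", "")
        if name.startswith("."):          # expand the shorthand class name
            name = package + name
        if is_exported(recv) and recv.get(ANDROID_NS + "permission") is None:
            actions = [a.get(ANDROID_NS + "name") for a in recv.iter("action")]
            findings.append({"component": name, "actions": actions})
    return findings
```

Running `audit_receivers(SAMPLE_MANIFEST)` reports only com.android.zte.hiddenmenu.CommandReceiver; the permission-guarded and non-exported receivers pass, which is the shape the fix should take.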