Privilege escalation in Hindotech HK1 Box S905X3 TV Box
| Risk | Low |
| Patch available | NO |
| Number of vulnerabilities | 1 |
| CVE-ID | N/A |
| CWE-ID | CWE-264 |
| Exploitation vector | Local |
| Public exploit | Public exploit code for vulnerability #1 is available. |
| Vulnerable software Subscribe |
HK1 Box S905X3 TV Box Hardware solutions / Other hardware appliances |
| Vendor | Hindotech, Shenzhen Hindo Technology Co.,Ltd |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU47633
Risk: Low
CVSSv3.1: 8.1 [CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to escalate privileges on the system.
The vulnerability exists due to application does not properly impose security restrictions. A local attacker can execute the "/system/xbin/su" binary and execute arbitrary code as root, or steal social networking account tokens, WiFi passwords, cookies, saved passwords, user location data, message history, emails, or contacts, etc.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsHK1 Box S905X3 TV Box: HK1_X3_S905X3_4BIT_V11_2019-11-05
External linkshttp://sick.codes/sick-2020-004/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
