CVE-2019-9019 British Airways Entertainment System Chat App. Crash

Authors:Hector Marco
CVE:CVE-2019-9019
Comment:Chat Application Crash on Boeing 777-36N(ER) - British Airways
Dates: March 2019 - Published in the web.

Affected British Airways Aircraft - Boeing 777-36N(ER)


Contents

  1. Clarification.
  2. Description.
  3. Impact.
  4. The Vulnerability.
  5. The Exploit (PoC) - Video.
  6. Discussion.
  7. Fake news exaggerating this.





1. Clarification

Did you make any attack?

No, no attack was made.

Were you looking for vulnerabilities?

No. I was not probing for vulnerabilities, this is a major task that must be done in a controlled environment and under prior agreement (I do not work for free).

I was curios about the USB port socket and its purpose and I found a weakness accidentally.

Why did you describe the issue as a possible buffer overflow?

In order to get a CVE number, a vulnerability type must be provided. The most likely in this case is a buffer overflow but a memory exhaustion or similar can not be discarded. Assigning "unknown" to the vulnerability type will require a change of the type in the future for sure. Using the most likely one can give a better context and likely avoid future changes about the kind of issue.

Did you contact the affected parties?

Yes. I immediately contacted the affected stakeholders. I have provided more details and I am supporting them.

Why did you release this even knowing that people will criticize this?

When something reaches enough mass of people, you will always find people for and against. I can understand both parts because the information they are handling is not complete and part of it describes an hypothetical scenario. Those thoughts aloud were intended to avoid this issue to go unnoticed, that's all, because I really think this should be addressed and we are supporting stakeholders on this. Unfortunately there are fake news exaggerating this for their own benefit.

I do not think I am the first person in the world knowing this issue but I know that now this have much more chances to be fixed, which was the intention of releasing this.

In any case it is a shame that some security issues can not be seriously discussed in public.

2. Description

The British Airways Entertainment System installed on Boeing 777-36N(ER) and possibly other aircraft, allows the USB charging/data-transfer feature from interacting with USB keyboard and mouse devices, which allows physically proximate attackers to conduct unanticipated attacks against Entertainment applications.

The vulnerable application is the interactive chat application that allows to send messages to other passengers. An attacker can plug a USB mouse and trigger a buffer overflow or other kind of memory errors producing a Denial of Service and possibly other unspecified impact.

3. Impact

An attacker which successfully exploits this weakness will crash the chat client application. The chat will not longer work producing a Denial Of Service. Based on this, other impacts can not be claimed. Some times this kind of software bugs can be further exploited and some times not.

4. The Vulnerability

The weakness is in the chat application but since it was not exploited or analyzed we have not details. Our guess is that it is an overflow or a less likely a memory exhaustion.

The USB port allows to charge devices but also to interact with them. For example, the entertainment system has an application that allows you to see on the screen pictures when the phone is connect through the USB to the system.

The following picture was taken during the real flight and it shows where the USB sockets were located in the Boeing 777-36N(ER) operated by British Airways.

USB sockets: Boeing 777-36N(ER) operated by British Airways.

5. The Exploit (PoC) - Video

To exploit the weakness attackers need physical access to the USB port. In our test a mouse was plugged to the USB socket and it was immediately detected as valid device. At this point, I thought that this was intentionally since no action from the user was needed.

I noticed that the mouse was not displayed in all applications. After opening the chat application the mouse pointer appeared. I wanted to send a long message to another chat seat and I decided to use the mouse for that. After copying and pasting many times the chat application surprisingly disappeared in front of me. This accidental discovery has been now identified as a vulnerability with the CVE-2019-9019.

The following video shows a proof of concept of the accidental vulnerability found.


British Airways Entertainment System Chat App. Crash PoC

The above video shows how I was trying to send a long message to another chat seat using the copy and paste options and how the chat application was unexpectedly closed.

This accidental discovery has been now identified as a vulnerability with the CVE-2019-9019.

6. Discussion

What we have seen in the PoC, is a denial of service on an application running on a singe seat caused by the user of the application. No impact on other users.

Assuming that the fault is a buffer overflow, the exploitation of this type of errors to execute code is nowadays very complex, when possible. In this case, the application stops working when a single error is detected, which prevents to do further analysis. Current systems contains several mitigation techniques like ASLR (Address Space Layout Randomization) which forces the attacker to know the memory layout, therefore the attacker will have only one single try (no brute force). Also, the SSP (Stack Smashing Protector) is a very effective protection when the overflown buffer is located in the stack. And the old, but fast and effective, NX or DEP technique, which blocks the possibility to execute injected code.

Beside these classic protections, there are other restrictions that should be bypassed. As the limitation on the values that can be introduced in the buffer; since it is a human readable string, it may be limited to be ASCII characters. So, the presence of zeros (bytes set to zero) in any of the addresses that need to be controlled would also prevent the exploitation.

The last but not least issue to consider, is that the attacker shall know the kind of system (Windows, Linux, versions, etc.) and the processor type (x86, ARM, etc.).

Any of these "barriers" could make the code execution unlikely and all of them almost impossible or impractical.

Nevertheless, the error shall be fixed. Fortunately, the solution to this type of errors use to be simple.

7. Fake news exaggerating this

Unfortunately there are fake news exaggerating this for their own benefit.

It is important to differentiate between the vulnerability and how far you can get, and the Proof of Concept (PoC) we have showed in this brief report.The PoC presented in this report it can only be used to perform a Denial of Service against the Chat application. There are sensational news claiming privilege escalation or code execution but this is simply false.

Q: I have read in the news that this is a privilege escalation, is it true?
R: No. What we have showed is not a privilege escalation but a Denial of Service in the Chat application.

Q: Can attackers replicate the video attack to to get a shell or execute code?
R: No. The video shows a proof of concept that manifests a bug exploitation which is far from what it would be needed in an attack to get a shell or execute code.

Q: Are the entertainment systems crucial components in aviation?
R: No. As far as we know, the entertainment system is securely isolated from the rest of the system.

Q: Is this a minor or major vulnerability?
R: We think it is minor. Any answer with current knowledge is pure speculation.


Hector Marco - http://hmarco.org