PT-2019-9357 · Vtech · Vtech Storio Max

Published 2019-06-19 · Updated 2020-08-24 · CVE-2018-16618

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

VTech Storio Max version before 56.D3JM6

Description

The issue allows remote command execution via shell metacharacters in an Android activity name. The device runs the storeintenttranslate.x service, which listens for requests on localhost port 1668. Requests submitted to this service are checked for a string of random characters followed by the name of an Android activity to start. Inserting shell metacharacters into that activity name causes arbitrary commands to run as root. Because the requests are also valid HTTP, any web page rendered on the device can trigger them by requesting a resource at an http://127.0.0.1:1668/ URI.

Recommendations

For VTech Storio Max version before 56.D3JM6, update to version 56.D3JM6 or later to resolve the issue. As a temporary workaround, consider restricting access to the storeintenttranslate.x service on port 1668 to minimize the risk of exploitation. Avoid using the http://127.0.0.1:1668/ endpoint in web pages rendered on the device until the issue is resolved.
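The class of fix for the flaw described above, as an added example that is not VTech's code: validate the activity name against a strict allowlist and pass it as a single argument vector element, so no shell ever parses it. The function names, the use of /system/bin/am as the launcher, and the sample names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Allowlist for an Android component name of the form "package/class":
 * ASCII letters, digits, '_' and '.', with exactly one interior '/'.
 * Every shell metacharacter falls outside this set and is rejected. */
int component_is_safe(const char *s)
{
    size_t len = strlen(s), slashes = 0;
    if (len == 0 || len > 255) return 0;
    for (size_t i = 0; i < len; i++) {
        char c = s[i];
        if (c == '/') {
            if (i == 0 || i == len - 1 || ++slashes > 1)
                return 0;
        } else if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                     (c >= '0' && c <= '9') || c == '_' || c == '.')) {
            return 0;
        }
    }
    return slashes == 1;
}

/* Build argv for execv() rather than a string for system(): the name stays
 * one argument and no shell parses it. Assumption: activities are launched
 * via /system/bin/am. Returns argc (4), or -1 if rejected or cap < 5. */
int build_am_argv(const char *component, const char *argv[], size_t cap)
{
    if (cap < 5 || !component_is_safe(component))
        return -1;
    argv[0] = "/system/bin/am";
    argv[1] = "start";
    argv[2] = "-n";
    argv[3] = component;
    argv[4] = NULL;
    return 4;
}

int main(void)
{
    /* Constructed sample names, not taken from the device. */
    const char *samples[] = { "com.example.app/.MainActivity", "com.example.app/.Main;id" };
    const char *argv[5];
    for (size_t i = 0; i < 2; i++)
        printf("%-32s -> %s\n", samples[i],
               build_am_argv(samples[i], argv, 5) == 4 ? "accepted" : "rejected");
    return 0;
}
```

Either control alone closes the injection path; applying both keeps the service safe if one is later weakened.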

Exploit

Fix

OS Command Injection


Weakness Enumeration

Related Identifiers

CVE-2018-16618

Affected Products

Vtech Storio Max