CVE-2018-14998: OS Command Injection
The Leagoo P1 Android device with a build fingerprint of sp7731c_1h10_32v4_bird:6.0/MRA58K/android.20170629.214736:user/release-keys contains a hidden root privilege escalation capability to achieve command execution as the root user. They have made modifications that allow a user with physical access to the device to obtain a root shell via ADB by modifying read-only system properties at runtime. Specifically, modifying the ro.debuggable and the ro.secure system properties to a certain value and then restarting the ADB daemon allows for a root shell to be obtained via ADB.
Affected Software
Event History
Frequently Asked Questions
What is CVE-2018-14998?
CVE-2018-14998 refers to a vulnerability in the Leagoo P1 Android device that allows a user with physical access to achieve command execution as the root user.
What is the severity of CVE-2018-14998?
CVE-2018-14998 has a severity rating of 6.8 (High).
What is the affected software of CVE-2018-14998?
The Leagoo P1 Firmware is affected by CVE-2018-14998.
How can I fix CVE-2018-14998?
To fix CVE-2018-14998, it is recommended to update the Leagoo P1 Android device firmware to a version that resolves the vulnerability.
Where can I find more information about CVE-2018-14998?
More information about CVE-2018-14998 can be found at the following references: [link1](https://www.kryptowire.com/portal/android-firmware-defcon-2018/), [link2](https://www.kryptowire.com/portal/wp-content/uploads/2018/12/DEFCON-26-Johnson-and-Stavrou-Vulnerable-Out-of-the-Box-An-Eval-of-Android-Carrier-Devices-WP-Updated.pdf).