CVE CyberSecurity Database News

CVE-2023-34402 - Exploiting Arbitrary File Write in Mercedes-Benz NTG6 Head-Unit via Profile Import Function

Poster -

Summary:
A critical vulnerability, CVE-2023-34402, affects the Mercedes-Benz NTG6 head-unit infotainment system. By abusing the profile settings import/export functionality over USB, attackers can achieve Arbitrary File Write with speech service privileges. This post explains the vulnerability step by step, provides easy-to-understand exploit details, relevant code snippets, and original reference links.

What is NTG6 and Why Does it Matter?

NTG6 is the multimedia head-unit used in recent Mercedes-Benz vehicles. It handles audio, navigation, voice commands ("Hey Mercedes"), user profiles, and system updates. These units are essentially Linux-based computers. Many convenience features like profile transfer—as when you rent or buy a used car—require saving settings to USB, which can later be imported or exported.

The Vulnerability: Where Things Go Wrong

### The Import/Export Feature

Owners can export their profile settings (think seats, radio stations, climate controls) to a USB stick. The unit saves your data into a file on the drive, which can be restored into the same or even a different NTG6 unit.

The Bug: Insufficient Path Checks

When processing an imported profile container, the service fails to properly check file paths after extracting the encapsulated file. In particular, an attacker can craft a malicious container such that the embedded file “breaks out” of the intended directory via path traversal (../). This oversight allows writing a file to arbitrary locations, with the privileges of the speech service (which often has access to sensitive parts of the filesystem).

Inside it, place a malicious payload (e.g., a shell script or config file).

3. Name the payload with path traversal, like ../exploit.sh.
4. Copy this file to a USB stick and hand it to a target (e.g., during a test drive, valet, or malicious rental staff).
5. The victim imports the file; the NTG6 drops exploit.sh into the system root or another protected location.
6. The attacker gains either persistent code execution (on next boot/run), or the ability to overwrite important configuration files.

Suppose NTG6 expects an exported file like

profile_export.bin
├── user_settings.dat

You can instead create

profile_export.bin
├── ../exploit.sh

A code example of constructing such a ZIP-based container on your desktop

# Python 3: Create malicious USB profile file for NTG6
import zipfile

with zipfile.ZipFile('profile_export.bin', 'w') as z:
    # This will traverse up one directory upon extraction
    z.writestr('../exploit.sh', "#!/bin/sh\necho HACKED > /tmp/hacked\n")

When the owner imports the “profile,” the service does something like this (pseudocode)

def import_profile(file):
    with open(file) as archive:
        # NOTE: No path check!
        archive.extractall('/var/user_profiles/tmp')

If you managed to include ../exploit.sh, this will write /var/user_profiles/exploit.sh—or potentially, thanks to weak path parsing, elsewhere.

If the speech service executes scripts, config files, or simply lets you overwrite important files, this leads to privilege escalation or denial of service.

Impact & Real-World Scenarios

- Privilege escalation: If you can plant a script in an autostarted location or overwrite system files, you may gain persistent root.
- System Takeover: Speech services sometimes talk to more privileged system components, giving attackers indirect control.

References

- Original Advisory on CVE-2023-34402 at NVD
- Mercedes-Benz Bulletin (example)
- Path Traversal and File Overwrite Attacks in ZIP/Archive Extraction
- Python Zipfile Docs

Always sanitize extracted paths!

- Use secure libraries which block paths containing ../ or absolute paths when unpacking user files.

Sample Patch (Python)

import os

def safe_extract(zipf, path):
    for member in zipf.namelist():
        # Avoid paths with ../ or starting with /
        if '..' in member or member.startswith('/'):
            continue  # Skip or raise error
        zipf.extract(member, path)

Concluding Thoughts

CVE-2023-34402 is a textbook case of path traversal via insufficient validation during file extraction. In a “smart” car, these bugs can have very real consequences—highlighting the need for traditional cybersecurity design even in modern vehicles.

Stay safe and up-to-date—with your devices and your wheels!

*This research is original and intended for awareness and defensive education only. Please use responsibly.*

Timeline

Published on: 02/13/2025 23:15:09 UTC
Last modified on: 03/14/2025 18:15:26 UTC