CVE-2023-33294
📋 TL;DR
CVE-2023-33294 is a critical remote code execution vulnerability in KaiOS 3.0 where an exposed local web server on port 2929 allows arbitrary bash command execution as root. Any website visited by the user can exploit this to steal data, delete files, or render the device inoperable. All KaiOS 3.0 users before version 3.1 are affected.
💻 Affected Systems
- KaiOS
📦 What is this software?
Kaios by Kaiostech
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise: attacker gains root access, can delete critical system files, modify system properties to brick the device, steal all user data including installed apps, notifications, and downloads.
Likely Case
Data theft and limited system modification: attackers would likely steal user data (installed apps, notifications, downloads) and potentially delete user files or modify non-critical system properties.
If Mitigated
Limited impact due to SELinux: SELinux prevents reads/writes/modifications to protected partitions, so core system files remain protected even if exploited.
🎯 Exploit Status
Exploitation requires only visiting a malicious website; no authentication or user interaction beyond browsing is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: KaiOS 3.1
Vendor Advisory: https://kaios.dev/cve/1411380
Restart Required: Yes
Instructions:
1. Update KaiOS to version 3.1 or later via device settings.
2. Restart the device after the update completes.
🔧 Temporary Workarounds
Block port 2929 at firewall
(Linux) Prevent access to the vulnerable web server by blocking port 2929:
iptables -A INPUT -p tcp --dport 2929 -j DROP
Disable tctweb_server service
(All platforms) Stop and disable the vulnerable service if possible:
adb shell pm disable com.tct.web.server
adb shell stop tctweb_server
🧯 If You Can't Patch
- Avoid browsing untrusted websites on affected devices
- Use network-level filtering to block access to port 2929
🔍 How to Verify
Check if Vulnerable:
Check whether tctweb_server is listening on port 2929:
netstat -tlnp | grep 2929
ps aux | grep tctweb_server
Check Version:
adb shell getprop ro.build.version.release
Verify Fix Applied:
Verify KaiOS version is 3.1 or later in device settings, and confirm tctweb_server is not running on port 2929
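The verification steps above can be scripted so the result is a single vulnerable/not-vulnerable verdict. The following is an added example, not a tool from KaiOS or the advisory: it runs the three commands listed above over adb (an assumption about how the device is reached), but the parsing functions take the command output as text, so they can be exercised offline against the constructed sample output at the bottom.

```python
"""Vulnerability check for CVE-2023-33294 (added example, not vendor tooling).

Assumption (not from the advisory): the device is reachable over `adb shell`.
The netstat/ps/getprop commands are the ones the advisory lists; the parsers
take their output as text so the logic can be tested without a device.
"""
import re
import subprocess

VULN_PORT = 2929
VULN_PROCESS = "tctweb_server"
FIXED_VERSION = (3, 1)  # KaiOS 3.1 is the patched release


def parse_version(release: str):
    """Turn 'ro.build.version.release' output such as '3.0' into (major, minor)."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised version string: {release!r}")
    return (int(m.group(1)), int(m.group(2) or 0))


def version_is_fixed(release: str) -> bool:
    return parse_version(release) >= FIXED_VERSION


def listener_on_port(netstat_output: str, port: int = VULN_PORT):
    """Return the PID/program column of a LISTEN socket on `port`, or None."""
    for line in netstat_output.splitlines():
        cols = line.split()
        if len(cols) < 6 or cols[0] not in ("tcp", "tcp6"):
            continue  # header lines and non-TCP rows
        local, state = cols[3], cols[5]
        if state == "LISTEN" and local.rsplit(":", 1)[-1] == str(port):
            return cols[6] if len(cols) > 6 else "unknown"
    return None


def process_running(ps_output: str, name: str = VULN_PROCESS) -> bool:
    """True if a process named `name` appears in `ps aux` output (ignoring grep itself)."""
    return any(name in line and "grep" not in line for line in ps_output.splitlines())


def assess(release: str, netstat_output: str, ps_output: str) -> dict:
    """Combine the three checks into one verdict."""
    listener = listener_on_port(netstat_output)
    running = process_running(ps_output)
    fixed = version_is_fixed(release)
    return {
        "version": release.strip(),
        "version_fixed": fixed,
        "listener": listener,
        "tctweb_server_running": running,
        # Treat the device as vulnerable if the build predates 3.1 OR the
        # server is still present, since the fix is supposed to remove it.
        "vulnerable": (not fixed) or listener is not None or running,
    }


def adb(cmd):
    """Run a command on the device via adb and return its stdout (assumed setup)."""
    return subprocess.run(["adb", "shell"] + cmd, capture_output=True,
                          text=True, check=True).stdout


def assess_device() -> dict:
    return assess(adb(["getprop", "ro.build.version.release"]),
                  adb(["netstat", "-tlnp"]),
                  adb(["ps", "aux"]))


# Constructed sample output (not captured from a real device).
SAMPLE_VERSION = "3.0"
SAMPLE_NETSTAT = """Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:2929          0.0.0.0:*               LISTEN      812/tctweb_server
tcp        0      0 0.0.0.0:5555            0.0.0.0:*               LISTEN      301/adbd
"""
SAMPLE_PS = """USER  PID  %CPU %MEM  COMMAND
root  812  0.0  0.4  /system/bin/tctweb_server
shell 901  0.0  0.1  /system/bin/sh
"""

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION, SAMPLE_NETSTAT, SAMPLE_PS))
```

Run `assess_device()` with a device attached; the sample data shows the expected shape of a vulnerable result (version 3.0, a root-owned tctweb_server listening on 127.0.0.1:2929). The verdict deliberately stays "vulnerable" if the listener survives a version bump, because the version string alone does not prove the service is gone.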
📡 Detection & Monitoring
Log Indicators:
- Unusual process execution from tctweb_server
- Network connections to port 2929 from browser processes
Network Indicators:
- HTTP requests to port 2929 with bash commands in parameters
- Unusual outbound traffic following local port 2929 access
SIEM Query:
process_name='tctweb_server' AND (destination_port=2929 OR command_line CONTAINS 'bash')
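The log and network indicators above, turned into detection logic over sample events. This is an added example, not part of the advisory: the key=value log format, the field names (`type`, `dst_port`, `url`, `parent`, `direction`, `dst`) and the sample lines are constructed assumptions standing in for whatever the device or a proxy actually emits, and the 60-second correlation window is a chosen tuning value.

```python
"""Detection logic for the CVE-2023-33294 indicators (added example, not from the advisory).

Assumed input: one event per line in 'ts=... key=value ...' form, with three
event types: http (browser request), process (process start), netflow (flow).
Map the field names to your own log source.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

VULN_PORT = 2929
VULN_PROCESS = "tctweb_server"
OUTBOUND_WINDOW = timedelta(seconds=60)  # assumed tuning value
# Tokens that make a query parameter look like a shell command rather than data.
SHELL_TOKENS = re.compile(r"(?:\bbash\b|\bsh\b|;|\|\||&&|\$\(|`|\n)")


def parse_event(line: str) -> dict:
    """Parse 'key=value' pairs (values may be double-quoted); 'ts' becomes a datetime."""
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', line)
    ev = {k: v.strip('"') for k, v in pairs}
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def has_shell_command(url: str) -> bool:
    """True if the URL-decoded query string carries shell syntax."""
    query = url.partition("?")[2]
    return bool(SHELL_TOKENS.search(unquote(query)))


def detect(lines):
    """Return (rule, timestamp, detail) alerts for the three advisory indicators."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    alerts = []
    last_local_access = None
    for ev in events:
        kind = ev.get("type")
        if kind == "http" and ev.get("dst_port") == str(VULN_PORT):
            # Indicator: HTTP request to port 2929 with a command in its parameters.
            last_local_access = ev["ts"]
            if has_shell_command(ev.get("url", "")):
                alerts.append(("shell_in_params", ev["ts"], ev.get("url")))
        elif kind == "process" and ev.get("parent") == VULN_PROCESS:
            # Indicator: process execution spawned by tctweb_server.
            alerts.append(("child_of_tctweb_server", ev["ts"], ev.get("cmd")))
        elif kind == "netflow" and ev.get("direction") == "out":
            # Indicator: outbound traffic shortly after a local port-2929 access.
            if last_local_access and ev["ts"] - last_local_access <= OUTBOUND_WINDOW:
                alerts.append(("outbound_after_2929", ev["ts"], ev.get("dst")))
    return alerts


# Constructed sample events (not real device logs); the path is a placeholder.
SAMPLE_LOG = [
    'ts=2023-06-01T10:00:00Z type=http src=browser dst_port=2929 url="/placeholder-endpoint?cmd=uname%20-a%3B%20id"',
    'ts=2023-06-01T10:00:01Z type=process parent=tctweb_server user=root cmd="bash -c id"',
    'ts=2023-06-01T10:00:03Z type=netflow direction=out dst=203.0.113.10:443 bytes=48211',
    'ts=2023-06-01T10:05:00Z type=http src=browser dst_port=80 url="/index.html"',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample data all three rules fire in sequence, which is the pattern worth paging on; any one of them alone is weaker evidence. The outbound rule in particular is noisy on a phone that is always talking to the network, so in a real deployment scope it to destinations the device has not contacted before, or use it only to raise the severity of a `shell_in_params` or `child_of_tctweb_server` hit.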