Vulnerability CVE-2018-14980

Published: 2019-04-25

The ASUS ZenFone 3 Max Android device with a build fingerprint of asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys contains the android framework (i.e., system_server) with a package name of android (versionCode=24, versionName=7.0) that has been modified by ASUS or another entity in the supply chain. The system_server process in the core android package has an exported broadcast receiver that allows any app co-located on the device to programmatically initiate the taking of a screenshot and have the resulting screenshot be written to external storage (i.e., sdcard). The taking of a screenshot is not transparent to the user; the device has a screen animation as the screenshot is taken and there is a notification indicating that a screenshot occurred. If the attacking app also requests the EXPAND_STATUS_BAR permission, it can wake the device up using certain techniques and expand the status bar to take a screenshot of the user's notifications even if the device has an active screen lock. The notifications may contain sensitive data such as text messages used in two-factor authentication. The system_server process that provides this capability cannot be disabled, as it is part of the Android framework. The notification can be removed by a local Denial of Service (DoS) attack to reboot the device.



(Improper Neutralization of Special Elements used in a Command ('Command Injection'))

Vendor: ASUS
Product: Zenfone 3 max firmware 

CVSS2 => (AV:L/AC:L/Au:N/C:P/I:P/A:N)



Related CVE
An issue was discovered in ASUSWRT. There is a stack-based buffer overflow in the parse_req_queries function in wanduck.c via a long string over UDP, which may lead to an information leak.
AsusPTPFilter.sys on Asus Precision TouchPad hardware has a Pool Overflow associated with the \\.\AsusTP device, leading to a DoS or potentially privilege escalation via a crafted DeviceIoControl call.
A broken access control vulnerability in SmartHome app (Android versions up to 3.0.42_190515, iOS versions up to 2.0.22) allows an attacker in the same local area network to list user accounts and control IoT devices that connect with its gateway (HG...
The web api server on Port 8080 of ASUS HG100 firmware up to 1.05.12, which is vulnerable to Slowloris HTTP Denial of Service: an attacker can cause a Denial of Service (DoS) by sending headers very slowly to keep HTTP or HTTPS connections and associ...
System command injection in appGet.cgi on ASUS RT-AC3200 version allows attackers to execute system commands via the "load_script" URL parameter.
Format string vulnerability in appGet.cgi on ASUS RT-AC3200 version allows attackers to read arbitrary sections of memory and CPU registers via the "hook" URL parameter.
Buffer overflow in appGet.cgi on ASUS RT-AC3200 version allows attackers to inject system commands via the "hook" URL parameter.
Missing cross-site request forgery protection in appGet.cgi on ASUS RT-AC3200 version allows attackers to cause state-changing actions with specially crafted URLs.
