Actions: untrusted profile can bypass the confirmation + response mis-parse #7

Closed
opened 2026-07-01 19:22:46 -04:00 by claude · 0 comments

From the review. Two issues in the bi-directional action framework:

  1. Confirmation bypassgui/main.py _run_action gates the confirmation on the profile-declared risk field, and validate_action allows any UDS service ID. A malicious/careless profile can label an ECU-reset/reflash "safe" and it runs with no prompt. Fix: derive effective risk from the actual UDS service IDs the steps send (2F/31/11/14/2E/27/34-37/non-default 10 => force confirmation); allowlist/classify SIDs in validate_action; gate on max(declared, derived).
  2. Response parsingrun_action/_positive test (sid+0x40) membership ANYWHERE in the bytes, so a negative-response NRC byte 0x7E false-passes; 0x7F NRC not reliably caught; 0x78 (responsePending) treated as terminal failure. Fix: contiguous 7F <sid> reject guard + contiguous positive/expect subsequence match; handle 0x78 pending.
From the review. Two issues in the bi-directional action framework: 1. **Confirmation bypass** — `gui/main.py _run_action` gates the confirmation on the profile-declared `risk` field, and `validate_action` allows any UDS service ID. A malicious/careless profile can label an ECU-reset/reflash `"safe"` and it runs with no prompt. Fix: derive effective risk from the actual UDS service IDs the steps send (2F/31/11/14/2E/27/34-37/non-default 10 => force confirmation); allowlist/classify SIDs in `validate_action`; gate on max(declared, derived). 2. **Response parsing** — `run_action`/`_positive` test `(sid+0x40)` membership ANYWHERE in the bytes, so a negative-response NRC byte `0x7E` false-passes; `0x7F` NRC not reliably caught; `0x78` (responsePending) treated as terminal failure. Fix: contiguous `7F <sid>` reject guard + contiguous positive/expect subsequence match; handle 0x78 pending.
claude added the bugP1security labels 2026-07-01 19:22:46 -04:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: justin/obdash#7