Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-34761 PoC — 7-Eleven LED Message Cup 安全漏洞

Source
https://github.com/actuator/7-Eleven-Bluetooth-Smart-Cup-Jailbreak
Associated Vulnerability
Title:7-Eleven LED Message Cup 安全漏洞 (CVE-2023-34761)
Description:An unauthenticated attacker within BLE proximity can remotely connect to a 7-Eleven LED Message Cup, Hello Cup 1.3.1 for Android, and bypass the application's client-side chat censor filter.
Description
'Hacking' a 7-Eleven Bluetooth Smart Cup | CVE-2023-34761
Readme
** 7-Eleven Bluetooth Smart Cup Jailbreak ** 

**Warning: Viewer Discretion is Advised** 

#  ![thanks!](https://github.com/actuator/7-Eleven-Bluetooth-Smart-Cup-Jailbreak/assets/78701239/c2a3b84c-0c8b-496e-8dfa-7e29a67b0d5e)

In 2019 7-Eleven distributed a limited promotional item they generically named the 'Custom Message Cup’*.
* https://fccid.io/2AQNV-60961HC

Customers could personalize their cups with their own messages & slogans.

The cup consists of a plastic shell lined with an LED strip that communicates via BlueTooth Low Energy & allows users to send messages from their mobile device & is available for Android & iOs.

There is a word filter restriction on this promotional cup that displays filtered words using asterixis '*'.

![Capture](https://github.com/actuator/7-Eleven-Bluetooth-Smart-Cup-Jailbreak/assets/78701239/55b4e78e-755c-41b1-9e74-f2946e58b128)

Searching the source via JADX-GUI revealed the de-facto list of vulgar words & the regex word filter accomplished via  client-side filtering* so I proceeded to edit that wordlist. 

![pottymouth](https://user-images.githubusercontent.com/78701239/236337322-3666ac1d-a154-47a7-b8c2-e90a95548d2a.PNG)


APK Easy Tool was effective in providing a turn-key solution to decompile, sign & recompile the 'Hello Cup'(v1.3.1) Application.

The first step was to retrieve the Smali resource files that is essentially specialized assembly language code that is used to represent the Dalvik bytecode of Android applications & specific to the Android runtime environment.

![pogobad](https://user-images.githubusercontent.com/78701239/236341352-f93b04d0-090f-4bee-a6af-fb77140e3639.PNG)

Because I quit ‘Pokemon GO’ only the string 'pogo' will be restricted & everything else previously banned such as 'ugly' (really?) will no longer be filtered.

![Ugly](https://github.com/actuator/7-Eleven-Bluetooth-Smart-Cup-Jailbreak/assets/78701239/67d5442f-bda9-476f-b51b-7ab37b399b0e)

As a result the message 'Ugly Censorship' previously rendered as '**** Censorship' will now display 'Ugly Censorship'.

![Ugly2](https://github.com/actuator/7-Eleven-Bluetooth-Smart-Cup-Jailbreak/assets/78701239/b157a88f-52fb-4426-be7e-2bc01153cd1e)

Although modifying the application was trivial, it served as an interesting illustration bypassing client-side filtering.


** CWE-602: Client-Side Enforcement of Server-Side Security 

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34761
File Snapshot

 [4.0K]  /data/pocs/e1fde4f5fcf729e6b4b7bcc8f9bc72283b9e0c5c
├── [1.9M]  Hello Cup_1.3.CRACKED.apk
└── [2.4K]  README.md

0 directories, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →