CVE-2019-9831

Vulnerability

The Android application AirMore (through version 1.6.1 [1], maintainer: vendor) exposes an HTTP endpoint on the device that handles / with a query parameter Key=PhoneRequestAuthorization. An attacker can send many simultaneous POST requests to this endpoint, exhausting device resources and causing a system hang. No special configuration is required; the bug relies on the endpoint being accessible over the network.

Exploitation

The attacker must be on the same network as the target AirMore device (IP address and default port 2333) [1]. The exploit code opens 10000 threads, each sending a POST request with headers that mimic a browser session. The requests are sent concurrently and repeatedly, overwhelming the service [1].

Impact

Successful exploitation results in a denial of service (DoS) – the Android device becomes unresponsive and may freeze [1]. No authentication, user interaction, or write access is required; an unauthenticated remote attacker with network connectivity can cause the system hang.

Mitigation

No fixed version has been released. As of the publication date (2019-03-15), the vendor had not provided a patch. Users should avoid using AirMore on networks untrusted or block the relevant port (2333) at the firewall [1]. The product may be end-of-life; refer to the vendor homepage for current status.