Four format string injection vulnerabilities have been discovered in the web interface /action/wirelessConnect functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9Z and 6.9X. These vulnerabilities can lead to memory corruption, information disclosure, and denial of service on affected systems. In order to exploit these vulnerabilities, an attacker can simply send an authenticated HTTP request to target devices.

Vulnerabilities

The vulnerabilities arise from format string injection via the ssid_hex HTTP parameter, as used within the /action/wirelessConnect handler. The specific issues identified include:

1. Memory corruption: A specially-crafted HTTP request containing format string specifiers (e.g., %x, %s, %n) in the ssid_hex parameter can cause memory corruption, potentially crashing the device or executing arbitrary code.

2. Information disclosure: Format string specifiers (e.g., %x, %s, %n) can be used to read memory content, potentially leaking sensitive data such as encryption keys, passwords, or other credentials.

3. Denial of service: By repeatedly sending HTTP requests with crafted ssid_hex parameters, an attacker can cause high CPU usage and/or memory consumption, leading to a denial of service and making the device unresponsive or unstable.

4. Remote code execution: Possible, though difficult to achieve due to limited memory space and the need for precise control over memory layout.

1. Gain access to the IoT network containing the vulnerable Abode Systems iota Security Kit.

2. Send an authenticated HTTP request to the /action/wirelessConnect endpoint with a malicious ssid_hex parameter containing crafted format string specifiers.

An example of a crafted HTTP request exploiting this vulnerability:

POST /action/wirelessConnect HTTP/1.1
Host: vulnerable-device
Content-Type: application/x-www-form-urlencoded
Cookie: auth_token=my_auth_token

ssid_hex=%2525x%2525x%2525x%2525n&...other_params...

Affected Versions

Abode Systems, Inc. iota All-In-One Security Kit 6.9Z and 6.9X are known to be affected by these vulnerabilities.

Mitigation

Users are encouraged to update their devices to the latest firmware version provided by Abode Systems, Inc. Additionally, follow best practices to secure IoT devices, e.g., change default device usernames/passwords, ensure the security of your local network, and use a separate VLAN for IoT devices.
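On the firmware side, the fix for this bug class is to treat the SSID strictly as data: validate it, then print it through a constant format string. The sketch below is an added example, not Abode's code; the function names, the buffer sizes, the "ssid=" output line, and the assumption that the handler hex-decodes ssid_hex are all hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define SSID_MAX 32 /* 802.11 SSID length limit in bytes */

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Decode ssid_hex into a NUL-terminated SSID. Returns the length, or -1 if the
 * input is empty, odd-length, not hex, too long, or contains a NUL byte. */
int decode_ssid_hex(const char *hex, char ssid[SSID_MAX + 1]) {
    size_t n = strlen(hex);
    if (n == 0 || n % 2 != 0 || n / 2 > SSID_MAX) return -1;
    for (size_t i = 0; i < n / 2; i++) {
        int hi = hexval((unsigned char)hex[2 * i]);
        int lo = hexval((unsigned char)hex[2 * i + 1]);
        if (hi < 0 || lo < 0 || (hi == 0 && lo == 0)) return -1;
        ssid[i] = (char)(hi << 4 | lo);
    }
    ssid[n / 2] = '\0';
    return (int)(n / 2);
}

/* Build a status line that contains the SSID. Returns 0 on success, -1 on error.
 * UNSAFE pattern (the bug class described above):
 *     snprintf(out, outlen, ssid);    SSID bytes are parsed as a format string
 * HARDENED: constant format, SSID passed only as an argument. */
int format_ssid_line(const char *ssid_hex, char *out, size_t outlen) {
    char ssid[SSID_MAX + 1];
    if (decode_ssid_hex(ssid_hex, ssid) < 0) return -1;
    int w = snprintf(out, outlen, "ssid=%s", ssid);
    return (w < 0 || (size_t)w >= outlen) ? -1 : 0;
}

int main(void) {
    char line[64];
    /* Constructed sample: hex encoding of the six bytes "%x%x%n". */
    if (format_ssid_line("25782578256e", line, sizeof line) == 0) puts(line);
    return 0;
}
```

With the constant format, an SSID made of conversion specifiers comes out as literal text. Building with -Wformat -Wformat-security -Werror makes the compiler reject the unsafe pattern.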

References

For more information on these vulnerabilities and mitigation steps, please refer to the original CVE report (CVE-2022-35884) and the Abode Systems, Inc. security advisory.

Timeline

Published on: 10/25/2022 17:15:00 UTC
Last modified on: 10/27/2022 15:17:00 UTC