CVE-2022-35885: Four Format String Injection Vulnerabilities in Abode iota All-In-One Security Kit

Abode Systems, Inc.'s iota All-In-One Security Kit versions 6.9Z and 6.9X have been found to contain four format string injection vulnerabilities in the /action/wirelessConnect functionality of the web interface. When exploited, these vulnerabilities can result in memory corruption, information disclosure, and denial of service. An attacker can trigger these vulnerabilities with an authenticated HTTP request. In this post, we will discuss the details of the vulnerabilities, their impact, and the steps to mitigate them.

Vulnerability Details

The vulnerability (CVE-2022-35885) arises from the format string injection via the wpapsk_hex HTTP parameter, as used within the /action/wirelessConnect handler. This injection leads to memory corruption, information disclosure, and denial of service.

The following code snippet illustrates the format string vulnerability in the /action/wirelessConnect handler:

if (strcmp(protocol, "WPA2PSK-AES") || strcmp(protocol, "WPA-WPA2PSK-TKIP-AES")) {
 strncpy(wpapsk_hex, ssid, sizeof_wpapsk_hex);
 strncat(wpapsk_hex, wpapsk, sizeof_wpapsk_hex - strlen(wpapsk_hex) - 1);
}

In this code, the wpapsk_hex parameter can be manipulated by the attacker to inject format string characters like %x and %n into the string, causing unintended behavior in the application.

Exploit Details

To exploit this vulnerability, an attacker needs to make an authenticated HTTP request to the targeted Abode iota Security Kit device. This can be achieved by intercepting an HTTP request and then modifying the wpapsk_hex parameter with the format string characters.

For example, the attacker could modify the HTTP request as follows

POST /action/wirelessConnect HTTP/1.1
Host: target-device-ip
Content-Type: application/x-www-form-urlencoded

protocol=WPA2PSK-AES&wpapsk_hex=%x%x%n&...

By injecting format string characters into the wpapsk_hex parameter, the attacker could potentially corrupt the memory, reveal sensitive information, or cause denial of service.

Mitigations

Abode Systems, Inc. has been notified of these vulnerabilities. Users of the impacted iota All-In-One Security Kit versions 6.9Z and 6.9X should keep an eye out for updates and patches from the vendor.

Conclusion

The discovery of the CVE-2022-35885 vulnerability in Abode Systems, Inc.'s iota All-In-One Security Kit serves as a reminder to both users and developers to exercise caution when developing and configuring web-based applications. Ensuring secure coding practices and keeping software up-to-date are crucial steps in preventing potential cyber attacks.

Original References

1. CVE-2022-35885 in NIST NVD
2. MITRE CVE-2022-35885
3. Abode Systems, Inc. iota All-In-One Security Kit

Timeline

Published on: 10/25/2022 17:15:00 UTC
Last modified on: 10/27/2022 15:18:00 UTC