Abode Systems, a provider of smart home security products, disclosed a vulnerability in its Iota All-In-One Security Kit, firmware versions 6.9Z and 6.9X. Tracked as CVE-2022-35880, it consists of four format string injection flaws in the device's UPnP logging functionality: the value of the NewInternalClient XML tag, as handled by the DoUpdateUPnPbyService action handler, is used directly as a format string. A specially crafted UPnP negotiation can therefore lead to memory corruption, information disclosure, and denial of service.

This post provides an in-depth analysis of CVE-2022-35880: the vulnerable code pattern, the original references, and how the flaw is triggered, explained in plain language.

Code Snippet

The vulnerability is caused by incorrect handling of the NewInternalClient XML tag during UPnP negotiation. In the DoUpdateUPnPbyService action handler, the logic responsible for the tag follows the pattern in the simplified snippet below (a reconstruction of the pattern, not the firmware's actual source):

void DoUpdateUPnPbyService() {
  // ...
  // Value of <NewInternalClient> taken from the gateway's SOAP response: attacker controlled
  char *NewInternalClient = (char *) IXML::getElementsByTagNameSafe(doc, "NewInternalClient");
  // ...
  // BUG: the untrusted value occupies the format-string position instead of being a %s argument
  UPNP_FUNCTION_LOG(1, NewInternalClient);
  // ...
}

As the snippet shows, the NewInternalClient value is retrieved with the IXML::getElementsByTagNameSafe() function and later handed to the UPNP_FUNCTION_LOG() macro, which is used for logging. The untrusted value occupies the format-string position rather than being passed as an argument to a constant "%s" format, so any % directives it contains are interpreted by the underlying printf-family call: %x and %s read from the stack or from arbitrary memory (information disclosure), %n writes to memory (corruption), and malformed or excessive directives can crash the process (denial of service).
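The following is an added example, not code from Abode's firmware or from the original advisory. It places the vulnerable pattern beside the hardened one using a stand-in for UPNP_FUNCTION_LOG (the function upnp_log() and the buffer it writes to are assumptions for the demo). The constructed tag value uses only "%%" so the vulnerable call's behaviour stays deterministic and observable; a real payload would use %x, %s or %n.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example: not Abode firmware code. upnp_log() is a stand-in for the
 * UPNP_FUNCTION_LOG macro; it formats into a static buffer and returns it so
 * the effect of the format string can be checked. */
static char g_logbuf[256];

static const char *upnp_log(int level, const char *fmt, ...)
{
    va_list ap;
    (void)level;                      /* log level is irrelevant for the demo */
    va_start(ap, fmt);
    vsnprintf(g_logbuf, sizeof g_logbuf, fmt, ap);
    va_end(ap);
    return g_logbuf;
}

/* Vulnerable pattern, as in the handler above: the tag value *is* the format
 * string, so every %-directive in it is interpreted by vsnprintf. A real
 * payload would use %x/%s to read memory or %n to write it; that is undefined
 * behaviour, so the sample below only uses "%%", whose effect is deterministic. */
const char *log_new_internal_client_vuln(const char *value)
{
    return upnp_log(1, value);
}

/* Hardened pattern: constant format string, untrusted value as a %s argument.
 * The value is copied verbatim no matter what it contains. */
const char *log_new_internal_client_safe(const char *value)
{
    return upnp_log(1, "NewInternalClient: %s", value);
}

/* Cheap pre-check: a NewInternalClient value (an IP address) never legitimately
 * contains '%', so its presence alone is a reason to drop the response. */
int has_format_directive(const char *value)
{
    return strchr(value, '%') != NULL;
}

int main(void)
{
    /* Constructed sample value, not captured traffic. */
    const char *tag_value = "10.0.0.5 %% %%";

    /* "%%" collapses to "%": proof that the input was parsed as a format string. */
    printf("vulnerable: \"%s\"\n", log_new_internal_client_vuln(tag_value));
    /* The same value survives unchanged through the fixed call. */
    printf("safe:       \"%s\"\n", log_new_internal_client_safe(tag_value));
    printf("has directive: %d\n", has_format_directive(tag_value));
    return 0;
}
```

The one-line fix is the second call: keep the format string a compile-time constant and pass the network-supplied value as an argument. Compiling with -Wformat-security flags the vulnerable form wherever the logger carries a printf-style format attribute.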

Original References

The vulnerability was discovered and reported by Cisco Talos. Official details, including the CVE entry and the original references, are available from:

1. NVD (National Vulnerability Database): CVE-2022-35880, which also links to the discloser's technical report.
2. Abode Systems: vendor firmware updates for the Iota All-In-One Security Kit (see Mitigation below).

Exploit Details

An attacker on the same local network can exploit the flaw by hosting a malicious UPnP service (posing as the Internet Gateway Device the Abode unit talks to) and taking part in the device's UPnP negotiation. The exploitation process involves the following steps:

1. Set up a malicious UPnP service on the attacker's machine, reachable from the target's LAN.
2. Craft the UPnP response message so that its NewInternalClient XML tag contains format string directives (for example %x, %s or %n) instead of an IP address.
3. Deliver the crafted message to the target Iota All-In-One Security Kit when it performs the UPnP negotiation.
4. The device parses the NewInternalClient tag and passes its value to the logging function as the format string, triggering the format string injection.
5. Depending on the directives used, this results in memory corruption, information disclosure, or denial of service on the affected device.
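To make steps 1 to 4 concrete, here is an added example (not Abode or researcher code) that models the exchange in simplified form and then shows the check that closes it at the parse boundary. The SOAP body is a constructed GetSpecificPortMappingEntry response, the tag extraction is a naive substring search standing in for the firmware's IXML parsing, and all function names are assumptions for the demo.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Abode or researcher code. It models the exchange in
 * steps 1-4 above in simplified form: the Abode device, acting as a UPnP
 * control point, asks the gateway for a port-mapping entry; a malicious
 * gateway answers with a SOAP body whose NewInternalClient carries format
 * directives instead of an IPv4 address. Tag extraction here is a naive
 * substring search standing in for the firmware's IXML parsing; the function
 * names are assumptions for the demo. */

/* Step 2: the attacker's hostile GetSpecificPortMappingEntryResponse.
 * Returns the number of bytes written, or -1 if the buffer is too small. */
int build_malicious_response(const char *payload, char *out, size_t outsz)
{
    int n = snprintf(out, outsz,
        "<?xml version=\"1.0\"?>"
        "<s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\">"
        "<s:Body>"
        "<u:GetSpecificPortMappingEntryResponse "
        "xmlns:u=\"urn:schemas-upnp-org:service:WANIPConnection:1\">"
        "<NewInternalPort>8443</NewInternalPort>"
        "<NewInternalClient>%s</NewInternalClient>"
        "<NewEnabled>1</NewEnabled>"
        "</u:GetSpecificPortMappingEntryResponse>"
        "</s:Body></s:Envelope>", payload);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* Step 4, device side: pull the text between <tag> and </tag>.
 * Returns 1 on success, 0 if the tag is missing or the value does not fit. */
int extract_tag_value(const char *xml, const char *tag, char *out, size_t outsz)
{
    char open[64], close[64];
    snprintf(open, sizeof open, "<%s>", tag);
    snprintf(close, sizeof close, "</%s>", tag);

    const char *start = strstr(xml, open);
    if (start == NULL) return 0;
    start += strlen(open);
    const char *end = strstr(start, close);
    if (end == NULL) return 0;

    size_t len = (size_t)(end - start);
    if (len >= outsz) return 0;
    memcpy(out, start, len);
    out[len] = '\0';
    return 1;
}

/* The fix at the parse boundary: NewInternalClient must be a dotted-quad
 * IPv4 literal. Anything else, '%' included, is rejected before it can reach
 * a logging call. */
int is_ipv4_literal(const char *s)
{
    int octets = 0;
    while (*s != '\0') {
        if (*s < '0' || *s > '9') return 0;      /* octet must start with a digit */
        int value = 0, digits = 0;
        while (*s >= '0' && *s <= '9') {
            value = value * 10 + (*s - '0');
            s++;
            if (++digits > 3) return 0;
        }
        if (value > 255) return 0;
        octets++;
        if (*s == '.') {
            s++;
            if (*s == '\0') return 0;            /* trailing dot */
        } else if (*s != '\0') {
            return 0;                            /* junk after an octet */
        }
    }
    return octets == 4;
}

/* Whole flow for one payload: build the hostile response, parse it the way
 * the device would, validate. Returns 1 if the value would be accepted,
 * 0 if rejected, -1 on a build/parse failure. */
int gateway_response_accepted(const char *payload)
{
    char xml[1024], client[64];
    if (build_malicious_response(payload, xml, sizeof xml) < 0) return -1;
    if (!extract_tag_value(xml, "NewInternalClient", client, sizeof client)) return -1;
    return is_ipv4_literal(client) ? 1 : 0;
}

int main(void)
{
    /* Constructed payloads, not captured traffic. */
    const char *payloads[] = { "192.168.1.25", "%x%x%x%x%n", "AAAA%s%s%s%s" };
    for (size_t i = 0; i < sizeof payloads / sizeof payloads[0]; i++)
        printf("%-16s -> %s\n", payloads[i],
               gateway_response_accepted(payloads[i]) == 1 ? "accepted" : "rejected");
    return 0;
}
```

Validating the field against what it is supposed to be (an IPv4 address) is independent of, and complementary to, fixing the logging call itself: even if another code path later uses the value as a format string, an attacker can no longer put a % in it.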

Mitigation

Abode Systems has released a firmware update that addresses these vulnerabilities. Users of Iota All-In-One Security Kit versions 6.9Z and 6.9X are advised to update as soon as possible to mitigate the risks associated with CVE-2022-35880. The update is provided through the official Abode site. Until the update is applied, limiting which hosts on the local network can reach the device reduces exposure, since exploitation requires a UPnP peer that the device negotiates with.

Conclusion

This post has presented a detailed explanation of CVE-2022-35880, which covers four format string injection vulnerabilities within the UPnP logging functionality of Abode Systems Iota All-In-One Security Kit versions 6.9Z and 6.9X. Users are strongly recommended to update their Abode systems to protect themselves from memory corruption, information disclosure, and denial-of-service attacks over the local network.

Timeline

Published on: 10/25/2022 17:15:00 UTC
Last modified on: 10/27/2022 15:58:00 UTC