The Common Vulnerabilities and Exposures (CVE) system has identified a new vulnerability, CVE-2022-35886, that affects the web interface of Abode Systems, Inc. iota All-In-One Security Kit versions 6.9Z and 6.9X. This post aims to provide a comprehensive overview of the vulnerability, including analysis, code snippets, links to original references, and exploit details.

Vulnerability Details

CVE-2022-35886 pertains to four format string injection vulnerabilities that exist in the web interface /action/wirelessConnect functionality of the affected Abode Systems iota All-In-One Security Kit products. When exploited, these vulnerabilities can lead to memory corruption, information disclosure, and denial of service in the targeted system.

An attacker can trigger these vulnerabilities by making an authenticated HTTP request, which contains malicious data within the default_key_id and key HTTP parameters. These format string injections occur within the /action/wirelessConnect handler and can allow remote attackers to compromise the targeted security kit's integrity and data confidentiality.

Code Snippet

The vulnerabilities stem from the unsafe use of format string specifiers within the wirelessConnect functionality. A code snippet illustrating this issue is provided below:

// vulnerable code in /action/wirelessConnect handler (illustrative reconstruction, not the vendor's source)
#include <stdio.h>
#include <string.h>

int wirelessConnect_handler(http_request *request) {
  char response[1024] = {0};
  char default_key_id[32] = {0};
  char key[64] = {0};

  // Retrieve the 'default_key_id' and 'key' parameters from the HTTP request
  get_http_parameter(request, "default_key_id", default_key_id, sizeof(default_key_id));
  get_http_parameter(request, "key", key, sizeof(key));

  // Unsafe usage of format string specifiers: the attacker-controlled
  // parameter values are passed as the *format* argument instead of as
  // data behind a constant "%s", so any %x, %s or %n directives they
  // contain are interpreted by snprintf.
  snprintf(response, sizeof(response), "Connecting to wireless network with default_key_id: ");
  snprintf(response + strlen(response), sizeof(response) - strlen(response), default_key_id);
  snprintf(response + strlen(response), sizeof(response) - strlen(response), " and key: ");
  snprintf(response + strlen(response), sizeof(response) - strlen(response), key);

  // ... (rest of the code)

  return 0;
}

In this code snippet, snprintf is used improperly: the request parameters are handed to it as the format string itself rather than as arguments to a constant format, so an attacker can inject their own format string specifiers through the input parameters, leading to the vulnerabilities described above.
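The hardened form of the same formatting step, together with an input-boundary check, as an added example that is not the vendor's code or part of the original post. The fixed builder keeps the format string constant and passes both parameters only as %s data; the validation policy (single-digit default_key_id, bounded key, no '%' in either) is an assumption made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Hardened replacement for the message-building step of a handler like
 * /action/wirelessConnect. The format string is a compile-time constant and
 * the attacker-controlled values are passed ONLY as %s arguments, so a value
 * such as "%x.%x.%x.%x" is copied literally and never interpreted.
 * Returns the number of bytes written, or -1 if the message was truncated. */
int build_connect_message(char *out, size_t out_len,
                          const char *default_key_id, const char *key) {
    int n = snprintf(out, out_len,
                     "Connecting to wireless network with default_key_id: %s and key: %s",
                     default_key_id, key);
    if (n < 0 || (size_t)n >= out_len)
        return -1;  /* truncated: caller must not treat 'out' as complete */
    return n;
}

/* Defence in depth and a cheap detection signal: neither parameter has any
 * legitimate reason to contain '%', so its presence is worth rejecting and
 * logging at the input boundary even when the formatting code is correct. */
bool looks_like_format_injection(const char *value) {
    return strchr(value, '%') != NULL;
}

/* Assumed validation policy for this example (not the vendor's): the key
 * index is a single decimal digit and the key is a non-empty string that
 * fits the 64-byte buffer used by the handler. */
bool wireless_params_ok(const char *default_key_id, const char *key) {
    size_t key_len = strlen(key);
    if (strlen(default_key_id) != 1 ||
        default_key_id[0] < '0' || default_key_id[0] > '9')
        return false;
    if (key_len == 0 || key_len > 63)
        return false;
    return !looks_like_format_injection(default_key_id) &&
           !looks_like_format_injection(key);
}
```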

Exploit Details

To exploit these vulnerabilities, an attacker needs to craft an authenticated HTTP request containing malicious payloads in the default_key_id and key parameters, for example:

POST /action/wirelessConnect HTTP/1.1
Host: target-host
Content-Length: 33
Content-Type: application/x-www-form-urlencoded

default_key_id=%x.%x.%x.%x&key=%s

Using this exploit, the attacker can cause the system to read and write arbitrary memory locations or disclose sensitive information, depending on the chosen format string specifiers.

The following references provide more in-depth analysis and discussion of CVE-2022-35886:

- CVE-2022-35886: Abode Systems iota All-In-One Security Kit Web Interface Format String Injection Vulnerability (NVD entry)
- Abode Systems iota All-In-One Security Kit Vulnerability Disclosure (Original disclosure)
- Exploiting Format String Injection Vulnerabilities (Guide to format string exploitation)

Conclusion

The format string injection vulnerabilities in the Abode Systems iota All-In-One Security Kit web interface (CVE-2022-35886) are critical security issues that can compromise the security of these devices. Users of the affected products are strongly recommended to update to the latest firmware version as soon as possible to mitigate the risks associated with this vulnerability. Developers can avoid this class of bug by practising secure coding techniques and following security best practices, such as regularly reviewing and testing code for potential weaknesses.

Timeline

Published on: 10/25/2022 17:15:00 UTC
Last modified on: 10/27/2022 15:18:00 UTC