Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2020-28592: TALOS-2020-1216 || Cisco Talos Intelligence Group

A heap-based buffer overflow vulnerability exists in the configuration server functionality of the Cosori Smart 5.8-Quart Air Fryer CS158-AF 1.1.0. A specially crafted JSON object can lead to remote code execution. An attacker can send a malicious packet to trigger this vulnerability.

CVE
#vulnerability#cisco#js#intel#rce#buffer_overflow#wifi

Summary

A heap-based buffer overflow vulnerability exists in the configuration server functionality of the Cosori Smart 5.8-Quart Air Fryer CS158-AF 1.1.0. A specially crafted JSON object can lead to remote code execution. An attacker can send a malicious packet to trigger this vulnerability.

Tested Versions

Cosori Smart 5.8-Quart Air Fryer CS158-AF 1.1.0

Product URLs

https://www.cosori.com/shop/cosori-smart-58-quart-air-fryer-cs158-af

CVSSv3 Score

8.1 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-120 - Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)

Details

The Cosori Smart Air Fryer is a WiFi-enabled kitchen appliance that allows user to activate the device remotely, look up recipe guides and monitor cooking status via the mobile application.

During the initial setup phase, the embedded ESP-01E-based device functions as a WiFi access point that must be associated with before the mobile application can register the device with the appropriate cloud servers. During thatthis registration process, information about the device is queried via mobile app such as nearby access points and the firmware version.

This communication occurs over TCP port 41234 and all traffic is encrypted JSON with a static, symmetric key and IV that is embedded with the firmware:

.user_data_seg_3:3FFE911E 6C 6C 77 61+aLlwantaesivv10 .ascii “llwantaesivv1.01llwantaeskey1.01”

Where
KEY = "llwantaeskey1.01"
IV = "llwantaesivv1.01"

A plaintext example of such a client request would be:

{"uri":  "/queryWifiList"}

Which would return a JSON object containing nearby access points that the Air Fryer can locate. When returning this object, the server replaces ‘query’ w/ ‘reply’ and it is printed as debug information:

[I]<Vesync>Handler tcp message !                                                            
[D]<Vesync>Found uri !                                                                      
[D]<Vesync>Send to app : {"uri":"/replyWifiList","result":0,"totalPage":1,"currentPage":1,"}
[D]<Vesync>Send to app msg len : 931                                                        

Crash Information

If an invalid request is made, an error message is printed to the console:

"uri":"/replyAa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9DDDD","err":"57"

During this process, only 104 bytes are allocated for the response. .user_rom:40100FB7 22 21 1A l32i , a2, a1, 0x68 # <– malloc 104 (0x68) bytes .user_rom:40100FBA 42 A0 70 movi , a4, 0x70 .user_rom:40100FBD 00 30 20 mov , a3, a0 .user_rom:40100FC0 85 D1 FF call0 , pvPortMalloc

Therefore, if the JSON “uri” value begins with “/query” but has at least an additional 60 bytes appended to it that are non-null, a heap overflow occurs and the execution pointer is restored to the last 4 bytes of the “/query<60_bytes>" and depending on the address, the device will crash or code execution at the specified address will continue.

[D]<Vesync>                                                                                                                                                                               
                                                                                                                                                                                  
    "uri":  "/queryAa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9DDDD"                                                                                                  
                                                                                                                                                                                  
[I]<Vesync>Handler tcp message !                                                                                                                                                          
[D]<Vesync>Found uri !                                                                                                                                                                    
[I]<Vesync>encrypt                                                                                                                                                                        
[D]<Vesync>TCP send to APP : {"uri":"/replyAa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9DDDD","err":"57"}
Fatal exception 0(IllegalInstructionCause):                                                                                                                                               
�pc1=0x44444444, epc2=0x00000000, epc3=0x00000000, excvaddr=0x00000000, depc=0x00000000

Timeline

2021-12-21 - Initial contact
2021-01-05 - 1st follow up
2021-02-17 - 2nd follow up
2021-03-29 - Final 90 day+ follow up
2021-04-15 - Public Release

Discovered by Dave McDaniel of Cisco Talos.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907