Vulnerabilities > CVE-2017-14452 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Insteon HUB Firmware 1012

047910
CVSS 8.8 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
insteon
CWE-119

Summary

An exploitable buffer overflow vulnerability exists in the PubNub message handler for the "control" channel of Insteon Hub running firmware version 1012. Specially crafted replies received from the PubNub service can cause buffer overflows on a global section overwriting arbitrary data. A strcpy overflows the buffer insteon_pubnub.channel_cc_r, which has a size of 16 bytes. An attacker can send an arbitrarily long "c_r" parameter in order to exploit this vulnerability. An attacker should impersonate PubNub and answer an HTTPS GET request to trigger this vulnerability.

Vulnerable Configurations

Part Description Count
OS
Insteon
1
Hardware
Insteon
1

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Seebug

bulletinFamilyexploit
description### Summary Multiple exploitable buffer overflow vulnerabilities exists in the PubNub message handler for the "control" channel of Insteon Hub running firmware version 1012. Specially crafted replies received from the PubNub service can cause buffer overflows on a global section overwriting arbitrary data. An attacker should impersonate PubNub and answer an HTTPS GET request to trigger this vulnerability. ### Tested Versions Insteon Hub 2245-222 - Firmware version 1012 ### Product URLs http://www.insteon.com/insteon-hub ### CVSSv3 Score 8.5 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H ### CWE CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') ### Details Insteon produces a series of devices aimed at controlling and monitoring a home: wall switches, led bulbs, thermostats, cameras, etc. One of those is Insteon Hub, a central controller which allows an end-user to use his smartphone to connect to his own house remotely and manage any other device through it. The Insteon Hub board utilizes several MCUs, the firmware in question is executed by a Microchip PIC32MX MCU, which has a MIPS32 architecture. The firmware uses Microchip's "Libraries for Applications" as core for the application code. Its functionality resides on a co-operative multitasking loop, which continuously executes all the existing tasks: the library already defines several tasks, e.g. for reading and sending network packets and calling the relative callbacks. Custom applications building on this library simply need to add new functions at the end of the loop, taking care of executing tasks as quickly as possible, or splitting them in several loop cycles, in order to let other tasks running smoothly. To enable remote interaction via the Internet, Insteon Hub uses an online service called PubNub (https://www.pubnub.com/). End-users install the "Insteon for Hub" application on their smartphone. Both the smartphone application and Insteon Hub include the PubNub SDK, which allows for a bi-directional communication using PubNub's REST API. The interaction with PubNub happens by means of publish/subscribe methods. Each device has a series of channels it can subscribe to, in order to receive published messages. To subscribe to a specific channel it's enough to call the function pubnub_subscribe (defined in the PubNub SDK), passing as parameter the channel name and a callback function that will be called when a message is received on the specified channel. The device defines a function which parses messages received from PubNub on channel "control": sub_9d053904. The function has a similar signature to the callbacks defined in PubNub's SDK. A peculiarity of this function is that it's only called after factory reset, in order to configure the device: a request is made to PubNub to retrieve channels and a key to use during normal operation, and PubNub should answer with a "JSON" containing these information. Example: ``` - device requests: https://prod.insteon.pubnub.com/subscribe/sub-c-e1c54032-1685-11e4-b69f-02ee2ddab7fe/HUB2-112233-control/0/1234567890?uuid=HUB2-112233&auth=00112233445566778899aabbccddeeff - PubNub answers: [ [{ "cc": "112233-cc", "cc_r": "112233-cc_r", "ad": "112233-ad", "ad_r": "112233-ad_r", "al": "hub2-alert", "ak": "AABBCCDDAABBCCDDAABBCCDDAABBCCDD" }], "0987654321"] ``` Note that "ak" is an authentication key represented as 16 hex-encoded bytes, while "112233" corresponds to the insteon-id (lower 3 octets of the MAC address). As we can see, PubNub answers with a "JSON" file containing 6 elements. The function sub_9d053904 simply has to parse this string and save it into a global object for later use. ``` seg000:9D053904 # void __cdecl sub_9D053904(void *pubnub_obj, int state, int http_code, char *channel, char *response, char *msgid, void *cb_data) seg000:9D053904 sub_9d053904: seg000:9D053904 seg000:9D053904 src = -0x48 seg000:9D053904 var_44 = -0x44 seg000:9D053904 var_40 = -0x40 seg000:9D053904 var_38 = -0x38 seg000:9D053904 pubnub_obj= -0x34 seg000:9D053904 channel_cc_ptr= -0x30 seg000:9D053904 var_28 = -0x28 seg000:9D053904 var_24 = -0x24 seg000:9D053904 var_20 = -0x20 seg000:9D053904 var_1C = -0x1C seg000:9D053904 var_18 = -0x18 seg000:9D053904 var_14 = -0x14 seg000:9D053904 var_10 = -0x10 seg000:9D053904 var_C = -0xC seg000:9D053904 var_8 = -8 seg000:9D053904 var_4 = -4 seg000:9D053904 response= 0x10 seg000:9D053904 msgid = 0x14 seg000:9D053904 cb_data = 0x18 seg000:9D053904 seg000:9D053904 000 A8 FF BD 27 addiu $sp, -0x58 ... seg000:9D053930 058 21 80 80 00 move $s0, $a0 # [1] ... seg000:9D053938 058 68 00 B2 8F lw $s2, 0x58+response($sp) # [2] ... seg000:9D05397C 058 00 00 42 82 lb $v0, 0($s2) seg000:9D053980 058 94 00 40 50 beqzl $v0, loc_9D053BD4 # [3] ... seg000:9D053988 058 B7 43 41 0F jal cJSON_Parse # [4] seg000:9D05398C 058 21 20 40 02 move $a0, $s2 seg000:9D053990 058 21 90 40 00 move $s2, $v0 seg000:9D053994 058 21 20 40 00 move $a0, $v0 seg000:9D053998 058 08 9D 05 3C lui $a1, 0x9D08 seg000:9D05399C 058 F3 43 41 0F jal cJSON_GetObjectItem # [5] seg000:9D0539A0 058 3C 9D A5 24 la $a1, aCc # "cc" seg000:9D0539A4 058 21 A8 40 00 move $s5, $v0 seg000:9D0539A8 058 21 20 40 02 move $a0, $s2 seg000:9D0539AC 058 08 9D 05 3C lui $a1, 0x9D08 seg000:9D0539B0 058 F3 43 41 0F jal cJSON_GetObjectItem # [6] seg000:9D0539B4 058 40 9D A5 24 la $a1, aCc_r # "cc_r" seg000:9D0539B8 058 21 B8 40 00 move $s7, $v0 seg000:9D0539BC 058 21 20 40 02 move $a0, $s2 seg000:9D0539C0 058 08 9D 05 3C lui $a1, 0x9D08 seg000:9D0539C4 058 F3 43 41 0F jal cJSON_GetObjectItem # [7] seg000:9D0539C8 058 48 9D A5 24 la $a1, aAd # "ad" seg000:9D0539CC 058 21 B0 40 00 move $s6, $v0 seg000:9D0539D0 058 21 20 40 02 move $a0, $s2 seg000:9D0539D4 058 08 9D 05 3C lui $a1, 0x9D08 seg000:9D0539D8 058 F3 43 41 0F jal cJSON_GetObjectItem # [8] seg000:9D0539DC 058 4C 9D A5 24 la $a1, aAd_r # "ad_r" seg000:9D0539E0 058 21 F0 40 00 move $fp, $v0 seg000:9D0539E4 058 21 20 40 02 move $a0, $s2 seg000:9D0539E8 058 08 9D 05 3C lui $a1, 0x9D08 seg000:9D0539EC 058 F3 43 41 0F jal cJSON_GetObjectItem # [9] seg000:9D0539F0 058 54 9D A5 24 la $a1, aAl # "al" seg000:9D0539F4 058 20 00 A2 AF sw $v0, 0x58+var_38($sp) seg000:9D0539F8 058 21 20 40 02 move $a0, $s2 seg000:9D0539FC 058 08 9D 05 3C lui $a1, 0x9D08 seg000:9D053A00 058 F3 43 41 0F jal cJSON_GetObjectItem # [10] seg000:9D053A04 058 58 9D A5 24 la $a1, aAk # "ak" seg000:9D053A08 058 67 00 A0 12 beqz $s5, loc_9D053BA8 seg000:9D053A0C 058 21 A0 40 00 move $s4, $v0 seg000:9D053A10 058 66 00 E0 52 beqzl $s7, loc_9D053BAC seg000:9D053A14 058 A4 00 05 8E lw $a1, pubnub.channel($s0) seg000:9D053A18 058 64 00 C0 52 beqzl $s6, loc_9D053BAC seg000:9D053A1C 058 A4 00 05 8E lw $a1, pubnub.channel($s0) seg000:9D053A20 058 61 00 C0 13 beqz $fp, loc_9D053BA8 seg000:9D053A24 058 20 00 A2 8F lw $v0, 0x58+var_38($sp) seg000:9D053A28 058 60 00 40 50 beqzl $v0, loc_9D053BAC seg000:9D053A2C 058 A4 00 05 8E lw $a1, pubnub.channel($s0) seg000:9D053A30 058 5E 00 80 52 beqzl $s4, loc_9D053BAC seg000:9D053A34 058 A4 00 05 8E lw $a1, pubnub.channel($s0) seg000:9D053A38 058 32 E2 41 0F jal strlen seg000:9D053A3C 058 10 00 A4 8E lw $a0, 0x10($s5) # [11] seg000:9D053A40 058 21 80 40 00 move $s0, $v0 seg000:9D053A44 058 32 E2 41 0F jal strlen seg000:9D053A48 058 10 00 C4 8E lw $a0, 0x10($s6) # [12] seg000:9D053A4C 058 21 80 02 02 addu $s0, $v0 seg000:9D053A50 058 02 00 10 26 addiu $s0, 2 seg000:9D053A54 058 20 00 10 2E sltiu $s0, 32 # [13] seg000:9D053A58 058 48 00 00 12 beqz $s0, loc_9D053B7C ... seg000:9D053A8C 058 48 00 22 26 addiu $v0, $s1, insteon_pubnub.channel_cc seg000:9D053A90 058 28 00 A2 AF sw $v0, 0x58+channel_cc_ptr($sp) seg000:9D053A94 058 21 20 40 00 move $a0, $v0 seg000:9D053A98 058 1F DF 41 0F jal strcpy # [14] seg000:9D053A9C 058 10 00 A5 8E lw $a1, 0x10($s5) seg000:9D053AA0 058 58 00 35 26 addiu $s5, $s1, insteon_pubnub.channel_ad seg000:9D053AA4 058 21 20 A0 02 move $a0, $s5 seg000:9D053AA8 058 1F DF 41 0F jal strcpy # [15] seg000:9D053AAC 058 10 00 C5 8E lw $a1, 0x10($s6) seg000:9D053AB0 058 68 00 36 26 addiu $s6, $s1, insteon_pubnub.channel_cc_r seg000:9D053AB4 058 21 20 C0 02 move $a0, $s6 seg000:9D053AB8 058 1F DF 41 0F jal strcpy # [16] seg000:9D053ABC 058 10 00 E5 8E lw $a1, 0x10($s7) seg000:9D053AC0 058 78 00 37 26 addiu $s7, $s1, insteon_pubnub.channel_ad_r seg000:9D053AC4 058 21 20 E0 02 move $a0, $s7 seg000:9D053AC8 058 1F DF 41 0F jal strcpy # [17] seg000:9D053ACC 058 10 00 C5 8F lw $a1, 0x58+src($fp) seg000:9D053AD0 058 88 00 30 26 addiu $s0, $s1, insteon_pubnub.channel_al seg000:9D053AD4 058 21 20 00 02 move $a0, $s0 seg000:9D053AD8 058 20 00 A2 8F lw $v0, 0x58+var_38($sp) seg000:9D053ADC 058 1F DF 41 0F jal strcpy # [18] seg000:9D053AE0 058 10 00 45 8C lw $a1, 0x10($v0) seg000:9D053AE4 058 D8 00 33 26 addiu $s3, $s1, insteon_pubnub.channel_ak seg000:9D053AE8 058 21 20 60 02 move $a0, $s3 seg000:9D053AEC 058 1F DF 41 0F jal strcpy # [19] seg000:9D053AF0 058 10 00 85 8E lw $a1, 0x10($s4) ``` The function stores at [1] the pointer to pubnub_obj, which contains data used to communicate with the remote PubNub servers. At [2] PubNub's answer is saved into $s2 and at [3] the code ensures that the answer is not empty. The answer is then passed to cJSON_Parse [4] and the resulting cJSON object is saved in $s2. The function then retrieves every expected element from the "JSON" ([5], [6], [7], [8], [9], [10]) and ensures that they exist. Each parameter is then copied into the global insteon_pubnub structure (which is at 0xa000d1bc) for later use. Note this structure is bigger than 0x1000 bytes and includes not only strings and callbacks pointers, but also 3 pubnub structures that again contain several string and function pointers. This clearly makes this buffer a good target for exploitation. As we can see at [14], [15], [16], [17], [18], [19], each parameter is copied unsafely using strcpy and this might be used by an attacker to overwrite portions of the insteon_pubnub structure and execute arbitrary code. However, despite the fact that the strcpy calls at [14] and [15] are unsafe, they turn out to be not exploitable, give the restriction imposed at [13]: the sum of the length of "cc" [11] and "ad" [12] must not exceed 29. This still allows for an overflow to occur but it will only overwrite a few bytes in the insteon_pubnub structure that an attacker already normally controls. The following is a list of vulnerable strcpy calls and their Proof-of-Concept. Each PoC shows only the payload portion of the request and uses the placeholder "OVERFLOW" to highlight the vulnerable parameter, which can be replaced with "A"*0x400 to make the device crash. A key with value "x" means that its value is irrelevant. #### CVE-2017-14452 - "cc_r" element The strcpy at [16] overflows the buffer insteon_pubnub.channel_cc_r, which has a size of 16 bytes. An attacker can send an arbitrarily long "cc_r" parameter [6] in order to exploit this vulnerability: ``` [[{"cc":"x","cc_r":"{OVERFLOW}","ad":"x","ad_r":"x","al":"x","ak":"x"}],"1"] ``` #### CVE-2017-14453 - "ad_r" element The strcpy at [17] overflows the buffer insteon_pubnub.channel_ad_r, which has a size of 16 bytes. An attacker can send an arbitrarily long "ad_r" parameter [8] in order to exploit this vulnerability: ``` [[{"cc":"x","cc_r":"x","ad":"x","ad_r":"{OVERFLOW}","al":"x","ak":"x"}],"1"] ``` #### CVE-2017-14454 - "al" element The strcpy at [18] overflows the buffer insteon_pubnub.channel_al, which has a size of 16 bytes. An attacker can send an arbitrarily long "al" parameter [9] in order to exploit this vulnerability: ``` [[{"cc":"x","cc_r":"x","ad":"x","ad_r":"x","al":"{OVERFLOW}","ak":"x"}],"1"] ``` #### CVE-2017-14455 - "ak" element The strcpy at [19] overflows the buffer insteon_pubnub.channel_ak, which has a size of 16 bytes. An attacker can send an arbitrarily long "ak" parameter [10] in order to exploit this vulnerability: ``` [[{"cc":"x","cc_r":"x","ad":"x","ad_r":"x","al":"x","ak":"{OVERFLOW}"}],"1"] ``` ### Timeline * 2017-12-05 - Vendor Disclosure * 2018-01-18 - Vendor advised issues under evaluation * 2018-02-12 - 60 day follow up with vendor * 2018-03-09 - Vendor advised working on course of action * 2018-04-06 - Follow up with vendor on fix/timeline * 2018-04-12 - Vendor advised issues addressed & plan for beta testing * 2018-06-19 - Public disclosure
idSSV:97360
last seen2018-06-26
modified2018-06-22
published2018-06-22
reporterMy Seebug
titleInsteon Hub PubNub control Channel Message Handler Code Execution Vulnerabilities(CVE-2017-14452~CVE-2017-14455)

Talos

idTALOS-2017-0502
last seen2019-05-29
published2018-06-19
reporterTalos Intelligence
sourcehttp://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0502
titleInsteon Hub PubNub control Channel Message Handler Code Execution Vulnerabilities