Sonos Smart Speaker Vulnerability Let Attackers Execute Remote Code


In the beginning of August 2024, Sonos released a security advisory in which they fixed two security vulnerabilities that were associated with Remote Code Execution. These vulnerabilities have been assigned with CVE-2023-50810 and CVE-2023-50809. 

These vulnerabilities were existing in Sonos One and Sonos Era-100 Bluetooth speakers which could allow a threat actor to record the microphone and obtain covert audio capture.

EHA

In addition to this, these vulnerabilities can also be leveraged to compromise the kernel over the air and also turn the device into a wiretap capturing all the audio within the device’s range.

However, this particular exploitation method was presented in the Black Hat USA 2024 conference.

Free Webinar on Detecting & Blocking Supply Chain Attack -> Book your Spot

Sonos Smart Speaker Vulnerability

According to the reports shared with Cyber Security News, CVE-2023-50809 was associated with WPA2 Handshake in which the KeyData parameter used in the function has a gtk_length parameter that is given the value 255.

However, there was no maximum bound limit set for the parameter. This particular lack of check was used for Overflow attacks.

In order to trigger the bug, there were several conditions such as 

  • Keydata must be successfully decrypted which cannot be done in WPA2 until the Snonce and Anonce are exchanged
  • The Vulnerable function must be triggered in Message 3 (M3) and
  • The wpa_supplicant can be used in AP mode.

On successfully bypassing and truing all these conditions, the Sonos device resulted in a Crash that led to the PC being controlled. The Downstream corruption was mitigated by adding extra IEs to exit function early.  

Sonos One – Over-The-Air Vulnerability

Multiple vulnerable design patterns were identified within the code path that handled and parsed WPA key material.

One of the notable design pattern issues was the WpaParseEapolKeyData function which was used in the WPA2 four-way handshake process. 

This consists of several vulnerabilities that can be chained together to achieve a stack buffer overflow. Two issues made this possible.

One was an improper input validation of IE length and the other was the unchecked maximum length of the GTK IE Length. 

To provide a brief overview, the KdenLen variable was not checked for integer overflow, which led to the condition that the information element’s length field was smaller than 6.

This also caused a copy much larger than the 32-byte GTK stack buffer, resulting in stack buffer overflow.

The second issue exists due to the keyData parameter that was copied into the gtk_buf stack buffer which did not validate to check if the value is less than or equal to gtk_buf‘s maximum size (32-bytes).

Crashdump (Source: NCCGroup)

On chaining these two issues, a malformed information element was created that used the underflow and improper validation conditions to trigger a copy of a value that exceeds the maximum GTK buffer length. 

Background Of This Attack

Attack Methodology (Source: NCCGroup)

The WPA2 four-way handshake consists of a total of 4 packets that are exchanged between client and the access point.

Some of the important information involved in these devices’ handshake are Anonce and Snonce (random values generated by both devices), the SSID, and the pre-shared Key (PSA). 

Among these the PSA is not shared over the air but indirectly used by the client and the access point to compute Pairwise Master Key (PMK) using PBKDF2.

As a matter of fact, once a minimum required information was exchanged between the client and the router (Anonce, Snonce), the subsequent handshake contained additional information elements that were encrypted with the computed key material. 

Pivoting The Permission

Once the remote code execution was achieved, the researchers tested for pivoting their access to gain additional permissions and capabilities over the compromised device.

This was done by acquiring the Pointer EAPOL (Extensible Authentication Protocol over LAN), Adjusting the stack pointer and EAPOL pointer and pivoting with the modified stack pointer.

Once inside, the researchers used the set_memory_x which was an arbitrary virtual address space that can be marked as executable. This set_memory_x function was supplied with the EAPOL pointer that will execute the Heap. 

The code execution and shellcode was obtained by using the call_usermodehelper in the kernel with the run_cmd.

However, post-exploitation techniques involved, telnetting the payload into busybox which provided the capability to covertly capture the audio from the device’s proximity.

A demo of the exploit and Rust implant can be found here.

Exploited Sonos Device with UI to Capture and Download Microphone (Source: NCCGroup)

Sonos Era-100 – Secure Boot Bypass

This vulnerability exists due to three issues in the Sonos Era-100 U-Boot. The issue wre related to the use of modified U-boot implementation which uses locked down with password and restricted commands.

Additionally, the Era-100 U-Boot is encrypted using keys in EL3 that doesn’t yet have R/W capability on eMMC (embedded MultiMediaCard).

  • The first issue was trying to load env from flash at offset 0x500000 where the CONFIG_ENV_IS_NOWHERE is not set and allows setting of “bootcmd”. 
  • The second issue was associated with sonosboot that was responsible for loading and validating kernel and then passing to “bootm“. Further, the bootm uses u-boot env and passes to the linux kernel. 
  • The third issue was linked to the abuse of Custom Sonos image header which is always loaded at address 0x100000. Additionally, the kernel_offset is normally 0x40 but not enforced by u-boot and also allows the signature check to pass resulting in a shell in the context of /init (root).

Furthermore, a complete presentation that was presented at Black Hat USA 2024 can be found here. The whitepaper published by the researchers of NCCGroup can be found in this link.

Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Access



Source link