Sonos Smart Speaker Vulnerability Let Attackers Execute Remote Code

by Esmeralda McKenzie

At the beginning of August 2024, Sonos released a security advisory fixing two vulnerabilities related to remote code execution. These vulnerabilities were assigned CVE-2023-50810 and CVE-2023-50809.

These vulnerabilities existed in the Sonos One and Sonos Era-100 speakers and could allow a threat actor to record from the microphone and perform covert audio capture.

In addition, the vulnerabilities could be leveraged to compromise the kernel over the air and turn the device into a wiretap capturing all audio within the device's range.

This exploitation technique was presented at the Black Hat USA 2024 conference.

Sonos Smart Speaker Vulnerability

According to the reports shared with Cyber Security News, CVE-2023-50809 is related to the WPA2 handshake: the KeyData parsed by the vulnerable function carries a gtk_length field, which the researchers set to the value 255.


However, no maximum length limit was enforced for that parameter, and this missing check was used for the overflow attack.

In order to trigger the bug, several conditions had to be met:

  • the key data must be successfully decrypted, which in WPA2 cannot happen until the SNonce and ANonce have been exchanged;
  • the vulnerable function must be reached in Message 3 (M3); and
  • wpa_supplicant can also be used in AP mode.

Once all of these conditions were satisfied, the Sonos device crashed in a way that gave control of the program counter (PC). Downstream memory corruption was mitigated by adding extra IEs so that the function exited early.

Sonos One – Over-The-Air Vulnerability

Multiple vulnerable design patterns were identified across the code path that handles and parses WPA key material.

One of the main design issues was in the WpaParseEapolKeyData function, which is used during the WPA2 four-way handshake.

It contains several bugs that can be chained together to achieve a stack buffer overflow. Two issues made this possible.

One was improper input validation of the IE length, and the other was the unchecked maximum length of the GTK IE.

In short, the KdenLen variable was not checked for integer underflow: when the data element's length field was smaller than 6, subtracting the header length wrapped around to a huge value.

This caused a copy much larger than the 32-byte GTK stack buffer, resulting in a stack buffer overflow.

The second issue exists because the keyData copied into the gtk_buf stack buffer was never validated to be less than or equal to gtk_buf's maximum length (32 bytes).

[Figure: Crashdump (Source: NCC Group)]

By chaining these two issues, a malformed data element was crafted that used the underflow and the missing validation to trigger a copy of a length exceeding the maximum GTK buffer size.
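As an added illustration (this is example code written for this page, not code from the NCC Group research, from Sonos or from the affected driver), the following C models the two missing checks described above side by side with a hardened parser. It assumes the standard IEEE 802.11 KDE encoding (element ID 0xdd, the 00-0F-AC OUI, data type 1 for GTK, then a key id/flags byte and a reserved byte, six bytes of header in total) and the 32-byte GTK stack buffer from the write-up; the function names and the test inputs are constructed for the example. The vulnerable model reports how many bytes it would have copied instead of performing the copy, so it runs safely and still shows the wrap-around to a huge length and the oversize 255-byte case.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GTK_MAX_LEN 32   /* size of the gtk_buf stack buffer from the write-up */
#define KDE_HDR_LEN 6    /* OUI(3) + data type(1) + key id/flags(1) + reserved(1) */

/* Vendor-specific element ID 0xdd followed by the 00-0F-AC OUI and type 1 (GTK). */
static const uint8_t GTK_KDE_OUI_TYPE[4] = {0x00, 0x0f, 0xac, 0x01};

/* Constructed sample: a GTK KDE whose length byte is 5, shorter than the 6-byte
 * KDE header, so "ie_len - 6" wraps around in the vulnerable parser. */
static const uint8_t UNDERFLOW_KDE[] = {0xdd, 0x05, 0x00, 0x0f, 0xac, 0x01,
                                        0x01, 0x00, 0x00, 0x00};

/* Hypothetical helper for building test input: writes one GTK KDE carrying a
 * gtk_len-byte key of repeating 0xAA into out and returns the element's size.
 * The length byte is a uint8_t, so 255 is the largest encodable ie_len. */
size_t build_gtk_kde(uint8_t *out, size_t gtk_len)
{
    size_t ie_len = KDE_HDR_LEN + gtk_len;
    out[0] = 0xdd;
    out[1] = (uint8_t)ie_len;
    memcpy(out + 2, GTK_KDE_OUI_TYPE, 4);
    out[6] = 0x01;                 /* key id 1, Tx bit clear */
    out[7] = 0x00;                 /* reserved */
    memset(out + 8, 0xaa, gtk_len);
    return 2 + ie_len;
}

/* Model of the vulnerable logic: returns the number of bytes the parser would
 * memcpy into its 32-byte GTK buffer (0 if no GTK KDE is present). The copy is
 * deliberately not performed; the two missing checks are the point. */
size_t vulnerable_gtk_copy_len(const uint8_t *kd, size_t kd_len)
{
    size_t pos = 0;
    while (pos + 2 <= kd_len) {
        uint8_t id = kd[pos];
        uint8_t ie_len = kd[pos + 1];          /* attacker-controlled */
        const uint8_t *body = kd + pos + 2;
        if (id == 0xdd && pos + 6 <= kd_len &&
            memcmp(body, GTK_KDE_OUI_TYPE, 4) == 0) {
            /* BUG 1: ie_len < 6 makes ie_len - KDE_HDR_LEN wrap to SIZE_MAX. */
            size_t gtk_len = (size_t)(ie_len - KDE_HDR_LEN);
            /* BUG 2: gtk_len is never compared against GTK_MAX_LEN. */
            return gtk_len;
        }
        pos += 2 + (size_t)ie_len;
    }
    return 0;
}

typedef enum { GTK_OK = 0, GTK_NOT_FOUND, GTK_BAD_IE, GTK_BAD_LEN } gtk_status;

/* Hardened parser: bounds every element against the key data, rejects lengths
 * that would underflow the header subtraction, and caps the copy at 32 bytes. */
gtk_status hardened_parse_gtk(const uint8_t *kd, size_t kd_len,
                              uint8_t gtk_out[GTK_MAX_LEN], size_t *gtk_len_out)
{
    size_t pos = 0;
    while (pos + 2 <= kd_len) {
        uint8_t id = kd[pos];
        size_t ie_len = kd[pos + 1];
        const uint8_t *body = kd + pos + 2;
        if (ie_len > kd_len - pos - 2)
            return GTK_BAD_IE;                 /* element runs past the key data */
        if (id == 0xdd && ie_len >= 4 && memcmp(body, GTK_KDE_OUI_TYPE, 4) == 0) {
            if (ie_len < KDE_HDR_LEN)
                return GTK_BAD_IE;             /* FIX 1: no underflow possible */
            size_t gtk_len = ie_len - KDE_HDR_LEN;
            if (gtk_len == 0 || gtk_len > GTK_MAX_LEN)
                return GTK_BAD_LEN;            /* FIX 2: bound the copy by the buffer */
            memcpy(gtk_out, body + KDE_HDR_LEN, gtk_len);
            *gtk_len_out = gtk_len;
            return GTK_OK;
        }
        pos += 2 + ie_len;
    }
    return GTK_NOT_FOUND;
}

int main(void)
{
    uint8_t kd[300], gtk[GTK_MAX_LEN];
    size_t n, gl = 0;

    n = build_gtk_kde(kd, 16);                      /* benign 16-byte CCMP GTK */
    printf("benign:    vuln copies %zu, hardened=%d\n",
           vulnerable_gtk_copy_len(kd, n), hardened_parse_gtk(kd, n, gtk, &gl));

    n = build_gtk_kde(kd, 255 - KDE_HDR_LEN);       /* ie_len = 255, as in the write-up */
    printf("oversize:  vuln copies %zu, hardened=%d\n",
           vulnerable_gtk_copy_len(kd, n), hardened_parse_gtk(kd, n, gtk, &gl));

    printf("underflow: vuln copies %zu, hardened=%d\n",
           vulnerable_gtk_copy_len(UNDERFLOW_KDE, sizeof UNDERFLOW_KDE),
           hardened_parse_gtk(UNDERFLOW_KDE, sizeof UNDERFLOW_KDE, gtk, &gl));
    return 0;
}
```

The two fixes are independent: the length-byte check alone stops the wrap-around but still lets a 249-byte key through, and the 32-byte cap alone is defeated by a wrapped length that compares as huge only after the subtraction. A parser needs both, plus the check that each element fits inside the decrypted key data.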

Background Of This Attack

[Figure: Attack Methodology (Source: NCC Group)]

The WPA2 four-way handshake consists of four packets exchanged between the client and the access point.

The key pieces of data involved in the handshake are the ANonce and SNonce (random values generated by each side), the SSID, and the pre-shared key (PSK).

The PSK itself is never sent over the air; instead, both the client and the access point use it indirectly to compute the Pairwise Master Key (PMK) using PBKDF2.

Once the minimum required data (ANonce, SNonce) has been exchanged between the client and the router, the subsequent handshake messages contain additional data elements encrypted with the computed key material.

Pivoting For Further Privileges

Once remote code execution was achieved, the researchers looked at pivoting their access to gain further permissions and capabilities over the compromised device.

This was done by obtaining a pointer to the EAPOL (Extensible Authentication Protocol over LAN) frame, adjusting the stack pointer and the EAPOL pointer, and pivoting the stack to the modified stack pointer.

From there, the researchers used set_memory_x, which marks an arbitrary virtual address range as executable. set_memory_x was given the EAPOL pointer, so the heap memory holding the EAPOL frame became executable.

Code execution of the shellcode was then obtained by using call_usermodehelper in the kernel together with run_cmd.

The post-exploitation steps involved telnet access to the payload via busybox, which provided the capability to covertly capture audio from the device's surroundings.

A demo of the exploit and the Rust implant can be found here.

[Figure: Exploited Sonos device with a UI to capture and download microphone audio (Source: NCC Group)]

Sonos Era-100 – Secure Boot Bypass

This vulnerability exists because of three issues in the Sonos Era-100 U-Boot. The issues relate to the use of a modified U-Boot implementation that is locked down with a password and a restricted command set.

Additionally, the Era-100 U-Boot image is encrypted using keys held in EL3, and at this stage there is not yet read/write access to the eMMC (embedded MultiMediaCard).

  • The first issue is that U-Boot attempts to load its environment from flash at offset 0x500000, because CONFIG_ENV_IS_NOWHERE is not set, which allows "bootcmd" to be set from the stored environment.
  • The second issue concerns sonosboot, which is responsible for loading and validating the kernel and then handing off to "bootm". bootm in turn uses the U-Boot environment and passes values from it to the Linux kernel.
  • The third issue is abuse of the custom Sonos list header, which is always loaded at address 0x100000. The kernel_offset is normally 0x40 but is not enforced by U-Boot, which allows the signature check to pass and ultimately results in a shell in the context of /init (root).

The full presentation given at Black Hat USA 2024 can be found here, and the whitepaper published by the NCC Group researchers is available at this link.


Source credit : cybersecuritynews.com
