ecobee3 lite Heap Overflow

Unranked
Advisory ID: L9-15-330
Published: June 28, 2021
Updated: August 19, 2021
Category: Heap-based Buffer Overflow
Vendor: ecobee
Product: ecobee3 lite
Version: 4.5.81.200

Risk Summary

A heap overflow vulnerability exists in the 'HKProcessConfig' function, which can write past the bounds of the HKWAC object. This object is responsible for managing the HomeKit Wireless Access Control setup process. A threat actor can craft a malicious payload that controls values inside the object, causing the ecobee3 device to connect to a different WiFi access point.

Given the nature of memory attacks, it may be possible to extend this attack further to achieve code execution.

Technical Details

The Wireless Access Configuration (WAC) server is present on the ecobee3 device on TCP port 1200. This service is normally used to connect the device to a WiFi access point during initial setup from an iOS device. However, the service remains active after the device has joined a wireless network, leaving it exposed to attack.

A threat actor can send a POST request to the endpoint 'http://<thermostat_ip>:1200/config' with a request body larger than 512 bytes, resulting in an overflow of the HKWAC object. The HKWAC object is provisioned with 604 bytes, so any request larger than 604 bytes corrupts the next object on the heap, which could be a path to code execution.

Figure: Vulnerable HKWAC object

Figure: HKWAC object as initially provisioned

However, a threat actor can send a payload larger than 512 bytes but smaller than 604 bytes to control specific elements of the HKWAC object, including the flags used to validate whether previous steps of the WAC process have been completed, such as whether the ecobee3 is in 'Access Point' (AP) mode. By exploiting this structure, a threat actor can 'trick' the ecobee3 into accepting a new WiFi access configuration, causing the device to disconnect from its current access point and connect to a threat actor controlled access point.
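Defenders can detect attempts against this service by watching for POST requests to the WAC endpoint whose body exceeds the 512-byte limit. The following is an added example (not code from the advisory or from ecobee) that applies the advisory's size thresholds to a constructed, simplified proxy/IDS log format; the log layout and the field names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

WAC_PORT = 1200                 # TCP port of the WAC server (from the advisory)
WAC_CONFIG_PATH = "/config"     # vulnerable endpoint (from the advisory)
SAFE_BODY_LIMIT = 512           # bodies above this overflow into the HKWAC object
HKWAC_OBJECT_SIZE = 604         # bodies above this corrupt the next heap object


@dataclass
class Finding:
    src: str
    content_length: int
    severity: str  # "flag-control" (513..604 bytes) or "heap-corruption" (>604 bytes)


# Constructed sample log: "<src> <dst>:<port> <method> <path> <content_length>"
SAMPLE_LOG = """\
192.168.1.20 192.168.1.50:1200 POST /config 340
192.168.1.77 192.168.1.50:1200 POST /config 600
192.168.1.77 192.168.1.50:1200 POST /config 900
192.168.1.77 192.168.1.50:80 POST /config 900
192.168.1.77 192.168.1.50:1200 GET /config 0
"""

LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) (\S+) (\S+) (\d+)$")


def classify(content_length: int) -> Optional[str]:
    """Map a request body size onto the two danger bands described in the advisory."""
    if content_length <= SAFE_BODY_LIMIT:
        return None
    if content_length <= HKWAC_OBJECT_SIZE:
        return "flag-control"
    return "heap-corruption"


def scan_log(text: str) -> List[Finding]:
    """Return one Finding per oversized POST to the WAC /config endpoint on port 1200."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        src, _dst, port, method, path, length = m.groups()
        if int(port) != WAC_PORT or method != "POST" or path != WAC_CONFIG_PATH:
            continue
        severity = classify(int(length))
        if severity is not None:
            findings.append(Finding(src, int(length), severity))
    return findings
```

Any "flag-control" or "heap-corruption" finding from a host other than the provisioning iPad/iPhone is worth an alert, since the endpoint requires no authentication.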

Figure: Overflow

Figure: Flags checked in HKWAC object

Figure: Byte 592 calls the HKWifiConnectSetup function

As an example, the device was connected to the SSID 'TheFlooNetwork' using the normal setup procedure. The research team then sent a crafted payload that overflowed the HKWAC object and caused the device to connect to the SSID 'hackpi'. The payload did not require authentication and could potentially be delivered through a cross-site request forgery (CSRF) attack.

Figure: ecobee3 lite connected to "TheFlooNetwork"

Figure: Payload sent to the device causing it to change WiFi access points

Figure: Serial output shows the device changing to the "hackpi" WiFi access point

Figure: Request sent on the new access point to "/configured" to complete the setup

Figure: Serial output shows the device completing the setup process

Figure: Device confirmed on the "hackpi" access point