CVE-2015-2868
An exploitable remote code execution vulnerability exists in the Trane ComfortLink II DSS service. An attacker who can connect to the DSS service on the Trane ComfortLink II device can send an overly long request that can overflow a fixed size stack buffer, resulting in arbitrary code execution.
Trane ComfortLink II - firmware version 2.0.2
http://www.trane.com/residential/products/thermostats-and-controls/comfortlink%E2%84%A2%20ii-thermostats-and-controls
The crash below is in the request parsing functionality of the DSS service:
# Crash 1
# data = "A"*200
# s.write("#{data}\r\n")
# Program received signal SIGSEGV, Segmentation fault.
# 0x41414140 in ?? ()
# (gdb) bt
# 0 0x41414140 in ?? ()
# 1 0x00008c38 in iHer_discProParseRequest ()
# 2 0x41414140 in ?? ()
# 3 0x41414140 in ?? ()
The below code is a partially decompiled representation of the iHer_discProParseRequest function:
int __fastcall iHer_discProParseRequest(int a1, const char *a2)
{
int v2; // r8@1
const char *v3; // r7@1
signed int v4; // r6@2
size_t v5; // r4@8
int v6; // r3@12
char s1; // [sp+6h] [bp-4Ah]@1
char s; // [sp+7h] [bp-49h]@1
char v10; // [sp+8h] [bp-48h]@6
char v11; // [sp+9h] [bp-47h]@7
v2 = a1;
v3 = a2;
s1 = 0;
memset(&s, 0, 0x31u);
sscanf(v3, "%s", &s1);
-- snip --
We can see here there is usage of sscanf which is an unsafe function that performs an unbounded copy of user input into a fixed size stack buffer, resulting in a buffer overflow.
2014-04-09 - Initial contact with Trane is established. Advisories delivered.
2014-06-03 - Second attempt to contact Trane for follow up. No response received.
2014-08-15 - Third attempt to made to contact Trane for follow up. No response received.
2014-09-30 - Fourth attempt to contact Trane is made. Advisories re-sent. No further correspondence.
2015-05-26 - CERT/CC notified. CERT attempts to establish contact with Trans, but received no response.
2015-07-13 - Fifth and final attempt to contact Trane is made. Communication is reestablished and advisories re-sent.
2015-08-19 - Talos follows up with Trane. No patch available.
2015-09-30 - Talos follows up with Trane again. No patch available.
2015-10-19 - Talos follows up with Trane again. No patch available.
2016-01-26 - Talos follows up with Trane again. Trane informs Talos that firmware version 4.0.3 is being released that week which addressesTALOS-2015-028.
2016-01-27 - Trane makes firmware version 4.0.3 available to the public.
2016-02-08 - Talos and CERT/CC disclose these vulnerabilities.
Discovered by Matt Watchinski and Christopher McBee of Cisco Talos