#BinaryExploitation
osintelligence · 2 years ago
Link
https://bit.ly/3Op1x2F

🔎 Sternum recently reverse-engineered the Wemo Mini Smart Plug V2, a popular device aiding users in remote control of electric devices. A buffer overflow vulnerability, coined as the 'FriendlyName', was discovered which could potentially be used for remote command injection. #Wemo #SmartPlug #CyberSecurity

🔧 Gaining firmware access to the device was a challenge, but through booting into recovery mode and changing the root password, Sternum gained system access. Various tools were then uploaded to the device for debugging purposes. #Firmware #Debugging

🐞 The 'FriendlyName' vulnerability was pinpointed after bypassing app restrictions and identifying the processes handling this variable. However, uncovering the exact source of heap metadata corruption required more in-depth analysis. #Vulnerability #HeapCorruption

🎯 The breaking point was identified via a gdb script tracking down the bug causing heap corruption. Observing the $pc pointer's behaviour during an overflow incident shed light on the potential exploitation of the vulnerability. #Exploit #ROPchains

💻 Sternum exploited the vulnerability using a binary exploitation technique known as ROP chains. Despite limitations due to the Wemo_ctrl loading address and the 80-byte payload size, a successful command injection was achieved through the snprintf() function. #BinaryExploitation #CommandInjection

📬 Sternum disclosed the vulnerability to Belkin via Bugcrowd on January 9th, 2023. However, Belkin responded stating that the device is at the end of its life and will not address the vulnerability. This leaves a potential attack vector open via the Wemo infrastructure. #Disclosure #SecurityAdvisory

⚠️ Users are advised to exercise caution when using Wemo Mini Smart Plug V2 due to the unaddressed 'FriendlyName' vulnerability.
0 notes
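The 'FriendlyName' bug summarized in the post above belongs to a general class: a client-controlled string copied into a fixed-size field without a length check, so an over-long name runs into whatever sits next to that field in memory (here, heap metadata). The C snippet below is an added illustration of that class and its fix; it is not Sternum's code and not Wemo firmware. The struct layout, `FRIENDLY_NAME_MAX`, and every function name are assumptions chosen for the example, and the inputs are constructed. It shows the unchecked copy beside a checked setter that enforces the limit before writing and leaves the record untouched when it rejects input, plus a helper that confirms the adjacent field was never modified.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example. FRIENDLY_NAME_MAX and the struct layout are assumptions
 * made for illustration; they are not taken from any real device firmware. */
#define FRIENDLY_NAME_MAX 32   /* bytes, including the NUL terminator */

struct device_settings {
    char     friendly_name[FRIENDLY_NAME_MAX];
    uint32_t flags;   /* sits right after the name: the first thing an overflow would clobber */
};

/* The vulnerable pattern: trust the length of a client-supplied string and copy
 * it into a fixed-size field. Any name of FRIENDLY_NAME_MAX bytes or more writes
 * past the field into whatever follows it in memory. Shown for contrast only. */
static void set_friendly_name_unchecked(struct device_settings *s, const char *name)
{
    strcpy(s->friendly_name, name);
}

/* Hardened replacement: bound the length scan, enforce the limit before touching
 * the buffer, and accept printable ASCII only. Returns 0 on success and -1 on
 * rejection; on rejection the stored name is left exactly as it was. */
static int set_friendly_name_checked(struct device_settings *s, const char *name)
{
    if (s == NULL || name == NULL)
        return -1;

    /* memchr bounds the scan: an input with no NUL inside the limit is rejected
     * without ever reading past FRIENDLY_NAME_MAX bytes of it. */
    const char *nul = memchr(name, '\0', FRIENDLY_NAME_MAX);
    if (nul == NULL)
        return -1;
    size_t len = (size_t)(nul - name);
    if (len == 0)
        return -1;                      /* empty names are not useful */

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c < 0x20 || c > 0x7e)       /* no control bytes, no non-ASCII */
            return -1;
    }

    memcpy(s->friendly_name, name, len);
    s->friendly_name[len] = '\0';
    return 0;
}

/* Helper: run the checked setter on a name and report 1 if it was accepted,
 * 0 if rejected, or -1 if the adjacent flags field was disturbed (it never should be). */
static int accepts_name(const char *name)
{
    struct device_settings s;
    memset(&s, 0, sizeof s);
    s.flags = 0x1234;
    int rc = set_friendly_name_checked(&s, name);
    if (s.flags != 0x1234)
        return -1;
    return rc == 0;
}

/* Helper: same check for a constructed name made of n 'A' characters. */
static int accepts_name_of_length(size_t n)
{
    char buf[128];
    if (n >= sizeof buf)
        return -1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return accepts_name(buf);
}

int main(void)
{
    struct device_settings *s = calloc(1, sizeof *s);
    if (s == NULL)
        return 1;
    s->flags = 0xC0FFEE;

    /* Short names behave the same on both paths. */
    set_friendly_name_unchecked(s, "Kitchen");
    printf("unchecked, short name: %s\n", s->friendly_name);

    /* The checked path accepts a legitimate name and rejects a 64-byte one
     * instead of overwriting s->flags. */
    printf("checked, 'Living Room Lamp': %s\n",
           set_friendly_name_checked(s, "Living Room Lamp") == 0 ? "accepted" : "rejected");
    printf("checked, 64-byte name: %s (flags still 0x%X)\n",
           accepts_name_of_length(64) == 1 ? "accepted" : "rejected", s->flags);

    free(s);
    return 0;
}
```

The boundary worth remembering is the terminator: a name of exactly `FRIENDLY_NAME_MAX - 1` bytes is the longest that fits, and `memchr` rather than `strlen` is what keeps the check itself from reading past the limit on an unterminated input.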
binaryhakka-blog · 5 years ago
Link
If you ever wonder how a CPU works, then here it is in simple language.
0 notes