#HeapCorruption
https://bit.ly/3Op1x2F
🔎 Sternum recently reverse-engineered the Wemo Mini Smart Plug V2, a popular device aiding users in remote control of electric devices. A buffer overflow vulnerability, coined 'FriendlyName', was discovered which could potentially be used for remote command injection. #Wemo #SmartPlug #CyberSecurity
🔧 Gaining firmware access to the device was a challenge, but through booting into recovery mode and changing the root password, Sternum gained system access. Various tools were then uploaded to the device for debugging purposes. #Firmware #Debugging
🐞 The 'FriendlyName' vulnerability was pinpointed after bypassing app restrictions and identifying the processes handling this variable. However, uncovering the exact source of heap metadata corruption required more in-depth analysis. #Vulnerability #HeapCorruption
🎯 The breaking point was identified via a gdb script tracking down the bug causing heap corruption. Observing the $pc pointer's behaviour during an overflow incident shed light on the potential exploitation of the vulnerability. #Exploit #ROPchains
💻 Sternum exploited the vulnerability using a binary exploitation technique known as ROP chains. Despite limitations due to the Wemo_ctrl loading address and the 80-byte payload size, a successful command injection was achieved through the snprintf() function. #BinaryExploitation #CommandInjection
📬 Sternum disclosed the vulnerability to Belkin via Bugcrowd on January 9th, 2023. However, Belkin responded stating that the device is at the end of its life and will not address the vulnerability. This leaves a potential attack vector open via the Wemo infrastructure. #Disclosure #SecurityAdvisory
⚠️ Users are advised to exercise caution when using the Wemo Mini Smart Plug V2 due to the unaddressed 'FriendlyName' vulnerability.
Why application crashing with HeapCorruption failure?
What’s a Heap?
Before understanding HeapCorruption, here's a quick review of the Heap. The HeapCreate function creates a private heap object from which the calling process can allocate memory blocks by using the HeapAlloc function. HeapCreate specifies both an initial size and a maximum size for the heap. The initial size determines the number of committed, read/write pages initially allocated for…
Why an application hung after enabling PageHeap using GFlags
Issue
Recently a colleague asked this question. They had a customer who was experiencing a heap corruption, so as expected we enabled PageHeap, but there was a catch. The application had to run for a long time (around 30 days) in order to reproduce the crash, and we had no idea what was causing the crash.
We can enable standard PageHeap using the following command, run from an admin command prompt: gflags…