"James Connor" jymbo@cromulence.com
Cromulence LLC (CROMU)
This is a software re-implementation of thermal controller software and simulation: a heating element controller such as would be used in a commercial oven, BBQ smoker, or other industrial control device.
The thermal controller is much more capable than the typical controller found in consumer-level appliances such as stoves. Although it does contain static modes such as maintaining a set temperature, it also supports up to 10 temperature sensors, a smoke sensor, and a 10-step programmable thermal profile. The different program steps can be based on temperature triggers from any of the configured temperature probes, or can dwell at a fixed temperature for a programmed length of time. An ideal use of this controller would be in a competition BBQ smoker, where different kinds of meat require finely tuned adjustments to temperature during the smoking process to result in proper breakdown of connective tissue, maintenance of moisture, and control of the smoke generation. The controller was designed to be remotely operated using a separate "app" on a mobile device, and implements a binary protocol for this purpose. The controller was designed to be robust and rigorously checks that remote commands correctly configure the device.
A vulnerability exists when the history list is populated with too many entries, which can cause a buffer overflow of the send buffer. The last 8 bytes of the information sent for a simulate command contain the ambient temperature and the last set temperature for the thermal controller. It is possible to arbitrarily control the set temperature by sending a program list with a negative value for type: an incorrect check (a signed/unsigned error) allows arbitrary set temperatures to be written by avoiding the temperature range checks. Next, it is possible to write an arbitrary ambient temperature, again due to an incorrect comparison of signed data (failing to validate negative numbers). This ultimately results in the ability to overflow the send buffer (which is allocated on the stack) with two arbitrary 4-byte values, resulting in a type-1 POV when the return address for the get_command function is overwritten.
Vulnerability 1 of 1: Stack buffer overflow
Vulnerability 1 of 1: CWE-121 Stack-based Buffer Overflow
Author's Subjective Challenge Difficulty: Discovering: Medium; Proving: Medium; Fixing: Easy
This vulnerability is considered to be on the harder side to prove due to the conditions that are needed to properly trigger a type-1 vulnerability. By its nature, fixing the vulnerability is trivial, as it involves fixing the type checks to unsigned values. There may be some difficulty for the CRS in discovering all of the initial conditions needed to trigger and prove the vulnerability in this service.
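The signed range check described above and the fix the author names (unsigned type checks), together with a bounded history count, shown as an added C example that is not the challenge's source code. `MAX_TEMP`, `MAX_HISTORY`, and all function names are assumptions, since the page does not give the real identifiers or limits.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed limits; the page does not state the real ones. */
#define MAX_TEMP    350  /* hypothetical highest valid temperature */
#define MAX_HISTORY 16   /* hypothetical history capacity of the send buffer */

/* Flawed: signed compare with only an upper bound, so any negative
 * value passes the range check. */
int temp_ok_signed(int32_t t) { return t <= MAX_TEMP; }

/* Fixed: compared as unsigned, a negative input becomes a very large
 * number and fails the same upper-bound test. */
int temp_ok_unsigned(int32_t t) { return (uint32_t)t <= (uint32_t)MAX_TEMP; }

/* Pack history entries followed by the 8-byte trailer (ambient, then
 * set temperature). Returns bytes written, or -1 when the entry count,
 * the destination size, or either temperature is out of range. */
long pack_status(uint8_t *out, size_t out_len, const int32_t *hist,
                 size_t count, int32_t ambient, int32_t set_temp)
{
    if (count > MAX_HISTORY)
        return -1;                       /* too many history entries */
    size_t body = count * sizeof(int32_t);
    if (body + 2 * sizeof(int32_t) > out_len)
        return -1;                       /* would overrun the send buffer */
    if (!temp_ok_unsigned(ambient) || !temp_ok_unsigned(set_temp))
        return -1;                       /* negative or too-hot value */
    memcpy(out, hist, body);
    memcpy(out + body, &ambient, sizeof ambient);
    memcpy(out + body + sizeof ambient, &set_temp, sizeof set_temp);
    return (long)(body + 2 * sizeof(int32_t));
}

int main(void)
{
    int32_t hist[MAX_HISTORY + 1] = {0};          /* constructed sample data */
    uint8_t send_buf[MAX_HISTORY * 4 + 8];
    printf("signed check accepts -1:   %d\n", temp_ok_signed(-1));
    printf("unsigned check accepts -1: %d\n", temp_ok_unsigned(-1));
    printf("17 entries: %ld\n", pack_status(send_buf, sizeof send_buf, hist, 17, 70, 225));
    printf("2 entries:  %ld\n", pack_status(send_buf, sizeof send_buf, hist, 2, 70, 225));
    return 0;
}
```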
Round | Source | Destination | Result | POV | Analysis | Video |
---|---|---|---|---|---|---|
42 | CSDS | DeepRed | Failed POV | POV | Watch | |
42 | CSDS | Disekt | Failed POV | POV | Watch | |
42 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
42 | CSDS | Shellphish | Failed POV | POV | Watch | |
42 | CSDS | TECHx | Failed POV | POV | Watch | |
42 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
42 | DeepRed | CSDS | Failed POV | POV | Watch | |
42 | DeepRed | Disekt | Failed POV | POV | Watch | |
42 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
42 | DeepRed | Shellphish | Failed POV | POV | Watch | |
42 | DeepRed | TECHx | Failed POV | POV | Watch | |
43 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
43 | CSDS | DeepRed | Failed POV | POV | Watch | |
43 | CSDS | Disekt | Failed POV | POV | Watch | |
43 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
43 | CSDS | Shellphish | Failed POV | POV | Watch | |
43 | CSDS | TECHx | Failed POV | POV | Watch | |
43 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
43 | DeepRed | CSDS | Failed POV | POV | Watch | |
43 | DeepRed | Disekt | Failed POV | POV | Watch | |
43 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
43 | DeepRed | Shellphish | Failed POV | POV | Watch | |
43 | DeepRed | TECHx | Failed POV | POV | Watch | |
44 | CodeJitsu | Shellphish | Failed POV through defenses | POV | Watch | |
44 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
44 | CSDS | DeepRed | Failed POV | POV | Watch | |
44 | CSDS | Disekt | Failed POV | POV | Watch | |
44 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
44 | CSDS | Shellphish | Failed POV through defenses | POV | Watch | |
44 | CSDS | TECHx | Failed POV | POV | Watch | |
44 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
44 | DeepRed | CSDS | Failed POV | POV | Watch | |
44 | DeepRed | Disekt | Failed POV | POV | Watch | |
44 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
44 | DeepRed | Shellphish | Failed POV through defenses | POV | Watch | |
44 | DeepRed | TECHx | Failed POV | POV | Watch | |
45 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
45 | CSDS | DeepRed | Failed POV | POV | Watch | |
45 | CSDS | Disekt | Failed POV | POV | Watch | |
45 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
45 | CSDS | Shellphish | Failed POV through defenses | POV | Watch | |
45 | CSDS | TECHx | Failed POV | POV | Watch | |
45 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
45 | DeepRed | CSDS | Failed POV | POV | Watch | |
45 | DeepRed | Disekt | Failed POV | POV | Watch | |
45 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
45 | DeepRed | Shellphish | Failed POV through defenses | POV | Watch | |
45 | DeepRed | TECHx | Failed POV | POV | Watch | |
46 | CodeJitsu | Disekt | Failed POV through defenses | POV | Watch | |
46 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
46 | CSDS | DeepRed | Failed POV | POV | Watch | |
46 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
46 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
46 | CSDS | Shellphish | Failed POV through defenses | POV | Watch | |
46 | CSDS | TECHx | Failed POV | POV | Watch | |
46 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
46 | DeepRed | CSDS | Failed POV | POV | Watch | |
46 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
46 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
46 | DeepRed | Shellphish | Failed POV through defenses | POV | Watch | |
46 | DeepRed | TECHx | Failed POV | POV | Watch | |
47 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
47 | CSDS | DeepRed | Failed POV | POV | Watch | |
47 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
47 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
47 | CSDS | Shellphish | Failed POV through defenses | POV | Watch | |
47 | CSDS | TECHx | Failed POV | POV | Watch | |
47 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
47 | DeepRed | CSDS | Failed POV | POV | Watch | |
47 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
47 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
47 | DeepRed | Shellphish | Failed POV through defenses | POV | Watch | |
47 | DeepRed | TECHx | Failed POV | POV | Watch | |
48 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
48 | CSDS | DeepRed | Failed POV | POV | Watch | |
48 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
48 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
48 | CSDS | Shellphish | Failed POV through defenses | POV | Watch | |
48 | CSDS | TECHx | Failed POV | POV | Watch | |
48 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
48 | DeepRed | CSDS | Failed POV | POV | Watch | |
48 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
48 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
48 | DeepRed | Shellphish | Failed POV through defenses | POV | Watch | |
48 | DeepRed | TECHx | Failed POV | POV | Watch | |
49 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
49 | CSDS | DeepRed | Failed POV | POV | Watch | |
49 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
49 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
49 | CSDS | Shellphish | Failed POV through defenses | POV | Watch | |
49 | CSDS | TECHx | Failed POV | POV | Watch | |
49 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
49 | DeepRed | CSDS | Failed POV | POV | Watch | |
49 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
49 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
49 | DeepRed | Shellphish | Failed POV through defenses | POV | Watch | |
49 | DeepRed | TECHx | Failed POV | POV | Watch | |
50 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
50 | CSDS | DeepRed | Failed POV | POV | Watch | |
50 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
50 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
50 | CSDS | Shellphish | Failed POV through defenses | POV | Watch | |
50 | CSDS | TECHx | Failed POV | POV | Watch | |
50 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
50 | DeepRed | CSDS | Failed POV | POV | Watch | |
50 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
50 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
50 | DeepRed | Shellphish | Failed POV through defenses | POV | Watch | |
50 | DeepRed | TECHx | Failed POV | POV | Watch | |
51 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
51 | CSDS | DeepRed | Failed POV | POV | Watch | |
51 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
51 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
51 | CSDS | Shellphish | Failed POV through defenses | POV | Watch | |
51 | CSDS | TECHx | Failed POV | POV | Watch | |
51 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
51 | DeepRed | CSDS | Failed POV | POV | Watch | |
51 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
51 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
51 | DeepRed | Shellphish | Failed POV through defenses | POV | Watch | |
51 | DeepRed | TECHx | Failed POV | POV | Watch | |
52 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
52 | CSDS | DeepRed | Failed POV | POV | Watch | |
52 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
52 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
52 | CSDS | Shellphish | Failed POV through defenses | POV | Watch | |
52 | CSDS | TECHx | Failed POV | POV | Watch | |
52 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
52 | DeepRed | CSDS | Failed POV | POV | Watch | |
52 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
52 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
52 | DeepRed | Shellphish | Failed POV through defenses | POV | Watch | |
52 | DeepRed | TECHx | Failed POV | POV | Watch | |
53 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
53 | CSDS | DeepRed | Failed POV | POV | Watch | |
53 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
53 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
53 | CSDS | Shellphish | Failed POV through defenses | POV | Watch | |
53 | CSDS | TECHx | Failed POV | POV | Watch | |
53 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
53 | DeepRed | CSDS | Failed POV | POV | Watch | |
53 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
53 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
53 | DeepRed | Shellphish | Failed POV through defenses | POV | Watch | |
53 | DeepRed | TECHx | Failed POV | POV | Watch | |
54 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
54 | CSDS | DeepRed | Failed POV | POV | Watch | |
54 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
54 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
54 | CSDS | Shellphish | Failed POV through defenses | POV | Watch | |
54 | CSDS | TECHx | Failed POV | POV | Watch | |
54 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
54 | DeepRed | CSDS | Failed POV | POV | Watch | |
54 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
54 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
54 | DeepRed | Shellphish | Failed POV through defenses | POV | Watch | |
54 | DeepRed | TECHx | Failed POV | POV | Watch | |
55 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
55 | CSDS | DeepRed | Failed POV | POV | Watch | |
55 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
55 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
55 | CSDS | Shellphish | Failed POV through defenses | POV | Watch | |
55 | CSDS | TECHx | Failed POV | POV | Watch | |
55 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
55 | DeepRed | CSDS | Failed POV | POV | Watch | |
55 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
55 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
55 | DeepRed | Shellphish | Failed POV through defenses | POV | Watch | |
55 | DeepRed | TECHx | Failed POV | POV | Watch |