Talos Vulnerability Report

TALOS-2016-0026

Trane ComfortLink II DSS Service Request Handling Remote Code Execution Vulnerability

February 8, 2016

Report ID

CVE-2015-2868

Description

An exploitable remote code execution vulnerability exists in the Trane ComfortLink II DSS service. An attacker who can connect to the DSS service on the Trane ComfortLink II device can send an overly long request that can overflow a fixed size stack buffer, resulting in arbitrary code execution.

Tested Versions

Trane ComfortLink II - firmware version 2.0.2

Product URLs

http://www.trane.com/residential/products/thermostats-and-controls/comfortlink%E2%84%A2%20ii-thermostats-and-controls

Details

The crash below is in the request parsing functionality of the DSS service:

# Crash 1
# data = "A"*200
# s.write("#{data}\r\n")
# Program received signal SIGSEGV, Segmentation fault.
# 0x41414140 in ?? ()
# (gdb) bt
# 0  0x41414140 in ?? ()
# 1  0x00008c38 in iHer_discProParseRequest ()
# 2  0x41414140 in ?? ()
# 3  0x41414140 in ?? ()

The below code is a partially decompiled representation of the iHer_discProParseRequest function:

int __fastcall iHer_discProParseRequest(int a1, const char *a2)
{
  int v2; // r8@1
  const char *v3; // r7@1
  signed int v4; // r6@2
  size_t v5; // r4@8
  int v6; // r3@12
  char s1; // [sp+6h] [bp-4Ah]@1   destination of the sscanf below: a single byte on the stack
  char s; // [sp+7h] [bp-49h]@1    start of the 0x31-byte stack buffer that immediately follows it
  char v10; // [sp+8h] [bp-48h]@6
  char v11; // [sp+9h] [bp-47h]@7

  v2 = a1;
  v3 = a2;                 // a2 points at the raw request received from the client
  s1 = 0;
  memset(&s, 0, 0x31u);    // clears the fixed 0x31-byte buffer
  sscanf(v3, "%s", &s1);   // "%s" carries no width, so the whole request token is copied over s1, s and whatever lies above them on the stack
-- snip --

The function hands the request to sscanf with a bare "%s" conversion. That conversion has no length limit, so it copies the entire token from the client into a fixed-size stack buffer; a request longer than the buffer overwrites the adjacent stack, including the saved return address, which is why the crash above faults at 0x41414140, an address built from the 'A' bytes of the request.
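The corrective pattern for this class of bug is a bounded conversion with an explicit over-length check. The C below is an added example, not Trane's firmware or Talos's code: it models the 0x31-byte stack buffer from the decompilation above and shows sscanf with a width plus an "%n" check that rejects the advisory's 200-byte request instead of overflowing; REQ_BUF_LEN, the function names and the "STATUS" token are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the 0x31-byte stack buffer iHer_discProParseRequest clears
 * with memset() before calling sscanf(); the size comes from the
 * decompilation above, the rest of this file is an assumption. */
#define REQ_BUF_LEN 0x31

/* Hardened replacement for the advisory's sscanf(v3, "%s", &s1).
 * "%48s" caps the copy at 48 chars plus NUL (fits REQ_BUF_LEN exactly);
 * "%n" records how many bytes were consumed so an over-long token is
 * rejected instead of silently truncated into a different command.
 * Returns 0 if the first token fit, -1 if the request is empty or too long. */
int parse_request_bounded(const char *req, char out[REQ_BUF_LEN])
{
    int consumed = 0;

    memset(out, 0, REQ_BUF_LEN);
    if (sscanf(req, "%48s%n", out, &consumed) != 1)
        return -1;                            /* no token at all */
    /* sscanf stopped at 48 chars; if the next byte still belongs to the
     * token, the request would have overflowed the fixed buffer. */
    if (req[consumed] != '\0' && !isspace((unsigned char)req[consumed]))
        return -1;
    return 0;
}

/* Feeds the parser the advisory's crash input ("A" * 200 + "\r\n",
 * constructed here) and reports whether it was rejected. */
int overlong_request_rejected(void)
{
    char buf[REQ_BUF_LEN], req[203];

    memset(req, 'A', 200);
    memcpy(req + 200, "\r\n", 3);
    return parse_request_bounded(req, buf) == -1;
}

int main(void)
{
    char buf[REQ_BUF_LEN];   /* "STATUS" below is a constructed sample token */

    printf("200-byte request rejected: %d\n", overlong_request_rejected());
    printf("short request accepted:    %d\n",
           parse_request_bounded("STATUS\r\n", buf) == 0);
    return 0;
}
```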

Credit

Discovered by Matt Watchinski and Christopher McBee of Cisco Talos

Timeline

2014-04-09 - Initial contact with Trane is established. Advisories delivered.
2014-06-03 - Second attempt to contact Trane for follow up. No response received.
2014-08-15 - Third attempt made to contact Trane for follow up. No response received.
2014-09-30 - Fourth attempt to contact Trane is made. Advisories re-sent. No further correspondence.
2015-05-26 - CERT/CC notified. CERT attempts to establish contact with Trane, but receives no response.
2015-07-13 - Fifth and final attempt to contact Trane is made. Communication is reestablished. Advisories re-sent.
2015-08-19 - Talos follows up with Trane. No patch available.
2015-09-30 - Talos follows up with Trane again. No patch available.
2015-10-19 - Talos follows up with Trane again. No patch available.
2016-01-26 - Talos follows up with Trane again. Trane informs Talos that firmware version 4.0.3 is being released that week which addresses TALOS-2015-028.
2016-01-27 - Trane makes firmware version 4.0.3 available to the public.
2016-02-08 - Talos and CERT/CC disclose these vulnerabilities.