Three Buffer Overflows, an OOB read, and a Type Confusion within Mercedes-Benz Cars

We discussed this vulnerability during Episode 77 on 18 May 2021

Plenty of background here, both in terms of software, architecture, and testing environment. Probably worth checking out if you want to get into car hacking. The vulnerabilities covered are in the HiQNet protocol. Three of them are a count field not being validated, allocating a fixed buffer, and reading an “unlimited” count of things into them. One was an unchecked length field in the proto header, it would use this to skip in memory to the next message, so an attacker gets an OOB read out of it. The most interesting vulnerability was a type confusion in MultiSvSetAttributes where you can set multiple attributes of an Sv object. For each attribute id you also provide a new type and new value. It’ll dereference the memory and treat it as the new type setting its default value before writing the new value to it. Because it doesn’t actually convert or otherwise deal with changing types, if the new type is larger than the old type you’ll get a potential overflow from the confusion.

They also go into exploiting this, using the vulnerability to corrupt a string’s length field to get a read primitive and leak addresses for ASLR defeat, and corrupting a vtable entry for code execution.