Couple OOB Writes in Anker Eufy Homebase 2

We discussed this vulnerability during Episode 104 on 30 November 2021

In the recv_server-device_response_msg_process() handler, a nums field gets pulled out of the packet’s JSON payload, and is used to represent the total number of UDP server domains. The application then iterates based on this field, looking for its respective domain%d key in the JSON. If the key is found, the value (maximum of 0x80 bytes) is copied out to an offset calculated based on the current iteration count.

As there is no bounds checking, and the destination is a fixed size region of memory, by proving a high nums value attacker controlled data can be written well beyond the expected memory region. Additionally as the loop will not write any data if the domain%d an exploit could avoid smashing too much data on the way ot a desired target by providing an high nums value and only one domain%d value.

This same bug also exists in the read_udp_push_config_file() path.