Zero Day Initiative | Blog

From Pwn2Own Automotive: More Autel Maxicharger Vulnerabilities

Researchers from Computest Sector 7 and PHP Hooligans / Midnight Blue identified and exploited two stack-based buffer overflow vulnerabilities in the Autel Maxicharger firmware version 1.32 at Pwn2Own Automotive 2024. Autel has deployed a firmware update, version 1.35, to address both vulnerabilities.

The first vulnerability, CVE-2024-23967, is caused by the decoding of base64 encoded data that can be controlled by an attacker, leading to a stack buffer overflow and remote code execution. The vulnerable function is responsible for handling ACMP messages received from a websockets server. The patch for the first vulnerability adds a length check to ensure the base64 encoded string is less than 1366 bytes before decoding it into a 1024-byte stack buffer. However, this patch is not ideal as it only protects against a buffer overflow in this specific function, and other code that may call the base64_decode function could introduce another buffer overflow.

The second vulnerability, CVE-2024-23957, is caused by the decoding of a large hex string into a fixed-size stack buffer with no bounds checking. The vulnerable function is related to the Dynamic Load Balancing protocol that distributes a power load between a network of EV chargers. The patch for this vulnerability adds a length check to ensure the hex-encoded key length is less than 33 bytes before decoding it into a 16-byte stack buffer.

Both patches are valid but could be more effective if the length of the output buffer was passed to the decoding functions so they can internally ensure a buffer overflow cannot happen. Autel's response to the vulnerabilities and release of a patch is a positive sign, but EV charger vendors need to improve their product security to mitigate safety risks.
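The following is an added example, not Autel firmware code, showing the fix the post recommends for both bugs: base64 and hex decoders that receive the output buffer's capacity and refuse to write past it, so every caller is protected rather than only the one handler that gained a length check. The 1024-byte ACMP buffer and 16-byte DLB key buffer are taken from the post; the function names `handle_acmp_message` and `parse_dlb_key`, the message layout and the sample inputs are assumptions constructed for the example.

```c
// Added example (not Autel's code): decoders that take the output capacity.
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

static int b64_val(char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

// Decodes in[0..in_len) into out. Returns bytes written, or -1 on malformed
// input or when the output would exceed out_cap. Never writes past out_cap.
long base64_decode(const char *in, size_t in_len, uint8_t *out, size_t out_cap) {
    if (in_len % 4 != 0) return -1;
    size_t written = 0;
    for (size_t i = 0; i < in_len; i += 4) {
        int v[4], pad = 0;
        for (int k = 0; k < 4; k++) {
            char c = in[i + k];
            if (c == '=') {
                // '=' is only legal in the last two slots of the final quad
                if (i + 4 != in_len || k < 2) return -1;
                pad++;
                v[k] = 0;
            } else {
                if (pad) return -1;            // data after padding
                v[k] = b64_val(c);
                if (v[k] < 0) return -1;
            }
        }
        size_t n = 3 - (size_t)pad;
        // Capacity travels with the buffer: the check happens before each write,
        // so the caller's buffer size is enforced regardless of who calls.
        if (written + n > out_cap) return -1;
        uint32_t triple = ((uint32_t)v[0] << 18) | ((uint32_t)v[1] << 12) |
                          ((uint32_t)v[2] << 6) | (uint32_t)v[3];
        out[written++] = (uint8_t)(triple >> 16);
        if (n > 1) out[written++] = (uint8_t)(triple >> 8);
        if (n > 2) out[written++] = (uint8_t)triple;
    }
    return (long)written;
}

static int hex_val(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

// Decodes a hex string into out; the size check happens before any write.
long hex_decode(const char *in, size_t in_len, uint8_t *out, size_t out_cap) {
    if (in_len % 2 != 0 || in_len / 2 > out_cap) return -1;
    for (size_t i = 0; i < in_len; i += 2) {
        int hi = hex_val(in[i]), lo = hex_val(in[i + 1]);
        if (hi < 0 || lo < 0) return -1;
        out[i / 2] = (uint8_t)((hi << 4) | lo);
    }
    return (long)(in_len / 2);
}

// Hypothetical ACMP handler with the post's 1024-byte stack buffer.
// Returns the decoded length, or -1 when the message is rejected.
long handle_acmp_message(const char *b64) {
    uint8_t payload[1024];
    return base64_decode(b64, strlen(b64), payload, sizeof payload);
}

// Hypothetical DLB key parser with the post's 16-byte stack buffer.
// Returns 1 when exactly 16 key bytes were decoded, otherwise 0.
int parse_dlb_key(const char *hex) {
    uint8_t key[16];
    return hex_decode(hex, strlen(hex), key, sizeof key) == 16;
}

// Decodes b64 and compares with expected; 1 on match, 0 otherwise.
int b64_decodes_to(const char *b64, const char *expected) {
    uint8_t buf[64];
    long n = base64_decode(b64, strlen(b64), buf, sizeof buf);
    return n >= 0 && (size_t)n == strlen(expected) && memcmp(buf, expected, (size_t)n) == 0;
}

// Constructed input: 1368 'A's decode to 1026 bytes (two too many) and must be
// rejected, while the 1364-char tail decodes to 1023 bytes and fits.
int oversized_acmp_rejected(void) {
    static char big[1369];
    memset(big, 'A', 1368);
    big[1368] = '\0';
    return handle_acmp_message(big) == -1 && handle_acmp_message(big + 4) == 1023;
}

int main(void) {
    printf("hello decodes: %d\n", b64_decodes_to("aGVsbG8=", "hello"));
    printf("oversized ACMP rejected: %d\n", oversized_acmp_rejected());
    printf("16-byte key accepted: %d\n", parse_dlb_key("00112233445566778899aabbccddeeff"));
    printf("17-byte key rejected: %d\n", parse_dlb_key("00112233445566778899aabbccddeeff00"));
    return 0;
}
```

The point of the design is that the size check cannot be forgotten by a new caller: the decoder itself owns it, and a message that does not fit is rejected before the first out-of-bounds byte is written rather than after a caller-side string-length comparison that has to be repeated at every call site.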