Full Report
Pwn2Own has an automotive category for hacking cars. They decided to tackle the CHARX system because A) the product was very different from other similar products and B) the firmware was easy to obtain. It runs an embedded Linux on 32-bit ARM with SSH enabled for easy access. Much of the code on the system was compiled Python, but they did find the Controller Service Agent, which was written in C++. This service communicates between the various CHARX units and manages AC charging and a vehicle-to-grid protocol, with comms over UDP, TCP and the HomePlug Green PHY protocol.

The first vulnerability they found was a null pointer dereference in the HomePlug Green PHY protocol handling. The parsing code for the minimal implementation reads the size of a structure from bytes 4 and 5 instead of bytes 5 and 6. As a result, the parsing goes haywire and eventually leads to a null pointer dereference. Off by one strikes again!

The second bug is more interesting. While using GDB, they found that the exit handlers were causing crashes. In the C++ binary, many of the exit handlers are implicitly added by the compiler for static objects: since these objects are global, their destructors have to run at exit to close them out. Additionally, the binary has several signal handlers. The exit handlers for static objects seem to run in a random order when no order is specified. The authors give a toy example where the destructor of one object type runs after the destructor of another object type. Because of this ordering, if one object's destructor interacts with the already-destroyed object, it leads to a UAF! In the Controller Agent code, this exact bug occurs in a more complicated way: a list is already gone but is still being accessed, leading to a UAF!

Since we want this destructor to run at will, the null pointer dereference is a perfect bug for us. In the second post, they go through the exploitation of this bug.
Analysis Summary
# Vulnerability: Phoenix Contact CHARX Controller Agent Memory Corruption
## CVE Details
- **CVE ID:** CVE-2024-26005 (Destructor UAF), CVE-2024-26003 (Null Pointer Dereference)
- **CVSS Score:** 8.8 (High) - per ZDI-24-861
- **CWE:** CWE-416 (Use After Free), CWE-476 (NULL Pointer Dereference)
## Affected Systems
- **Products:** Phoenix Contact CHARX SEC-3100 (AC Charging Controller)
- **Versions:** Firmware versions prior to the patches released following Pwn2Own Automotive 2024.
- **Configurations:** Systems with the `Controller Agent` service running and accessible via the ETH1 interface or the HomePlug Green PHY protocol.
## Vulnerability Description
Research into the CHARX SEC-3100 revealed two chained vulnerabilities within the C++ `Controller Agent` binary:
1. **HomePlug Green PHY Null Pointer Dereference (CVE-2024-26003):** An "off-by-one" error in the protocol parsing logic. The code reads a structure size from bytes 4 and 5 instead of 5 and 6. This causes the parser to process incorrect data, ultimately leading to a null pointer dereference and a process crash.
2. **C++ Destructor Use-After-Free (CVE-2024-26005):** A sophisticated flaw involving implicit C++ destruction order. When the `Controller Agent` shuts down, static objects are destroyed in a non-deterministic order. The `ControllerAgent` object's `std::list` (managing sessions) is freed before the `ClientConnectionManagerTcp`. When the manager then attempts to clean up active TCP connections, it calls back into the already-destructed `std::list` to invalidate sessions, resulting in a Use-After-Free.
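The static-destruction-order hazard from the walkthrough above and from item 2, as an added C++ example (not code from the ret2 post or the CHARX firmware; `SessionList`, `TcpManagerRaw`, `TcpManagerShared` and `TcpManagerWeak` are hypothetical stand-ins): it puts the vulnerable raw-pointer shape next to two ownership fixes, each driven through the same bad teardown order in which the list's owner is torn down before the manager.

```cpp
#include <list>
#include <memory>

// Toy model of the destructor-order hazard described above (added example, not
// ret2's or Phoenix Contact's code; all names are hypothetical): a session list
// owned by one static object, a TCP manager owned by another, and a manager
// destructor that calls back into the list at exit.
struct SessionList {
    std::list<int> sessions{1, 2, 3};   // constructed sample sessions
    int invalidate_all() { int n = (int)sessions.size(); sessions.clear(); return n; }
};
// Vulnerable shape: raw pointer to a list the manager does not own. If the
// list's destructor runs first, ~TcpManagerRaw is a use-after-free (CWE-416).
// Kept for comparison only; never instantiated here.
struct TcpManagerRaw {
    SessionList* list;
    ~TcpManagerRaw() { list->invalidate_all(); }
};
// Fix 1: shared ownership keeps the list alive until its last holder is gone,
// so the order in which static destructors run no longer matters.
struct TcpManagerShared {
    std::shared_ptr<SessionList> list;
    int* result;                        // destructor reports its work here
    ~TcpManagerShared() { *result = list->invalidate_all(); }
};
// Fix 2: a weak reference lets the manager notice the list is already gone
// and skip the cleanup instead of touching freed memory.
struct TcpManagerWeak {
    std::weak_ptr<SessionList> list;
    int* result;
    ~TcpManagerWeak() {
        auto live = list.lock();
        *result = live ? live->invalidate_all() : 0;   // 0: list expired, skipped
    }
};
// Both drivers reproduce the bad order seen on the CHARX: the list's owner is
// torn down before the manager. Each returns how many sessions were invalidated.
int shutdown_shared() {
    int invalidated = -1;
    auto list = std::make_shared<SessionList>();
    { TcpManagerShared mgr{list, &invalidated}; list.reset(); }  // mgr keeps it alive
    return invalidated;                                          // 3
}
int shutdown_weak() {
    int invalidated = -1;
    auto list = std::make_shared<SessionList>();
    { TcpManagerWeak mgr{list, &invalidated}; list.reset(); }    // list really freed
    return invalidated;                                          // 0, no UAF
}
```

The same reordering that would make `TcpManagerRaw` dereference freed memory is harmless for both fixed managers, which is the property a patch for this class of bug needs to guarantee.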
## Exploitation
- **Status:** PoC developed and demonstrated at Pwn2Own Automotive 2024.
- **Complexity:** High (requires triggering a specific shutdown sequence and grooming memory).
- **Attack Vector:** Network (Adjacent/Network via ETH1/HomePlug Green PHY).
- **Note:** The Null Pointer Dereference is used as a "trigger" to force the process into the vulnerable exit state required for the UAF.
## Impact
- **Confidentiality:** High (Potential for Remote Code Execution)
- **Integrity:** High (Potential for Remote Code Execution)
- **Availability:** High (Service crash and device instability)
## Remediation
### Patches
- Users should update to the latest firmware versions provided by Phoenix Contact. Refer to the manufacturer’s security advisory portal for version-specific updates released post-January 2024.
### Workarounds
- Restrict access to the ETH1 interface to trusted devices only.
- Implement network-level filtering to block unauthorized UDP/TCP traffic to port 4444 if the daisy-chaining feature is not required.
## Detection
- **Indicators of Compromise:** Unexpected crashing/restarting of the `CharxControllerAgent` service.
- **Detection Methods:** Use industrial network monitoring to watch for malformed HomePlug Green PHY packets, or for repeated connection attempts followed by termination of the service.
## References
- **ZDI Advisory (UAF):** [https://www.zerodayinitiative.com/advisories/ZDI-24-861/](https://www.zerodayinitiative.com/advisories/ZDI-24-861/)
- **ZDI Advisory (Null Deref):** [https://www.zerodayinitiative.com/advisories/ZDI-24-860/](https://www.zerodayinitiative.com/advisories/ZDI-24-860/)
- **Original Research:** [https://blog.ret2.io/2024/07/17/pwn2own-auto-2024-charx-bugs/](https://blog.ret2.io/2024/07/17/pwn2own-auto-2024-charx-bugs/)
- **Vendor Site:** [https://www.phoenixcontact.com/](https://www.phoenixcontact.com/)