Aqara Hub M2
- 4.3.6_0027
A NULL-pointer dereference vulnerability has been identified in multiple Aqara Hub devices, including the Hub M2, Hub M3, and Camera Hub G3, in specific firmware versions. The flaw lies in the devices' JSON processing: the application fails to validate pointers returned by a modified JsonCpp library before dereferencing them. As a result, an attacker can send malformed JSON input that causes a segmentation fault and crashes the application. The issue is compounded by similar weaknesses in CoAP payload parsing, where missing or invalid data can also lead to NULL pointer dereferences.
Exploitation causes the application to crash, creating a denial-of-service condition. The vulnerability can be triggered remotely and without authentication by sending malformed JSON or CoAP payloads.
The vulnerability can be reproduced by sending a JSON message that omits expected fields, such as the 'name' field, which will cause the application to crash due to a NULL pointer dereference. Alternatively, the CoAP RX Discovery Handler can be exploited by sending a payload with an invalid port format, such as an IP address without a port number, which also leads to a crash when the parsing function attempts to process the NULL value.
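The root cause described above is an unchecked pointer returned by a field lookup, plus a port parser that assumes the port component is always present. The following C++ is an added illustration written for this advisory; it is not code from Aqara or from JsonCpp. It stands in for the modified library with a hypothetical `findField` helper that returns `nullptr` for an absent key (a constructed `std::map` replaces the real parsed JSON object), shows the unchecked dereference next to a checked handler, and adds a `parseHostPort` validator for the discovery payload case. All sample messages, host strings, and the `Status` codes are constructed for this example.

```cpp
#include <cstdlib>
#include <map>
#include <string>

// Constructed stand-in for a parsed JSON object (not JsonCpp's Json::Value).
using JsonObject = std::map<std::string, std::string>;

// Hypothetical lookup mirroring the advisory's description of the modified
// library: returns a pointer to the field's value, or nullptr when absent.
const std::string* findField(const JsonObject& obj, const std::string& key) {
    auto it = obj.find(key);
    return it == obj.end() ? nullptr : &it->second;
}

// Constructed return codes for the checked handlers.
enum Status { STATUS_OK = 0, STATUS_MISSING_FIELD = 1, STATUS_BAD_PORT = 2 };

// Vulnerable pattern: the pointer is dereferenced without a NULL check, so a
// message that omits "name" faults here. Shown for contrast; never called below.
size_t nameLengthUnchecked(const JsonObject& msg) {
    const std::string* name = findField(msg, "name");
    return name->size();  // NULL pointer dereference when "name" is absent
}

// Hardened pattern: validate the pointer and reject the message instead of crashing.
int validateName(const JsonObject& msg, std::string& out) {
    const std::string* name = findField(msg, "name");
    if (name == nullptr || name->empty()) {
        return STATUS_MISSING_FIELD;
    }
    out = *name;
    return STATUS_OK;
}

// Discovery payload check: "host:port" must carry a numeric port in 1..65535.
// Handles the advisory's failure case (an address with no port) by returning an
// error rather than handing a missing value to later parsing. IPv4 hosts only.
int parseHostPort(const std::string& text, std::string& host, int& port) {
    std::string::size_type colon = text.rfind(':');
    if (colon == std::string::npos || colon + 1 >= text.size()) {
        return STATUS_BAD_PORT;  // no ':' at all, or nothing after it
    }
    host = text.substr(0, colon);
    std::string portText = text.substr(colon + 1);
    char* end = nullptr;
    long value = std::strtol(portText.c_str(), &end, 10);
    if (end == portText.c_str() || *end != '\0' || value < 1 || value > 65535) {
        return STATUS_BAD_PORT;  // non-numeric or out-of-range port
    }
    port = static_cast<int>(value);
    return STATUS_OK;
}

// Constructed sample messages.
JsonObject sampleWithName() { return JsonObject{{"name", "hub-m2"}, {"id", "1"}}; }
JsonObject sampleWithoutName() { return JsonObject{{"id", "1"}}; }

// Convenience wrappers that return a single value for easy checking.
int nameStatus(const JsonObject& msg) {
    std::string name;
    return validateName(msg, name);
}
int portOf(const std::string& text) {
    std::string host;
    int port = 0;
    return parseHostPort(text, host, port) == STATUS_OK ? port : -1;
}

int main() {
    // Both malformed inputs from the advisory are rejected instead of crashing.
    int a = nameStatus(sampleWithoutName());      // STATUS_MISSING_FIELD
    int b = portOf("192.0.2.10");                 // -1, port missing
    int c = portOf("192.0.2.10:5683");            // 5683
    return (a == STATUS_MISSING_FIELD && b == -1 && c == 5683) ? 0 : 1;
}
```

The defensive rule is the same in both handlers: any pointer or parsed component that may legitimately be absent is tested before use, and the message is dropped with an error code so a single malformed packet cannot take the service down.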