CVE-2023-33383
Description
Shelly 4PM Pro four-channel smart switch 0.11.0 allows an attacker to trigger a BLE out of bounds read fault condition that results in a device reload.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Shelly/4PM Pro four-channel smart switch
Patches
Vulnerability mechanics
Root cause
"Missing bounds validation on BLE write data length allows an out-of-bounds read fault."
Attack vector
An attacker within BLE range connects to the device and writes an arbitrary length value to handle 0x000d, then writes a payload larger than expected to handle 0x0008. This causes an out-of-bounds read fault that forces a device reset [ref_id=1]. The fault can be chained with the device's scripting feature to toggle on-board relays, even when authentication is enabled [ref_id=1]. No authentication is required to trigger the fault [ref_id=1].
Affected code
The vulnerability resides in the BLE GATT service of the Shelly 4PM Pro firmware 0.11.0. The write to BLE handle 0x000d sets an arbitrary length field, and a subsequent write to read/write handle 0x0008 with a larger payload than expected triggers the out-of-bounds read fault [ref_id=1].
What the fix does
As of the public disclosure date (2 August 2023), no patch had been released by the vendor [ref_id=1]. The advisory recommends that the vendor validate the length of data written to BLE handle 0x0008 against the expected RPC JSON data length to prevent the out-of-bounds read [ref_id=1].
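The check the advisory asks for, as an added illustration that is not Shelly's firmware or anything from the referenced advisory: a hypothetical model of a BLE RPC receive path in which one characteristic takes a 4-byte big-endian length and a second takes the RPC JSON in fragments (the encoding, the 64-byte buffer and every identifier are assumptions). The hardened handler validates the peer-supplied length against the buffer capacity before storing it and rejects any data fragment that would exceed the declared length; a side function models the unchecked path for contrast without performing any memory access.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model (not Shelly firmware): one characteristic receives a
 * 4-byte big-endian length, a second receives the RPC JSON in fragments. */
#define RPC_BUF_SIZE 64

typedef struct {
    uint32_t declared_len;          /* value written to the "length" characteristic */
    size_t   received;              /* bytes accumulated so far */
    uint8_t  rpc_buf[RPC_BUF_SIZE]; /* fixed-size storage for the RPC JSON */
} ble_rpc_ctx;

typedef enum {
    RPC_OK = 0,
    RPC_ERR_BAD_LEN_WRITE,  /* length write was not a usable 4-byte value */
    RPC_ERR_TOO_LARGE,      /* declared length exceeds rpc_buf */
    RPC_ERR_NO_LEN,         /* data arrived before a length was declared */
    RPC_ERR_OVERFLOW        /* fragment would exceed the declared length */
} rpc_status;

void ble_rpc_init(ble_rpc_ctx *ctx) { memset(ctx, 0, sizeof *ctx); }

/* Write to the length characteristic. The value is peer-controlled, so it is
 * checked against the buffer capacity before it is stored. */
rpc_status on_length_write(ble_rpc_ctx *ctx, const uint8_t *val, size_t n) {
    if (n != 4) return RPC_ERR_BAD_LEN_WRITE;
    uint32_t len = ((uint32_t)val[0] << 24) | ((uint32_t)val[1] << 16) |
                   ((uint32_t)val[2] << 8)  |  (uint32_t)val[3];
    if (len == 0) return RPC_ERR_BAD_LEN_WRITE;
    if (len > RPC_BUF_SIZE) return RPC_ERR_TOO_LARGE;
    ctx->declared_len = len;
    ctx->received = 0;
    return RPC_OK;
}

/* Hardened write to the data characteristic: a fragment is accepted only if
 * it fits in the remaining declared length (and therefore in rpc_buf).
 * received <= declared_len is an invariant, so the subtraction cannot wrap. */
rpc_status on_data_write_checked(ble_rpc_ctx *ctx, const uint8_t *frag, size_t n) {
    if (ctx->declared_len == 0) return RPC_ERR_NO_LEN;
    if (n > ctx->declared_len - ctx->received) return RPC_ERR_OVERFLOW;
    memcpy(ctx->rpc_buf + ctx->received, frag, n);
    ctx->received += n;
    return RPC_OK;
}

/* True once exactly the declared number of bytes has arrived and parsing may start. */
bool rpc_message_complete(const ble_rpc_ctx *ctx) {
    return ctx->declared_len != 0 && ctx->received == ctx->declared_len;
}

/* Model of the unchecked path, for contrast only (it touches no memory): an
 * append at offset `received` with no comparison against the declared length
 * or the buffer would cover bytes [received, received + n). This reports
 * whether that span extends past either bound. */
bool unchecked_append_would_overrun(const ble_rpc_ctx *ctx, size_t n) {
    size_t end = ctx->received + n;
    return end > ctx->declared_len || end > RPC_BUF_SIZE;
}
```

With a declared length of 1, a 1-byte fragment completes the message and a following 2-byte fragment is refused with `RPC_ERR_OVERFLOW`, while the unchecked model reports that the same fragment would run past the declared length; the hardened handler never copies it, so the parser only ever sees a buffer whose contents match the length it was told to expect.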
Preconditions
- network: Attacker must be within BLE radio range of the target Shelly 4PM Pro device
- auth: No authentication required; the fault triggers regardless of whether authentication is enabled
Reproduction
The public PoC uses the `gatttool` utility. First, connect to the device (example MAC `c8:f0:9e:88:92:3e`). Write `00000001` to handle `0x000d` to set an arbitrary length. Then write `ab` to handle `0x0008`, followed by `abcd` to handle `0x0008`. The device will reset after a few seconds [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.