This blog highlights two vulnerabilities in the Autel Maxicharger firmware that were disclosed by researchers from Synacktiv at the Pwn2Own Automotive 2024 event, and how Autel responded to and patched them in its latest firmware release.

At the Pwn2Own event, the Synacktiv researchers demonstrated two distinct remote attacks against the Autel Maxicharger running firmware v1.32, each resulting in remote code execution (RCE). Autel was later informed of these issues and responded with firmware update v1.35 before ZDI published the research. The first vulnerability discussed in this blog was addressed in ZDI-24-851, and the second is covered by ZDI-24-852. In this blog, we describe the reverse engineering process used to find the vulnerabilities in the original firmware and how ZDI confirmed the corrected code in the new firmware.

The first vulnerability is in a Bluetooth function that handles charging control. The researchers were able to deliver malicious code inside a Bluetooth Low Energy (BLE) message, have it written into the target's memory, and redirect execution to it. This was possible because the v1.32 firmware did not limit the length of the client message it stores in memory: an attacker could place the malicious code in a message to the Autel charger, overflow the allocated receive buffer, and ultimately take control of the device.

We extracted both the v1.32 and v1.35 firmware versions from the Autel charger and reversed both binaries using Ghidra. Using Ghidra's Version Tracking feature, we compared the two firmware versions at the AppChargingControl function. As shown in the screenshot below, the left panel (v1.32) simply copies a client message of any length directly into memory. In the right panel (v1.35), Autel added a length check that limits the client message to the size of the memory buffer (0x3D bytes).
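To make the before/after concrete, here is an added C example that models the two handlers side by side. It is illustrative code written for this post, not Autel's firmware or Synacktiv's exploit: the memory layout (a 0x3D-byte receive buffer followed by a hypothetical control word), the message framing, the function names `charging_control_v132` / `charging_control_v135`, and the constant `CTRL_MAGIC` are all assumptions chosen to show the effect of the missing length check, and the payload is constructed inline.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Size of the BLE receive buffer reported in the post (0x3D bytes). */
#define RX_BUF_LEN 0x3D
/* Modelled RAM region: the receive buffer followed by a control word.
   This layout is an assumption for the example, not the real firmware's. */
#define DEV_MEM_LEN 128
#define CTRL_OFF RX_BUF_LEN

/* Hypothetical charging-control word that sits right after the buffer. */
static const uint32_t CTRL_MAGIC = 0xC0FFEE01u;

typedef struct {
    uint8_t mem[DEV_MEM_LEN];
} device_state;

/* A received BLE client message: pointer to payload and its length. */
typedef struct {
    const uint8_t *data;
    size_t len;
} ble_msg;

typedef int (*charging_handler)(device_state *, const ble_msg *);

static void device_init(device_state *d) {
    memset(d->mem, 0, sizeof d->mem);
    memcpy(d->mem + CTRL_OFF, &CTRL_MAGIC, sizeof CTRL_MAGIC);
}

/* v1.32-style handler: copies the client message with no bound on its length.
   The only cap here keeps the simulation inside the modelled RAM array; the
   real bug has no such stop and simply runs past the receive buffer. */
int charging_control_v132(device_state *d, const ble_msg *m) {
    size_t n = m->len > sizeof d->mem ? sizeof d->mem : m->len;
    memcpy(d->mem, m->data, n);   /* overflow: n may exceed RX_BUF_LEN */
    return 0;
}

/* v1.35-style handler: rejects messages longer than the receive buffer
   before copying, i.e. the length check Autel added in the patched firmware. */
int charging_control_v135(device_state *d, const ble_msg *m) {
    if (m->len > RX_BUF_LEN)
        return -1;                /* too long: drop the message */
    memcpy(d->mem, m->data, m->len);
    return 0;
}

/* True if the control word after the buffer still holds its original value. */
bool control_word_intact(const device_state *d) {
    uint32_t v;
    memcpy(&v, d->mem + CTRL_OFF, sizeof v);
    return v == CTRL_MAGIC;
}

/* Sends a constructed attacker payload of payload_len 'A' bytes to a handler.
   Returns 0 if accepted and memory intact, 1 if accepted but the control word
   was overwritten, -1 if the handler rejected the message. */
int simulate(charging_handler handler, size_t payload_len) {
    device_state d;
    uint8_t payload[DEV_MEM_LEN];
    ble_msg m;
    if (payload_len > sizeof payload)
        payload_len = sizeof payload;
    memset(payload, 'A', sizeof payload);
    m.data = payload;
    m.len = payload_len;
    device_init(&d);
    if (handler(&d, &m) != 0)
        return -1;
    return control_word_intact(&d) ? 0 : 1;
}

int main(void) {
    size_t lens[] = { RX_BUF_LEN, RX_BUF_LEN + 8 };
    for (size_t i = 0; i < 2; i++) {
        printf("len=0x%02zX  v1.32 -> %2d   v1.35 -> %2d\n", lens[i],
               simulate(charging_control_v132, lens[i]),
               simulate(charging_control_v135, lens[i]));
    }
    return 0;
}
```

A message of exactly 0x3D bytes is accepted by both versions and leaves the adjacent word untouched; one byte more is enough for the v1.32-style copy to clobber whatever follows the buffer, while the v1.35-style check rejects it outright. The check compares the client-supplied length against the buffer size before any copy, which is the property to look for when verifying the fix in a decompiled binary.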