CVE-2017-2866: TALOS-2017-0372 || Cisco Talos Intelligence Group
Summary
An exploitable vulnerability exists in the /api/CONFIG/backup functionality of Circle with Disney. Specially crafted network packets can cause an OS command injection. An attacker can send an HTTP request to trigger this vulnerability.
Tested Versions
Circle with Disney
Product URLs
https://meetcircle.com/
CVSSv3 Score
9.9 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE
CWE-77: Improper Neutralization of Special Elements used in a Command (‘Command Injection’)
Details
Vulnerable code exists in the backup API handler of the apid daemon ("/api/CONFIG/backup").
Vulnerable code listing:
.text:00415E10 loc_415E10:
.text:00415E10 lui $s0, 0x43
.text:00415E14 jal unlink
.text:00415E18 addiu $a0, $s0, (aMntSharesUs_15 - 0x430000) # "/mnt/shares/usr/bin/backup.bin"
.text:00415E1C la $s0, aMntSharesUs_15 # "/mnt/shares/usr/bin/backup.bin"
.text:00415E20 lui $a2, 0x43
.text:00415E24 lui $a3, 0x43
.text:00415E28 li $a1, 0x80 # maxlen
.text:00415E2C la $a2, aScreate_backup # "%screate_backup.sh %s %s"
.text:00415E30 la $a3, aMntSharesUs_16 # "/mnt/shares/usr/bin/scripts/"
.text:00415E34 addiu $a0, $sp, 0x21B0+var_F8 # s
.text:00415E38 sw $s0, 0x21B0+var_21A0($sp)
.text:00415E3C jal snprintf
.text:00415E40 sw $s2, 0x21B0+var_219C($sp)
.text:00415E44 jal system
Looking at the pseudocode of the above, we see the following:
if (strncmp((char *)request_url, "/api/CONFIG/", 12) == 0) {
    if (strcmp((char *)(request_url + 12), "backup") == 0) {
        appid_value = get_param_from_url("appid", 1);
        /* the only check applied to appid: it must be at least 20 characters long */
        if (appid_value != 0 && strlen((char *)appid_value) >= 20) {
            unlink("/mnt/shares/usr/bin/backup.bin");
            /* appid_value is pasted verbatim into a 128-byte command buffer ... */
            snprintf((char *)&cmd, 128, "%screate_backup.sh %s %s",
                     "/mnt/shares/usr/bin/scripts/",
                     "/mnt/shares/usr/bin/backup.bin",
                     (char *)appid_value);
            /* ... which is then handed to the shell */
            system((char *)&cmd);
        }
    }
}
As we can see, the appid parameter supplied by the user as a GET parameter is passed directly to the system call without any sanitization; the only check is that it is at least 20 characters long, which leads to command injection. This API is accessible to authenticated users, but taking into account the weak authentication vulnerability (TALOS-2017-0370/CVE-2017-2864), anyone can use this API.
An example of a URL that contains the command injection can look like this:
https://CIRCLE_IP:4567/api/CONFIG/backup?token=8CE2DAF0F3C9-iNvDFypBs0RXv2jy-20170621.085252&api=1.0&appid=AAAAAAAAAAAAAAAAAAAA;ls>/tmp/file_listing.txt
The twenty leading "A" characters satisfy the length check; everything after the ";" is executed by the shell as a second command.
Notes: For proper command/parameter separation, a malicious user needs to use tabs instead of spaces.
Timeline
2017-07-13 - Vendor Disclosure
2017-10-31 - Public Release
Discovered by Marcin 'Icewall' Noga, Cory Duplantis, Yves Younan, Claudio Bozzato, Lilith Wyatt <(^_^)>, Aleksandar Nikolic, and Richard Johnson of Cisco Talos.
Related news
An exploitable vulnerability exists in the generation of authentication token functionality of Circle with Disney. Specially crafted network packets can cause a valid authentication token to be returned to the attacker resulting in authentication bypass. An attacker can send a series of packets to trigger this vulnerability.