Talos Vulnerability Report

TALOS-2017-0420

Circle with Disney libbluecoat.so SSL TLD MITM Vulnerability

October 31, 2017
CVE Number

CVE-2017-2913

Summary

An exploitable vulnerability exists in filtering functionality of Circle with Disney. SSL certificates for specific domain names can cause the Bluecoat library to accept a different certificate than intended. An attacker can host an HTTPS server with this certificate to trigger this vulnerability.

Tested Versions

Circle with Disney 2.0.1

Product URLs

https://meetcircle.com/

CVSSv3 Score

8.1 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-300: Channel Accessible by Non-Endpoint (‘Man-in-the-Middle’)

Details

Circle with Disney is a network device used to monitor and restrict internet use of children on a given network. When connected to a given network and configured, it immediately begins arp poisoning all filtered devices on the network, such that it can validate and restrict all traffic as is seen fit by the parent/administrator of the device.

Libbluecoat.so is a shared library linked into the timetracker and filterd binaries within the Disney Circle, and is the communications mechanism through which the Disney Circle can talk to the Blue Coat Systems API. If the Circle doesn’t know what to do with a given DNS name or IP address that has been requested by a filtered device, it will ask the Blue Coat infrastructure, and take the appropriate action as determined by Blue Coat. Whenever a new destination address is seen, and it is not found within the local ‘bluecache’ (a custom hash table cache stored on the device) libbluecoat will query outbound to find the designated action, and then cache the result. The timetracker and filterd services act on different network activities, however the end result is the same. In total, they end up covering TCP, UDP, and the IP protocols used for VPNs, ESP and GRE. It’s also worth noting that there are more product specific codeflows, such as one for the Google Mobilizer Proxy.

In more detail, both binaries call the same library function, bluecoat_query, which leads to the main control flow, inside of the do_bluecoat_query function. This function sets up an SSL connection to sp.cwfservice.net, a Blue Coat Systems controlled domain, and then does a rather simple request.

 aGet2RSCmiCircl:.ascii "GET /2/R/%s/CMI-CIRCLE01/0/GET/dns/%s/80/ HTTP/1.1\r\n"
.rodata:000048D8 .ascii "User-Agent: Circle \r\n"
.rodata:000048D8 .ascii "Host: http://sp.cwfservice.net\r\n"
.rodata:000048D8 .ascii "\r\n"<0>

Where by the first ‘%s’ is the unique mac address of the Circle making the request, and the second ‘%s’ is the DNS name in question, which could potentially be some sensitive information.

Regardless, backing up a little bit, there is some SSL validation that occurs before this information is ever transmitted.

do_bluecoat_query+228                  la      $t9, X509_get_subject_name 
do_bluecoat_query+22C                  move    $a0, $v0
do_bluecoat_query+230                  jalr    $t9 ; X509_get_subject_name [1]
do_bluecoat_query+234                  sb      $zero, 0x618+X509_oneline_dst_buff($sp)
do_bluecoat_query+238                  lw      $gp, 0x618+var_600($sp)
do_bluecoat_query+23C                  addiu   $s0, $sp, 0x618+X509_oneline_dst_buff
do_bluecoat_query+240                  la      $t9, X509_NAME_oneline
do_bluecoat_query+244                  move    $a1, $s0
do_bluecoat_query+248                  move    $a0, $v0
do_bluecoat_query+24C                  jalr    $t9 ; X509_NAME_oneline [3]
do_bluecoat_query+250                  li      $a2, 0x400 
do_bluecoat_query+254                  lw      $gp, 0x618+var_600($sp)

As shown at [1] libbluecoat.so gets the X509 subject name of the certificate, and then at [2], uses this to call X509_NAME_oneline, which grabs a lot of the information from the certificate attributes, joins it all into one line, and then stores it into a buffer on the stack [3] of max size 0x400. An example return string might be:

`/C=US/ST=Sad/L=boop/O=<(^_^)>/CN=boopdoop.net`

While the interesting behavior of the X509_NAME_oneline can lead to some other vulnerabilites, like including the string ‘CN=*.sp.cwfservice.net” inside of another attribute ( For a great writeup of this: [https://langui.sh/2016/01/29/x509-name-oneline/])(https://langui.sh/2016/01/29/x509-name-oneline/) ) , however, due to reasons mentioned a little further down, the binary was not vulnerable to this, as we could not get a certificate signed by the specific CA to be formed as such.

However, due to how they actually check the Common Name attribute of the SSL cert, the binary was left vulnerable to another attack vector:

do_bluecoat_query+23C                  addiu   $s0, $sp, 0x618+X509_oneline_dst_buff
[...]
do_bluecoat_query+258                  move    $a0, $s0         # haystack [1]
do_bluecoat_query+25C                  li      $a1, 0
do_bluecoat_query+260                  la      $t9, strstr
do_bluecoat_query+264                  nop
do_bluecoat_query+268                  jalr    $t9 ; strstr [3]
do_bluecoat_query+26C                  addiu   $a1, aCnSp_cwfservic  # "CN=sp.cwfservice.net" [2]
do_bluecoat_query+270                  lw      $gp, 0x618+var_600($sp)
do_bluecoat_query+274                  beqz    $v0, loc_2B88
do_bluecoat_query+278                  nop
do_bluecoat_query+27C                  li      $fp, 0x10000
do_bluecoat_query+280                  nop
do_bluecoat_query+284                  lw      $v0, (x509_store_initialized_15360 - 0x10000)($fp)
do_bluecoat_query+288                  nop
do_bluecoat_query+28C                  beqz    $v0, loc_28A0
do_bluecoat_query+290                  nop
do_bluecoat_query+294                  li      $v1, 0x10000
do_bluecoat_query+298                  nop                      # Cert already inited
do_bluecoat_query+29C                  sw      $v1, 0x618+var_30($sp)
do_bluecoat_query+2A0

Picking up from where we left off, we continue from immediately after the X509_NAME_oneline() function call [1], with the X509_NAME_online string stored in $s0. This string is compared is compared against “CN=sp.cwfservice.net” [2], with the strstr() function [3], which returns a pointer to the first match of register $a1 in $a0 (and NULL otherwise).

Since this is the only check upon the Common Name attribute, it becomes possible to bypass this check by buying the following domain: cwfservice.network.

The return value from X509_oneline_name will look as such:

"/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=sp.cwfservice.network”

And then the resulting call to strstr will return CN=sp.cwfservice.network.

It should be cautioned that certificate presented by the MITM server needs to have its trust chain signed by the Entrust CA. The binary has a CA DER-encoded cert chain located inside that is read into memory and then utilized to validate the outbound SSL connection.

Timeline

2017-08-29 - Vendor Disclosure
2017-10-31 - Public Release

Credit

Discovered by Lilith Wyatt and Claudio Bozzato of Cisco Talos.