Circle with Disney Apid Strstr Authentication Bypass Vulnerability(CVE-2017-2914)

09 Nov 2017 00:00:00 | Reported by Root | Type: seebug | Source: www.seebug.org

An exploitable authentication bypass vulnerability exists in the API daemon of Circle with Disney running firmware 2.0.1. A specially crafted token can bypass the authentication routine of the apid binary, causing the device to grant unintended administrative access.

The apid binary is a web server listening on the Disney Circle, serving as the main API for user functionality. The token is always 0x2d characters long and consists of three subsections.

When the apid server checks a provided token, it first makes sure that the token is of length 0x2d. If not, we get an error; otherwise it goes through the following code. It opens the “/mnt/shares/usr/bin/app_list” file and stores the file descriptor in $s1. It then reads the file line by line and tries to match each line against the provided token.

The app_list file actually contains a lot more than just a list of token entries, so, due to how strstr works, as long as we can match any length 0x2d substring within a given line, the bypass occurs.

The appid is a SHA-1 hash generated by the admin's phone, and is saved upon initial syncing of the phone, when the admin needs to use the token api call (/api/TOKEN)
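The flawed check described above, next to a whole-entry comparison, as an added example that is not code from the advisory or from the apid binary. The sample lines, the function names and the one-token-per-line layout used by the hardened check are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define TOKEN_LEN 0x2d /* token length the page says apid enforces */

/* Constructed stand-in for app_list; the real file layout is not on the page. */
static const char *const LINES[] = {
    "label=constructed-example-application; note=this line is not a token entry",
    "0123456789" "abcdefghij" "0123456789" "abcdefghij" "01234", /* 45-char entry */
};
#define NLINES (sizeof LINES / sizeof LINES[0])

/* Check as the page describes it: length test, then strstr() per line. */
int check_strstr(const char *token) {
    if (strlen(token) != TOKEN_LEN) return 0;
    for (size_t i = 0; i < NLINES; i++)
        if (strstr(LINES[i], token)) return 1; /* any 45-byte window of a line passes */
    return 0;
}

/* Hardened form (assumption: a token entry occupies a whole line): the stored
 * line must be exactly TOKEN_LEN long and equal under a constant-time compare. */
int check_exact(const char *token) {
    int ok = 0;
    if (strlen(token) != TOKEN_LEN) return 0;
    for (size_t i = 0; i < NLINES; i++) {
        unsigned char diff = 0;
        if (strcspn(LINES[i], "\r\n") != TOKEN_LEN) continue; /* not a token entry */
        for (size_t j = 0; j < TOKEN_LEN; j++)
            diff |= (unsigned char)(LINES[i][j] ^ token[j]);
        ok |= (diff == 0);
    }
    return ok;
}

/* Feed a check a 45-byte slice cut from the non-token line (index 0). */
int slice_accepted(int (*check)(const char *)) {
    char slice[TOKEN_LEN + 1] = {0};
    memcpy(slice, LINES[0] + 6, TOKEN_LEN);
    return check(slice);
}

int main(void) {
    printf("strstr check: slice=%d token=%d\n", slice_accepted(check_strstr), check_strstr(LINES[1]));
    printf("exact check:  slice=%d token=%d\n", slice_accepted(check_exact), check_exact(LINES[1]));
    return 0;
}
```

Because the file holds more than token entries, keeping tokens in a dedicated store and comparing whole records is the more robust fix; the length filter here only approximates that separation.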

Related

| Reporter | Title | Published | Family |
|---|---|---|---|
| CNVD | Circle with Disney Authentication Bypass Vulnerability | 2 Nov 2017 00:00 | cnvd |
| CVE | CVE-2017-2914 | 7 Nov 2017 16:00 | cve |
| Cvelist | CVE-2017-2914 | 7 Nov 2017 16:00 | cvelist |
| EUVD | EUVD-2017-12055 | 7 Oct 2025 00:30 | euvd |
| NVD | CVE-2017-2914 | 7 Nov 2017 16:29 | nvd |
| Prion | Authentication flaw | 7 Nov 2017 16:29 | prion |
| Talos | Circle with Disney Apid Strstr Authentication Bypass Vulnerability | 31 Oct 2017 00:00 | talos |
| Talos Blog | Vulnerability Spotlight: The Circle of a Bug’s Life | 31 Oct 2017 12:04 | talosblog |
