Talos Intelligence - TALOS-2017-0372
Oct 31, 2017 - 12:00 a.m.

Circle with Disney Backup API Command Injection Vulnerability

2017-10-31 00:00:00
Talos Intelligence
www.talosintelligence.com

CVSS2: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

CVSS3: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

EPSS: 0.003
Percentile: 68.5%

Summary

An exploitable vulnerability exists in the /api/CONFIG/backup functionality of Circle with Disney. Specially crafted network packets can cause an OS command injection. An attacker can send an HTTP request to trigger this vulnerability.

Tested Versions

Circle with Disney

Product URLs

https://meetcircle.com/

CVSSv3 Score

9.9 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

Details

Vulnerable code exists in the backup API handler of the apid daemon ("/api/CONFIG/backup").

vulnerable code listing
.text:00415E10 loc_415E10:                              
.text:00415E10                 lui     $s0, 0x43
.text:00415E14                 jal     unlink
.text:00415E18                 addiu   $a0, $s0, (aMntSharesUs_15 - 0x430000)  # "/mnt/shares/usr/bin/backup.bin"
.text:00415E1C                 la      $s0, aMntSharesUs_15  # "/mnt/shares/usr/bin/backup.bin"
.text:00415E20                 lui     $a2, 0x43
.text:00415E24                 lui     $a3, 0x43
.text:00415E28                 li      $a1, 0x80        # maxlen
.text:00415E2C                 la      $a2, aScreate_backup  # "%screate_backup.sh %s %s"
.text:00415E30                 la      $a3, aMntSharesUs_16  # "/mnt/shares/usr/bin/scripts/"
.text:00415E34                 addiu   $a0, $sp, 0x21B0+var_F8  # s
.text:00415E38                 sw      $s0, 0x21B0+var_21A0($sp)
.text:00415E3C                 jal     snprintf
.text:00415E40                 sw      $s2, 0x21B0+var_219C($sp)
.text:00415E44                 jal     system

Looking at the pseudocode of the above, we see the following:

if (strncmp((char *)request_url, "/api/CONFIG/", 12) == 0) {
    if (strcmp((char *)(request_url + 12), "backup") == 0) {
        appid_value = get_param_from_url("appid", 1);
        if (appid_value != 0 && strlen((char *)appid_value) >= 20) {
            unlink("/mnt/shares/usr/bin/backup.bin");
            /* appid_value is only length-checked; its contents reach the shell unmodified */
            snprintf((char *)&cmd, 128, "%screate_backup.sh %s %s",
                     "/mnt/shares/usr/bin/scripts/",
                     "/mnt/shares/usr/bin/backup.bin", (char *)appid_value);
            system((char *)&cmd);
        }
    }
}

As we can see, the appid parameter, supplied by the user as a GET parameter, is passed directly to the system call without any sanitization, leading to command injection. This API is accessible to authenticated users, but taking into account the weak authentication vulnerability (TALOS-2017-0370/CVE-2017-2864), anyone can use this API.

An example of a URL that contains the command injection can look like this:

https://CIRCLE_IP:4567/api/CONFIG/backup?token=8CE2DAF0F3C9-iNvDFypBs0RXv2jy-20170621.085252&api=1.0&appid=AAAAAAAAAAAAAAAAAAAA;ls>/tmp/file_listing.txt

Notes: For proper separation of commands and parameters, a malicious user needs to use tabs instead of spaces.
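As an added illustration (not code from the advisory or from Circle), the same backup call rewritten so the user-supplied appid can never be interpreted by a shell: an allow-list check that keeps the advisory's 20-character minimum (the 64-character maximum and the character set are assumptions, since the real appid format is not documented), followed by execv() of the script with an argument vector instead of snprintf() + system().

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define SCRIPT    "/mnt/shares/usr/bin/scripts/create_backup.sh"
#define BACKUP    "/mnt/shares/usr/bin/backup.bin"
#define APPID_MIN 20  /* lower bound from the advisory's strlen() check */
#define APPID_MAX 64  /* upper bound is an assumption; the real format is undocumented */

/* Allow-list check: only [A-Za-z0-9_-], so ';', '>', spaces and tabs are rejected. */
int appid_is_valid(const char *appid)
{
    if (appid == NULL) return 0;
    size_t n = strlen(appid);
    if (n < APPID_MIN || n > APPID_MAX) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)appid[i];
        if (!(c >= 'A' && c <= 'Z') && !(c >= 'a' && c <= 'z') &&
            !(c >= '0' && c <= '9') && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

/* Hardened replacement for snprintf("%screate_backup.sh %s %s") + system(): the script
 * is exec'd with an argument vector, so no shell parses appid. Returns the child's
 * exit status, or -1 (errno set) when the input is rejected or spawning fails. */
int run_backup(const char *appid)
{
    if (!appid_is_valid(appid)) { errno = EINVAL; return -1; }
    unlink(BACKUP);  /* same pre-step as the original handler */
    char *const argv[] = { SCRIPT, BACKUP, (char *)appid, NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(SCRIPT, argv);
        _exit(127);  /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    printf("injected appid accepted: %d\n", appid_is_valid("AAAAAAAAAAAAAAAAAAAA;ls>/tmp/file_listing.txt"));
    printf("clean appid accepted:    %d\n", appid_is_valid("AAAAAAAAAAAAAAAAAAAA"));
    return 0;
}
```

The injected value from the advisory is rejected before any process is spawned, and even a value that passed the check would arrive in create_backup.sh as a single argv entry rather than as shell input.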

Timeline

2017-07-13 - Vendor Disclosure
2017-10-31 - Public Release
