Lucene search

Talos IntelligenceTALOS-2017-0388

HistoryOct 31, 2017 - 12:00 a.m.

Circle with Disney check_torlist.sh Update Code Execution Vulnerability

2017-10-3100:00:00

Talos Intelligence

www.talosintelligence.com

CVSS2

5.8

Attack Vector

ADJACENT_NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:A/AC:L/Au:N/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

40.7%

JSON

Summary

An exploitable vulnerability exists in the torlist update functionality of Circle with Disney running firmware 2.0.1. Specially crafted network packets can cause the product to run an attacker-supplied shell script. An attacker can intercept and alter network traffic to trigger this vulnerability.

Tested Versions

Circle with Disney 2.0.1

Product URLs

<https://meetcircle.com/>

CVSSv3 Score

9.6 - CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-73: External Control of File Name or Path

Details

Circle with Disney is a network device used to monitor and restrict internet use of children on a given network. When connected to a given network and configured, it immediately begins arp poisoning all other devices on the network, such that it can validate and restrict all traffic as is seen fit by the parent/administrator of the device.

Periodically, the device will query outbound towards the meetcircle.co domain, attempting to grab the latest list of known Tor addresses as a gunzipped tarball, shown below in the following snippet:

#!/bin/sh
MAC=`cat /tmp/MAC`;
TORVER=`cat /tmp/torlist.ver`
CIRCLE_ROOT=`cat /tmp/CIRCLE_ROOT`
rm -f /tmp/torlist.new.tgz
/tmp/wget -t 1 -T 30 -q -O /tmp/torlist.new.tgz "http://download.meetcircle.co/dev/firmware/get_torlist.php?      DEVID=$MAC&VER=$TORVER" || exit
if [ -s /tmp/torlist.new.tgz ]; then
    #sanity check tgz file size. size in kbytes
    gzsize=`du /tmp/torlist.new.tgz | cut -f 1`
    minsize=5
    if [ $gzsize -gt $minsize ]; then
        cd /tmp
        tar zxf /tmp/torlist.new.tgz
        if [ -s /tmp/torlist ]; then
            $CIRCLE_ROOT/ipsetload torlist /tmp/torlist
        fi
    fi
fi
rm -f /tmp/torlist.new.tgz

Unfortunately, since this wget request is not using HTTPS, it becomes trivial for an attacker to supply their own tarball, which would be extracted, allowing an attacker to overwrite any file in the “/tmp” directory. A sample exploit would be to zip up a script named ‘wget’, such that it would executed in subsequents run of this check_torlist.sh script, (which is scheduled via a cronjob).

Timeline

2017-08-02- Vendor Disclosure
2018-10-31 - Public Release

CVSS2

5.8

Attack Vector

ADJACENT_NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:A/AC:L/Au:N/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

40.7%

JSON

Related for TALOS-2017-0388