### Summary
An exploitable vulnerability exists in the /api/CONFIG/restore functionality of Circle with Disney running firmware 2.0.1. Specially crafted network packets can cause an OS command injection. An attacker can send an HTTP request to trigger this vulnerability.
### Tested Versions
Circle with Disney 2.0.1
### Product URLs
https://meetcircle.com/
### CVSSv3 Score
9.9 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
### CWE
CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
### Details
The vulnerable code exists in the restore API handler of the "apid" daemon ("/api/CONFIG/restore"), function `sub_417528`:
```
.text:004176A4 loc_4176A4:
.text:004176A4 lw $v0, (dword_44CB3C - 0x450000)($v0)
.text:004176A8 nop
.text:004176AC beqz $v0, loc_4177A8
.text:004176B0 li $v0, 1
.text:004176B4 beq $s4, $v0, loc_417860
.text:004176B8 lui $a0, 0x43
.text:004176BC jal strlen
.text:004176C0 addiu $a0, $s6, (byte_44CC40 - 0x450000)
.text:004176C4 sltiu $v0, 0x14
.text:004176C8 bnez $v0, loc_4177A8
.text:004176CC lui $v0, 0x45
.text:004176D0 la $v0, byte_44CC40 # appid
.text:004176D4 sw $v0, 0x200+var_1F0($sp)
.text:004176D8 lui $a2, 0x43
.text:004176DC li $v0, 0x42
.text:004176E0 lui $a3, 0x43
.text:004176E4 addiu $a0, $sp, 0x200+var_148
.text:004176E8 li $a1, 0x80
.text:004176EC la $a2, aSrestore_backu # "%srestore_backup.sh /tmp/postfile.bin %s %d"
.text:004176F0 la $a3, aMntSharesUs_19 # "/mnt/shares/usr/bin/scripts/"
.text:004176F4 jal snprintf
.text:004176F8 sw $v0, 0x200+var_1EC($sp)
.text:004176FC jal system
.text:00417700 addiu $a0, $sp, 0x200+var_148
```
Looking at the pseudocode of the whole function, we see the following:
```
if (memcmp(request_url, "/api/CONFIG/restore", 18) == 0)
    if (stat("/mnt/shares/usr/bin/app_list") == 0)
        if (auth_token[0] != 0 && check_token(auth_token))
            if (strlen(appid) > 20) {
                snprintf(cmd, 128, "%srestore_backup.sh /tmp/postfile.bin %s %d", "/mnt/shares/usr/bin/scripts/", appid, 66);
                system(cmd);
            }
```
As we can see, the `appid` parameter, coming from the user as a multipart parameter, is passed directly to the `system` call without any sanitization, leading to command injection. This API is accessible to authenticated users.
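To make the defect concrete, the following C example (added here; it is not code from the Circle firmware or from the advisory) places the advisory's `snprintf()` + `system()` pattern next to a hardened variant. The script path and format string are those quoted above; the function names, the `APPID_MAX` bound, the `[A-Za-z0-9_-]` allowlist and the use of `fork()`/`execv()` instead of `system()` are this example's own assumptions. The sample inputs in `main()` are constructed.

```c
/* Added example (not Circle firmware code): the advisory's shell-based
 * command construction next to an allowlisted, shell-free alternative. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define SCRIPTS_DIR "/mnt/shares/usr/bin/scripts/"  /* path quoted in the advisory */
#define APPID_MAX   64                               /* assumed bound, not from the page */

/* The vulnerable pattern: the request parameter is interpolated into a
 * shell command line, so any shell metacharacter in appid is interpreted
 * by /bin/sh when system() runs the string. Returns the snprintf length. */
int build_restore_cmd_unsafe(char *cmd, size_t cmdlen, const char *appid)
{
    return snprintf(cmd, cmdlen, "%srestore_backup.sh /tmp/postfile.bin %s %d",
                    SCRIPTS_DIR, appid, 66);
}

/* Allowlist check: 1..APPID_MAX characters drawn from [A-Za-z0-9_-].
 * Rejecting everything else is simpler and safer than trying to escape
 * shell metacharacters after the fact. */
int appid_is_valid(const char *appid)
{
    size_t n = strlen(appid);
    if (n == 0 || n > APPID_MAX) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)appid[i];
        if (!isalnum(c) && c != '_' && c != '-') return 0;
    }
    return 1;
}

/* Hardened variant: validate first, then exec the script with an argv
 * array. No shell parses the arguments, so appid can only ever be one
 * argument to the script. Returns -1 for rejected input or a fork/wait
 * failure, otherwise the child's exit status (127 if execv failed). */
int run_restore_safe(const char *appid)
{
    if (!appid_is_valid(appid)) return -1;
    char script[] = SCRIPTS_DIR "restore_backup.sh";
    char *const argv[] = { script, "/tmp/postfile.bin", (char *)appid, "66", NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(script, argv);
        _exit(127);              /* reached only if execv itself failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed inputs: one benign id and one carrying a shell separator. */
    const char *ids[] = { "backup-2017-08", "backup; echo injected" };
    char cmd[128];
    for (int i = 0; i < 2; i++) {
        build_restore_cmd_unsafe(cmd, sizeof cmd, ids[i]);
        printf("unsafe command line : %s\n", cmd);
        printf("allowlist verdict   : %s\n", appid_is_valid(ids[i]) ? "accept" : "reject");
    }
    return 0;
}
```

The important property is the second one: once the script is started through `execv()` with an argument vector, the allowlist is defence in depth rather than the only thing standing between a request parameter and a root shell.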
### Timeline
* 2017-08-29 - Vendor Disclosure
* 2017-10-31 - Public Release