### Summary
An exploitable vulnerability exists in the /api/CONFIG/backup functionality of Circle with Disney. Specially crafted network packets can cause an OS command injection. An attacker can send an HTTP request to trigger this vulnerability.
### Tested Versions
Circle with Disney
### Product URLs
https://meetcircle.com/
### CVSSv3 Score
9.9 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
### CWE
CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
### Details
Vulnerable code exists in the backup API handler of the apid daemon ("/api/CONFIG/backup").
Vulnerable code listing:
```
.text:00415E10 loc_415E10:
.text:00415E10 lui $s0, 0x43
.text:00415E14 jal unlink
.text:00415E18 addiu $a0, $s0, (aMntSharesUs_15 - 0x430000) # "/mnt/shares/usr/bin/backup.bin"
.text:00415E1C la $s0, aMntSharesUs_15 # "/mnt/shares/usr/bin/backup.bin"
.text:00415E20 lui $a2, 0x43
.text:00415E24 lui $a3, 0x43
.text:00415E28 li $a1, 0x80 # maxlen
.text:00415E2C la $a2, aScreate_backup # "%screate_backup.sh %s %s"
.text:00415E30 la $a3, aMntSharesUs_16 # "/mnt/shares/usr/bin/scripts/"
.text:00415E34 addiu $a0, $sp, 0x21B0+var_F8 # s
.text:00415E38 sw $s0, 0x21B0+var_21A0($sp)
.text:00415E3C jal snprintf
.text:00415E40 sw $s2, 0x21B0+var_219C($sp)
.text:00415E44 jal system
```
Looking at the pseudocode of the above, we see the following:
```
if (strncmp((char *)request_url, "/api/CONFIG/", 12) == 0) {
    if (strcmp((char *)(request_url + 12), "backup") == 0) {
        appid_value = get_param_from_url("appid", 1);
        if (appid_value != 0 && strlen((char *)appid_value) >= 20) {
            unlink("/mnt/shares/usr/bin/backup.bin");
            /* appid_value is formatted straight into the command line */
            snprintf((char *)&cmd, 128, "%screate_backup.sh %s %s", "/mnt/shares/usr/bin/scripts/",
                     "/mnt/shares/usr/bin/backup.bin", (char *)appid_value);
            /* the resulting string is handed to the shell unsanitized */
            system((char *)&cmd);
        }
    }
}
```
As we can see, the `appid` parameter supplied by the user as a GET parameter is passed directly to the `system` call without any sanitization, leading to command injection. This API is only accessible to authenticated users, but taking into account the weak authentication vulnerability (TALOS-2017-0370/CVE-2017-2864), anyone can use this API.
An example of a URL that contains the command injection looks like this:
```
https://CIRCLE_IP:4567/api/CONFIG/backup?token=8CE2DAF0F3C9-iNvDFypBs0RXv2jy-20170621.085252&api=1.0&appid=AAAAAAAAAAAAAAAAAAAA;ls>/tmp/file_listing.txt
```
Notes: For proper command/parameter separation, a malicious user needs to use tabs instead of spaces.
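To make the defect in the handler above concrete, the following is an added example (not code from the advisory or from the Circle firmware) that puts the vulnerable pattern next to a hardened replacement. It reuses the script and backup paths quoted in the advisory; the function names, the 20-to-64 character alphanumeric allow-list for `appid`, and the `fork`/`execv` launcher are assumptions chosen for illustration. The point is twofold: once `appid` is formatted into one string for `system()`, every shell metacharacter in it is interpreted, whereas validating the value against a strict allow-list and passing it as a single `argv` entry to the script keeps it inert data even when it contains `;` or tabs.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Paths as quoted in the advisory's disassembly. */
#define BACKUP_SCRIPT_DIR "/mnt/shares/usr/bin/scripts/"
#define BACKUP_SCRIPT     BACKUP_SCRIPT_DIR "create_backup.sh"
#define BACKUP_FILE       "/mnt/shares/usr/bin/backup.bin"

/* Vulnerable pattern (same shape as the handler): appid is formatted
 * into one command line that is destined for system(). Returns 1 if the
 * built string still carries a shell metacharacter, i.e. the injection
 * survived into the command. Hypothetical helper for illustration. */
int vulnerable_command_keeps_metachars(const char *appid)
{
    char cmd[128];
    snprintf(cmd, sizeof cmd, "%screate_backup.sh %s %s",
             BACKUP_SCRIPT_DIR, BACKUP_FILE, appid);
    /* system() would hand this whole string to /bin/sh -c */
    return strpbrk(cmd, ";|&`$<>\t\n") != NULL;
}

/* Hardened step 1: allow-list validation. The handler already requires
 * strlen(appid) >= 20; the 64-character upper bound and the alphanumeric
 * restriction are assumptions for this example. */
int appid_is_valid(const char *appid)
{
    if (appid == NULL)
        return 0;
    size_t n = strlen(appid);
    if (n < 20 || n > 64)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)appid[i]))
            return 0;
    return 1;
}

/* Hardened step 2: never go through a shell. The script is exec'd
 * directly and appid travels as a single argv element, so it can only
 * ever be one argument, never a second command. Returns -1 when the
 * value is rejected or the child cannot be started, otherwise the
 * child's exit status (127 if BACKUP_SCRIPT cannot be executed). */
int run_backup_hardened(const char *appid)
{
    if (!appid_is_valid(appid))
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { BACKUP_SCRIPT, BACKUP_FILE, (char *)appid, NULL };
        execv(BACKUP_SCRIPT, argv);
        _exit(127); /* exec failed: no shell was ever involved */
    }

    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample values: a clean appid and the advisory's injected one. */
    const char *clean = "AAAAAAAAAAAAAAAAAAAA";
    const char *injected = "AAAAAAAAAAAAAAAAAAAA;ls>/tmp/file_listing.txt";

    printf("vulnerable builder keeps metachars for injected appid: %d\n",
           vulnerable_command_keeps_metachars(injected));
    printf("allow-list accepts clean appid: %d, rejects injected appid: %d\n",
           appid_is_valid(clean), appid_is_valid(injected));
    printf("hardened launcher result for injected appid: %d\n",
           run_backup_hardened(injected));
    return 0;
}
```

The allow-list check is the part that matters most for review: even with `execv`, an attacker-controlled argument can still reach whatever `create_backup.sh` does with it, so the value is constrained before it is used at all. The length floor of 20 mirrors the `strlen(appid_value) >= 20` condition visible in the pseudocode; the remaining bounds are this example's own choice.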
### Timeline
* 2017-07-13 - Vendor Disclosure
* 2017-10-31 - Public Release
### CREDIT
Discovered by Marcin 'Icewall' Noga, Cory Duplantis, Yves Younan, Claudio Bozzato, Lilith Wyatt <(^_^)>, Aleksandar Nikolic, and Richard Johnson of Cisco Talos.