Circle with Disney check_circleservers Code Execution Vulnerability(CVE-2017-2882)

### Summary An exploitable vulnerability exists in the servers update functionality of Circle with Disney running firmware 2.0.1. Specially crafted network packets can cause the device to overwrite sensitive files, resulting in code execution. An attacker needs to impersonate a remote server in order to trigger this vulnerability. ### Tested Versions Circle with Disney 2.0.1 ### Product URLs https://meetcircle.com/ ### CVSSv3 Score 9.0 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H ### CWE CWE-73: External Control of File Name or Path ### Details Circle with Disney is a network device used to monitor internet use of children on a given network. A cronjob exists which executes the script "check_circleservers.sh" every 4 hours: ``` #!/bin/sh MAC=`cat /tmp/MAC`; VER=`cat /tmp/circleservers.ver` CIRCLE_ROOT=`cat /tmp/CIRCLE_ROOT` rm -f /tmp/circleservers.bin /tmp/circleserver.tgz /tmp/wget -q -t 1 -T 30 -O /tmp/circleservers.bin "http://download.meetcircle.co/dev/firmware/get_circleservers.php? DEVID=$MAC&VER=$VER" || exit if [ -s /tmp/circleservers.bin ]; then /tmp/aescrypt -d -p a801e2f7bd4104073a296dc5c63857cf -o /tmp/circleservers.tgz /tmp/circleservers.bin || exit [ -s /tmp/circleservers.tgz ] || exit cd /tmp/ tar zxf /tmp/circleservers.tgz if [ -s /tmp/circleservers ]; then $CIRCLE_ROOT/ipsetload circleservers /tmp/circleservers cp -f /tmp/circleservers $CIRCLE_ROOT/scripts/circleservers.list fi fi rm -f /tmp/circleservers.bin /tmp/circleservers.tgz ``` The script above downloads an encrypted tar archive using an HTTP request, which gets then decrypted and extracted in the "/tmp" directory. Since the encryption password is known and the http connection is not authenticated, an attacker able to impersonate the remote server could overwrite any file in the "/tmp" directory. Since the script itself executes "/tmp/aescrypt", one of the ways to exploit this bug is to overwrite "aescrypt" with a custom executable: this allows an attacker to execute arbitrary code on the next call of the script. ### Timeline * 2017-08-02 - Vendor Disclosure * 2017-10-31 - Public Release