An exploitable vulnerability exists in the generation of authentication token functionality of Circle with Disney. Specially crafted network packets can cause a valid authentication token to be returned to the attacker resulting in authentication bypass. An attacker can send a series of packets to trigger this vulnerability.
Circle with Disney
9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-639 - Authorization Bypass Through User-Controlled Key
Circle with Disney is a network device used to monitor internet use of children on a given network.
When making any request to the Circle, an authentication token must be provided. To request a token, a client specifies an appid, a unique string used to identify the client, as well as a hash, a SHA1 hash used to verify that the client should have access to the device. The only secret input is a 4-digit pin. The hash is calculated as follows:

hash = SHA1(appid + pin)

The client provides both the appid and the hash. Because the key space for the pin is only 10000, an attacker can easily brute force this pin to retrieve an authentication token. With the authentication token in hand, an attacker can make any available API call.
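The following added example (not the device's code, and with constructed sample values for the appid and pin) shows the derivation described above beside a hypothetical hardened issuer: the proof is keyed with a random pairing secret provisioned out of band, so the 4-digit pin is no longer the only secret, and failed requests per appid are counted and locked out so that online guessing is bounded.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample values; the real appid and pin formats are not on the page.
SAMPLE_APPID = "example-client"
SAMPLE_PIN = "4271"
WEAK_PIN_KEYSPACE = 10 ** 4  # a 4-digit pin is the only secret in the advisory's scheme


def weak_token_hash(appid: str, pin: str) -> str:
    """The derivation described in the advisory: SHA1(appid + pin).

    appid is chosen by the client, so the pin is the only unknown and at most
    10,000 candidate hashes exist for any given appid.
    """
    return hashlib.sha1((appid + pin).encode()).hexdigest()


def hardened_proof(pairing_secret: bytes, appid: str, pin: str) -> str:
    """Hypothetical replacement proof shared by client and server (not the product's API).

    HMAC-SHA256 keyed with a 256-bit pairing secret, with a delimiter between
    the fields so that concatenation is unambiguous.
    """
    msg = appid.encode() + b"\x00" + pin.encode()
    return hmac.new(pairing_secret, msg, hashlib.sha256).hexdigest()


class HardenedTokenIssuer:
    """Hypothetical server-side issuer: holds the configured pin and pairing secret."""

    MAX_FAILURES = 5  # wrong proofs allowed per appid before it is locked out

    def __init__(self, configured_pin: str, pairing_secret: Optional[bytes] = None):
        self.pin = configured_pin
        self.pairing_secret = pairing_secret or secrets.token_bytes(32)
        self.failures: Dict[str, int] = {}

    def request_token(self, appid: str, proof: str) -> Optional[str]:
        """Return a fresh random token, or None if the appid is locked or the proof is wrong."""
        if self.failures.get(appid, 0) >= self.MAX_FAILURES:
            return None  # locked out: stop serving this appid entirely
        expected = hardened_proof(self.pairing_secret, appid, self.pin)
        if not hmac.compare_digest(expected, proof):  # constant-time comparison
            self.failures[appid] = self.failures.get(appid, 0) + 1
            return None
        self.failures.pop(appid, None)
        return secrets.token_hex(32)
```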
Discovered by Cory Duplantis, Yves Younan, Marcin ‘Icewall’ Noga, Claudio Bozzato, Lilith Wyatt <(^_^)>, Aleksandar Nikolic, and Richard Johnson of Cisco Talos.