CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector string: AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile: 68.5%
An exploitable vulnerability exists in the /api/CONFIG/backup functionality of Circle with Disney. Specially crafted network packets can cause an OS command injection. An attacker can send an HTTP request to trigger this vulnerability.
Circle with Disney
9.9 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE-77: Improper Neutralization of Special Elements used in a Command ("Command Injection")
Vulnerable code exists in the backup API handler of the apid daemon ("/api/CONFIG/backup").
Vulnerable code listing:
.text:00415E10 loc_415E10:
.text:00415E10 lui $s0, 0x43
.text:00415E14 jal unlink
.text:00415E18 addiu $a0, $s0, (aMntSharesUs_15 - 0x430000) # "/mnt/shares/usr/bin/backup.bin"
.text:00415E1C la $s0, aMntSharesUs_15 # "/mnt/shares/usr/bin/backup.bin"
.text:00415E20 lui $a2, 0x43
.text:00415E24 lui $a3, 0x43
.text:00415E28 li $a1, 0x80 # maxlen
.text:00415E2C la $a2, aScreate_backup # "%screate_backup.sh %s %s"
.text:00415E30 la $a3, aMntSharesUs_16 # "/mnt/shares/usr/bin/scripts/"
.text:00415E34 addiu $a0, $sp, 0x21B0+var_F8 # s
.text:00415E38 sw $s0, 0x21B0+var_21A0($sp)
.text:00415E3C jal snprintf
.text:00415E40 sw $s2, 0x21B0+var_219C($sp)
.text:00415E44 jal system
Looking at the pseudocode of the above, we see the following:
if (strncmp((char *)request_url, "/api/CONFIG/", 12) == 0) {
    if (strcmp((char *)(request_url + 12), "backup") == 0) {
        appid_value = get_param_from_url("appid", 1);
        /* only a minimum length is enforced; the content of appid is never checked */
        if (appid_value != 0 && strlen((char *)appid_value) >= 20) {
            unlink("/mnt/shares/usr/bin/backup.bin");
            snprintf((char *)&cmd, 128, "%screate_backup.sh %s %s",
                     "/mnt/shares/usr/bin/scripts/",
                     "/mnt/shares/usr/bin/backup.bin", (char *)appid_value);
            /* the user-controlled appid reaches the shell unsanitized */
            system((char *)&cmd);
        }
    }
}
As we can see, the appid parameter, coming from the user as a GET parameter, is passed directly to the system call without any sanitization, leading to command injection. This API is accessible to authenticated users, but taking into account the weak authentication vulnerability (TALOS-2017-0370/CVE-2017-2864), anyone can use this API.
An example of a URL that contains the command injection can look like this:
https://CIRCLE_IP:4567/api/CONFIG/backup?token=8CE2DAF0F3C9-iNvDFypBs0RXv2jy-20170621.085252&api=1.0&appid=AAAAAAAAAAAAAAAAAAAA;ls>/tmp/file_listing.txt
Notes: For proper command/parameter separation, a malicious user needs to use tabs instead of spaces.
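A hardened version of the backup handler's invocation, as an added example in C that is not Circle's code: the backup output path is the one from the advisory, while appid_is_valid and run_backup are hypothetical names. It replaces the >= 20 length check with a strict allowlist and the snprintf/system pair with fork/execv, so a tab- or semicolon-separated appid is rejected before any shell could parse it.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <sys/wait.h>
#include <unistd.h>

#define APPID_LEN 20
#define BACKUP_OUT "/mnt/shares/usr/bin/backup.bin"

/* Strict allowlist for appid: exactly APPID_LEN ASCII alphanumerics.
 * The original handler only required strlen(appid) >= 20, so ';', '>'
 * and tab characters travelled into the shell command line untouched. */
int appid_is_valid(const char *appid)
{
    if (appid == NULL)
        return 0;
    /* Bounded scan: stop as soon as the input is longer than allowed. */
    int n = 0;
    while (n <= APPID_LEN && appid[n] != '\0')
        n++;
    if (n != APPID_LEN)
        return 0;
    for (int i = 0; i < APPID_LEN; i++) {
        if (!isalnum((unsigned char)appid[i]))
            return 0;
    }
    return 1;
}

/* Run the backup script with fork/execv instead of system(): each argv
 * entry reaches the script as one argument, so no shell ever parses
 * appid. Returns the child's exit status, or -1 when appid is rejected
 * or the process cannot be started. (run_backup is a hypothetical name.) */
int run_backup(const char *script, const char *appid)
{
    if (!appid_is_valid(appid))
        return -1;
    char *const argv[] = { (char *)script, BACKUP_OUT, (char *)appid, NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(script, argv);
        _exit(127);             /* exec failed in the child */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```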
2017-07-13 - Vendor Disclosure
2017-10-31 - Public Release