Vulnerabilities > CVE-2017-2881 - Unspecified vulnerability in Meetcircle Circle With Disney Firmware 2.0.1
Attack vector
ADJACENT_NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL low complexity
meetcircle
Summary
An exploitable vulnerability exists in the torlist update functionality of Circle with Disney running firmware 2.0.1. Specially crafted network packets can cause the product to run an attacker-supplied shell script. An attacker can intercept and alter network traffic to trigger this vulnerability.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| OS | 1 | |
| Hardware | 1 |
Seebug
| bulletinFamily | exploit |
| description | ### Summary An exploitable vulnerability exists in the torlist update functionality of Circle with Disney running firmware 2.0.1. Specially crafted network packets can cause the product to run an attacker-supplied shell script. An attacker can intercept and alter network traffic to trigger this vulnerability. ### Tested Versions Circle with Disney 2.0.1 ### Product URLs https://meetcircle.com/ ### CVSSv3 Score 9.6 - CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H ### CWE CWE-73: External Control of File Name or Path ### Details Circle with Disney is a network device used to monitor and restrict internet use of children on a given network. When connected to a given network and configured, it immediately begins arp poisoning all other devices on the network, such that it can validate and restrict all traffic as is seen fit by the parent/administrator of the device. Periodically, the device will query outbound towards the meetcircle.co domain, attempting to grab the latest list of known Tor addresses as a gunzipped tarball, shown below in the following snippet: ``` #!/bin/sh MAC=`cat /tmp/MAC`; TORVER=`cat /tmp/torlist.ver` CIRCLE_ROOT=`cat /tmp/CIRCLE_ROOT` rm -f /tmp/torlist.new.tgz /tmp/wget -t 1 -T 30 -q -O /tmp/torlist.new.tgz "http://download.meetcircle.co/dev/firmware/get_torlist.php? DEVID=$MAC&VER=$TORVER" || exit if [ -s /tmp/torlist.new.tgz ]; then #sanity check tgz file size. size in kbytes gzsize=`du /tmp/torlist.new.tgz | cut -f 1` minsize=5 if [ $gzsize -gt $minsize ]; then cd /tmp tar zxf /tmp/torlist.new.tgz if [ -s /tmp/torlist ]; then $CIRCLE_ROOT/ipsetload torlist /tmp/torlist fi fi fi rm -f /tmp/torlist.new.tgz ``` Unfortunately, since this wget request is not using HTTPS, it becomes trivial for an attacker to supply their own tarball, which would be extracted, allowing an attacker to overwrite any file in the "/tmp" directory. A sample exploit would be to zip up a script named 'wget', such that it would executed in subsequents run of this check_torlist.sh script, (which is scheduled via a cronjob). ### Timeline * 2017-08-02- Vendor Disclosure * 2018-10-31 - Public Release |
| id | SSV:96820 |
| last seen | 2017-11-19 |
| modified | 2017-11-08 |
| published | 2017-11-08 |
| reporter | Root |
| title | Circle with Disney check_torlist.sh Update Code Execution Vulnerability(CVE-2017-2881) |
Talos
| id | TALOS-2017-0388 |
| last seen | 2019-05-29 |
| published | 2017-10-31 |
| reporter | Talos Intelligence |
| source | http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0388 |
| title | Circle with Disney check_torlist.sh Update Code Execution Vulnerability |