Vulnerabilities > CVE-2017-2884 - Resource Exhaustion vulnerability in Meetcircle Circle With Disney Firmware 2.0.1

047910
CVSS 7.8 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
COMPLETE
network
low complexity
meetcircle
CWE-400

Summary

An exploitable vulnerability exists in the user photo update functionality of Circle with Disney running firmware 2.0.1. A repeated set of specially crafted API calls can cause the device to corrupt essential memory, resulting in a bricked device. An attacker needs network connectivity to the device to trigger this vulnerability.

Vulnerable Configurations

Part Description Count
OS
Meetcircle
1
Hardware
Meetcircle
1

Common Attack Pattern Enumeration and Classification (CAPEC)

  • XML Ping of the Death
    An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.
  • XML Entity Expansion
    An attacker submits an XML document to a target application where the XML document uses nested entity expansion to produce an excessively large output XML. XML allows the definition of macro-like structures that can be used to simplify the creation of complex structures. However, this capability can be abused to create excessive demands on a processor's CPU and memory. A small number of nested expansions can result in an exponential growth in demands on memory.
  • Inducing Account Lockout
    An attacker leverages the security functionality of the system aimed at thwarting potential attacks to launch a denial of service attack against a legitimate system user. Many systems, for instance, implement a password throttling mechanism that locks an account after a certain number of incorrect log in attempts. An attacker can leverage this throttling mechanism to lock a legitimate user out of their own account. The weakness that is being leveraged by an attacker is the very security feature that has been put in place to counteract attacks.
  • Violating Implicit Assumptions Regarding XML Content (aka XML Denial of Service (XDoS))
    XML Denial of Service (XDoS) can be applied to any technology that utilizes XML data. This is, of course, most distributed systems technology including Java, .Net, databases, and so on. XDoS is most closely associated with web services, SOAP, and Rest, because remote service requesters can post malicious XML payloads to the service provider designed to exhaust the service provider's memory, CPU, and/or disk space. The main weakness in XDoS is that the service provider generally must inspect, parse, and validate the XML messages to determine routing, workflow, security considerations, and so on. It is exactly these inspection, parsing, and validation routines that XDoS targets. There are three primary attack vectors that XDoS can navigate Target CPU through recursion: attacker creates a recursive payload and sends to service provider Target memory through jumbo payloads: service provider uses DOM to parse XML. DOM creates in memory representation of XML document, but when document is very large (for example, north of 1 Gb) service provider host may exhaust memory trying to build memory objects. XML Ping of death: attack service provider with numerous small files that clog the system. All of the above attacks exploit the loosely coupled nature of web services, where the service provider has little to no control over the service requester and any messages the service requester sends.

Seebug

bulletinFamilyexploit
description### Summary An exploitable vulnerability exists in the user photo update functionality of Circle with Disney running firmware 2.0.1. A repeated set of specially crafted API calls can cause the device to corrupt essential memory, resulting in a bricked device. An attacker needs network connectivity to the device to trigger this vulnerability. ### Tested Versions Circle with Disney 2.0.1 ### Product URLs https://meetcircle.com/ ### CVSSv3 Score 7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H ### CWE CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion') ### Details The apid binary is a web server listening on the Disney Circle, that serves as the main API for user functionality. Through the apid server, all configurations and queries are made from the 'Circle Home' application for the administrator's phone. Naturally, the unimportant API calls are run without authentication, whilst the critical API calls require a specific token, one that is unique to each phone that has synced to the Circle with the administrator app. However there is one API call that behaves slightly different. The '/api/UPDATE/users/user/photo' API call requires authentication as expected, however there is an extra action taken by the server in preparation for the photo upload, which is passed via HTTP POST params. Since the server needs to parse the POST parameters regardless of the photo, it allocates a new buffer to deal with the rest of the POST parameters. An example follows: ``` POST /api/UPDATE/users/user/photo HTTP/1.1 Host: 192.168.1.1:4567 Connection: keep-alive Accept-Encoding: gzip, deflate Accept: */* User-Agent: python-requests/2.17.3 Content-Length: 92 Content-Type: application/x-www-form-urlencoded a=1%3C%28%5E_%5E%29%3E&photo%3Dboop%2612&test=12345678 ``` For the above example, it finds the first occurrence of 'photo=' (photo%3D) and then the first occurrence of “&” after that. Every character outside of those boundaries count towards the new allocation. ``` .text:00415144 la $a1, aApiUpdateUsers # "/api/UPDATE/users/user/photo" .text:00415148 jal strcmp .text:0041514C sb $zero, byte_499B98 .text:00415150 bnez $v0, loc_4154A8 .text:00415154 lui $s6, 0x43 .text:00415158 lw $v1, 0x21B0+arg_10($sp) .text:0041515C nop .text:00415160 beqz $v1, loc_4154A8 .text:00415164 lui $a1, 0x43 .text:00415168 move $a0, $v1 # haystack .text:0041516C jal strstr .text:00415170 la $a1, aPhoto # "photo=" .text:00415174 beqz $v0, loc_4154A4 .text:00415178 move $s6, $v0 .text:0041517C move $a0, $v0 # s .text:00415180 jal strchr .text:00415184 li $a1, 0x26 # c .text:00415188 lw $v1, 0x21B0+arg_10($sp) .text:0041518C move $s7, $v0 .text:00415190 beqz $v0, loc_415AA4 .text:00415194 subu $fp, $s6, $v1 .text:00415198 sb $zero, 0($v0) .text:0041519C jal strlen .text:004151A0 addiu $a0, $v0, 1 # s .text:004151A4 sw $v0, 0x21B0+var_30($sp) .text:004151A8 .text:004151A8 loc_4151A8: # CODE XREF: api_parse:loc_415AA4#j .text:004151A8 lw $v1, 0x21B0+var_30($sp) .text:004151AC nop .text:004151B0 addu $a0, $fp, $v1 .text:004151B4 jal malloc .text:004151B8 addiu $a0, 1 # size ``` Thus, if an attacker sends POST parameters with an extremely large number of characters, the behavior of the Circle starts to get unreliable. As much as a descriptive and detailed explanation would be satisfying, it can only suffice to say that the device gets bricked, somewhat. The LED will start blinking, and then device will reboot. The only ways back in are through ethernet (10.123.234.1 or IPV6), if you happen to have credentials, or through the console port. Regardless the Circle will be missing its /dev/sda flash drive, effectively rendering the device into a bare bones MIPS board with around 40 MB of space. ### Timeline * 2017-08-02- Vendor Disclosure * 2017-10-31 - Public Release
idSSV:96822
last seen2017-11-19
modified2017-11-09
published2017-11-09
reporterRoot
titleCircle with Disney Apid Photo Upload Denial of Service Vulnerability(CVE-2017-2884)

Talos

idTALOS-2017-0391
last seen2019-05-29
published2017-10-31
reporterTalos Intelligence
sourcehttp://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0391
titleCircle with Disney Apid Photo Upload Denial of Service Vulnerability