Vulnerabilities > CVE-2017-2898 - Race Condition vulnerability in Meetcircle Circle With Disney Firmware 2.0.1
Attack vector
NETWORK Attack complexity
HIGH Privileges required
LOW Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
An exploitable vulnerability exists in the signature verification of the firmware update functionality of Circle with Disney. Specially crafted network packets can cause an unsigned firmware to be installed in the device resulting in arbitrary code execution. An attacker can send a series of packets to trigger this vulnerability.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| OS | 1 | |
| Hardware | 1 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Leveraging Race Conditions This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance a race condition can occur while accessing a file, the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
- Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.
Seebug
| bulletinFamily | exploit |
| description | ### Summary An exploitable vulnerability exists in the signature verification of the firmware update functionality of Circle with Disney. Specially crafted network packets can cause an unsigned firmware to be installed in the device resulting in arbitrary code execution. An attacker can send a series of packets to trigger this vulnerability. ### Tested Versions Circle with Disney 2.0.1 ### Product URLs https://meetcircle.com/ CVSSv3 Score 9.9 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H ### CWE CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition ### Details Circle with Disney is a network device used to monitor internet use of children on a given network. Circle provides an API command to update its firmware, which is usually used by the "Circle Home App" installed on the device administrator's phone. The API command is "/api/UPLOAD_FIRMWARE" and is handled by the `apid` binary in function `sub_417528`. At high level, the function works as follow: ``` if "/api/UPLOAD_FIRMWARE" in url_string if substr(source_ip, 10) != "10.123.234" return "Bad source address in multipart post" save_postfilebin() if check_token() if system("/mnt/shares/usr/bin/scripts/install_firmware.sh /tmp/postfile.bin") system("/mnt/update_firmware.sh &") ``` The function ensures that the request comes from the network "10.123.234", then saves the uploaded firmware to "/tmp/postfile.bin" and continues the update using shell scripts. The "install_firmware.sh" contains the following code: ``` #!/bin/sh ... CIRCLE_ROOT=`cat /tmp/CIRCLE_ROOT` if [ -s $1 ]; then cd /mnt; rm -f update_firmware.sh; rm -f /mnt/firmware.bin; cp -f $1 /mnt/firmware.bin if [ -f /mnt/firmware.bin ] ; then mount -o remount,rw,noatime,nodiratime /dev/sda3 /mnt #remount to remove sync aescrypt -d -o /mnt/firmware.tar.gz /mnt/firmware.bin $CIRCLE_ROOT/fwverify /mnt/firmware.tar.gz > /tmp/tmp.out || exit 1; grep "Verified signature" /tmp/tmp.out > /dev/null || exit 1 gunzip -c /mnt/firmware.tar.gz | tar xf - rm -f /mnt/firmware.tar.gz ... ``` First the firmware is decrypted using `aescrypt` resulting in a tar archive with a 0x200 bytes signature at its end. Then this archive is verified using `fwverify` and if the output contains "Verified signature" then the archive is extracted in "/mnt", allowing for overwriting most of the device binaries. `aescrypt` performs a symmetric AES encryption and can be used by an attacker to create custom firmware images by using the switch "-e" in place of "-d". Moreover, since the signature verification and the update operations are not executed atomically, a race condition exists which could allow an attacker to supply an unsigned firmware that will be flashed without verification ([A] and [B] are used to refer to two parallel requests): ``` 1- [A] Attacker sends an original and correctly signed firmware image 2- [A] aescrypt decrypts the image in /mnt/firmware.tar.gz 3- [A] fwverify reads /mnt/firmware.tar.gz and starts the verification process 4- [B] Attacker sends a custom, non signed firmware image 5- [B] aescrypt decrypts the image in /mnt/firmware.tar.gz 6- [A] fwverify completes the verification process, which outputs "Verified signature" 7- [A] grep succeeds and /mnt/firmware.tar.gz (from request B) is extracted in /mnt ``` ### Timeline * 2017-08-30 - Vendor Disclosure * 2017-10-31 - Public Release |
| id | SSV:96825 |
| last seen | 2017-11-19 |
| modified | 2017-11-09 |
| published | 2017-11-09 |
| reporter | Root |
| source | https://www.seebug.org/vuldb/ssvid-96825 |
| title | Circle with Disney Firmware Update Signature Check Bypass Vulnerability(CVE-2017-2898) |
Talos
| id | TALOS-2017-0405 |
| last seen | 2019-05-29 |
| published | 2017-10-31 |
| reporter | Talos Intelligence |
| source | http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0405 |
| title | Circle with Disney Firmware Update Signature Check Bypass Vulnerability |