Vulnerabilities > CVE-2017-2913 - Improper Certificate Validation vulnerability in Meetcircle Circle With Disney Firmware 2.0.1

047910
CVSS 5.9 - MEDIUM
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
HIGH
Availability impact
NONE
network
high complexity
meetcircle
CWE-295

Summary

An exploitable vulnerability exists in the filtering functionality of Circle with Disney. SSL certificates for specific domain names can cause the Bluecoat library to accept a different certificate than intended. An attacker can host an HTTPS server with this certificate to trigger this vulnerability.

Vulnerable Configurations

Part Description Count
OS
Meetcircle
1
Hardware
Meetcircle
1

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Creating a Rogue Certificate Authority Certificate
    An attacker exploits a weakness in the MD5 hash algorithm (weak collision resistance) to generate a certificate signing request (CSR) that contains collision blocks in the "to be signed" part. The attacker specially crafts two different, but valid X.509 certificates that when hashed with the MD5 algorithm would yield the same value. The attacker then sends the CSR for one of the certificates to the Certification Authority which uses the MD5 hashing algorithm. That request is completely valid and the Certificate Authority issues an X.509 certificate to the attacker which is signed with its private key. An attacker then takes that signed blob and inserts it into another X.509 certificate that the attacker generated. Due to the MD5 collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the attackers' second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority. To make the attack more interesting, the second certificate could be not just a regular certificate, but rather itself a signing certificate. Thus the attacker is able to start their own Certification Authority that is anchored in its root of trust in the legitimate Certification Authority that has signed the attackers' first X.509 certificate. If the original Certificate Authority was accepted by default by browsers, so will now the Certificate Authority set up by the attacker and of course any certificates that it signs. So the attacker is now able to generate any SSL certificates to impersonate any web server, and the user's browser will not issue any warning to the victim. This can be used to compromise HTTPS communications and other types of systems where PKI and X.509 certificates may be used (e.g., VPN, IPSec) .

Seebug

bulletinFamilyexploit
description### Summary An exploitable vulnerability exists in filtering functionality of Circle with Disney. SSL certificates for specific domain names can cause the Bluecoat library to accept a different certificate than intended. An attacker can host an HTTPS server with this certificate to trigger this vulnerability. ### Tested Versions Circle with Disney 2.0.1 ### Product URLs https://meetcircle.com/ ### CVSSv3 Score 8.1 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H ### CWE CWE-300: Channel Accessible by Non-Endpoint ('Man-in-the-Middle') ### Details Circle with Disney is a network device used to monitor and restrict internet use of children on a given network. When connected to a given network and configured, it immediately begins arp poisoning all filtered devices on the network, such that it can validate and restrict all traffic as is seen fit by the parent/administrator of the device. Libbluecoat.so is a shared library linked into the timetracker and filterd binaries within the Disney Circle, and is the communications mechanism through which the Disney Circle can talk to the Blue Coat Systems API. If the Circle doesn't know what to do with a given DNS name or IP address that has been requested by a filtered device, it will ask the Blue Coat infrastructure, and take the appropriate action as determined by Blue Coat. Whenever a new destination address is seen, and it is not found within the local 'bluecache' (a custom hash table cache stored on the device) libbluecoat will query outbound to find the designated action, and then cache the result. The timetracker and filterd services act on different network activities, however the end result is the same. In total, they end up covering TCP, UDP, and the IP protocols used for VPNs, ESP and GRE. It's also worth noting that there are more product specific codeflows, such as one for the Google Mobilizer Proxy. In more detail, both binaries call the same library function, `bluecoat_query`, which leads to the main control flow, inside of the `do_bluecoat_query` function. This function sets up an SSL connection to sp.cwfservice.net, a Blue Coat Systems controlled domain, and then does a rather simple request. ``` aGet2RSCmiCircl:.ascii "GET /2/R/%s/CMI-CIRCLE01/0/GET/dns/%s/80/ HTTP/1.1\r\n" .rodata:000048D8 .ascii "User-Agent: Circle \r\n" .rodata:000048D8 .ascii "Host: http://sp.cwfservice.net\r\n" .rodata:000048D8 .ascii "\r\n"<0> ``` Where by the first '%s' is the unique mac address of the Circle making the request, and the second '%s' is the DNS name in question, which could potentially be some sensitive information. Regardless, backing up a little bit, there is some SSL validation that occurs before this information is ever transmitted. ``` do_bluecoat_query+228 la $t9, X509_get_subject_name do_bluecoat_query+22C move $a0, $v0 do_bluecoat_query+230 jalr $t9 ; X509_get_subject_name [1] do_bluecoat_query+234 sb $zero, 0x618+X509_oneline_dst_buff($sp) do_bluecoat_query+238 lw $gp, 0x618+var_600($sp) do_bluecoat_query+23C addiu $s0, $sp, 0x618+X509_oneline_dst_buff do_bluecoat_query+240 la $t9, X509_NAME_oneline do_bluecoat_query+244 move $a1, $s0 do_bluecoat_query+248 move $a0, $v0 do_bluecoat_query+24C jalr $t9 ; X509_NAME_oneline [3] do_bluecoat_query+250 li $a2, 0x400 do_bluecoat_query+254 lw $gp, 0x618+var_600($sp) ``` As shown at [1] libbluecoat.so gets the X509 subject name of the certificate, and then at [2], uses this to call X509NAMEoneline, which grabs a lot of the information from the certificate attributes, joins it all into one line, and then stores it into a buffer on the stack [3] of max size 0x400. An example return string might be: ``` /C=US/ST=Sad/L=boop/O=<(^_^)>/CN=boopdoop.net ``` While the interesting behavior of the X509NAMEoneline can lead to some other vulnerabilites, like including the string `'CN=*.sp.cwfservice.net”` inside of another attribute ( For a great writeup of this: [https://langui.sh/2016/01/29/x509-name-oneline/])(https://langui.sh/2016/01/29/x509-name-oneline/) ) , however, due to reasons mentioned a little further down, the binary was not vulnerable to this, as we could not get a certificate signed by the specific CA to be formed as such. However, due to how they actually check the Common Name attribute of the SSL cert, the binary was left vulnerable to another attack vector: ``` do_bluecoat_query+23C addiu $s0, $sp, 0x618+X509_oneline_dst_buff [...] do_bluecoat_query+258 move $a0, $s0 # haystack [1] do_bluecoat_query+25C li $a1, 0 do_bluecoat_query+260 la $t9, strstr do_bluecoat_query+264 nop do_bluecoat_query+268 jalr $t9 ; strstr [3] do_bluecoat_query+26C addiu $a1, aCnSp_cwfservic # "CN=sp.cwfservice.net" [2] do_bluecoat_query+270 lw $gp, 0x618+var_600($sp) do_bluecoat_query+274 beqz $v0, loc_2B88 do_bluecoat_query+278 nop do_bluecoat_query+27C li $fp, 0x10000 do_bluecoat_query+280 nop do_bluecoat_query+284 lw $v0, (x509_store_initialized_15360 - 0x10000)($fp) do_bluecoat_query+288 nop do_bluecoat_query+28C beqz $v0, loc_28A0 do_bluecoat_query+290 nop do_bluecoat_query+294 li $v1, 0x10000 do_bluecoat_query+298 nop # Cert already inited do_bluecoat_query+29C sw $v1, 0x618+var_30($sp) do_bluecoat_query+2A0 ``` Picking up from where we left off, we continue from immediately after the X509NAMEoneline() function call [1], with the X509NAMEonline string stored in $s0. This string is compared is compared against “CN=sp.cwfservice.net” [2], with the strstr() function [3], which returns a pointer to the first match of register $a1 in $a0 (and NULL otherwise). Since this is the only check upon the Common Name attribute, it becomes possible to bypass this check by buying the following domain: `cwfservice.network`. The return value from X509onelinename will look as such: ``` "/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=sp.cwfservice.network” ``` And then the resulting call to strstr will return `CN=sp.cwfservice.network`. It should be cautioned that certificate presented by the MITM server needs to have its trust chain signed by the Entrust CA. The binary has a CA DER-encoded cert chain located inside that is read into memory and then utilized to validate the outbound SSL connection. ### Timeline * 2017-08-29 - Vendor Disclosure * 2017-10-31 - Public Release
idSSV:96813
last seen2017-11-19
modified2017-11-08
published2017-11-08
reporterRoot
titleCircle with Disney libbluecoat.so SSL TLD MITM Vulnerability(CVE-2017-2913)

Talos

idTALOS-2017-0420
last seen2019-05-29
published2017-10-31
reporterTalos Intelligence
sourcehttp://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0420
titleCircle with Disney libbluecoat.so SSL TLD MITM Vulnerability