CVE-2017-2913
An exploitable vulnerability exists in filtering functionality of Circle with Disney. SSL certificates for specific domain names can cause the Bluecoat library to accept a different certificate than intended. An attacker can host an HTTPS server with this certificate to trigger this vulnerability.
Circle with Disney 2.0.1
8.1 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-300: Channel Accessible by Non-Endpoint (‘Man-in-the-Middle’)
Circle with Disney is a network device used to monitor and restrict internet use of children on a given network. When connected to a given network and configured, it immediately begins arp poisoning all filtered devices on the network, such that it can validate and restrict all traffic as is seen fit by the parent/administrator of the device.
Libbluecoat.so is a shared library linked into the timetracker and filterd binaries within the Disney Circle, and is the communications mechanism through which the Disney Circle can talk to the Blue Coat Systems API. If the Circle doesn’t know what to do with a given DNS name or IP address that has been requested by a filtered device, it will ask the Blue Coat infrastructure, and take the appropriate action as determined by Blue Coat. Whenever a new destination address is seen, and it is not found within the local ‘bluecache’ (a custom hash table cache stored on the device) libbluecoat will query outbound to find the designated action, and then cache the result. The timetracker and filterd services act on different network activities, however the end result is the same. In total, they end up covering TCP, UDP, and the IP protocols used for VPNs, ESP and GRE. It’s also worth noting that there are more product specific codeflows, such as one for the Google Mobilizer Proxy.
In more detail, both binaries call the same library function, bluecoat_query, which leads to the main control flow, inside of the do_bluecoat_query function. This function sets up an SSL connection to sp.cwfservice.net, a Blue Coat Systems controlled domain, and then does a rather simple request.
aGet2RSCmiCircl:.ascii "GET /2/R/%s/CMI-CIRCLE01/0/GET/dns/%s/80/ HTTP/1.1\r\n"
.rodata:000048D8 .ascii "User-Agent: Circle \r\n"
.rodata:000048D8 .ascii "Host: http://sp.cwfservice.net\r\n"
.rodata:000048D8 .ascii "\r\n"<0>
Where by the first ‘%s’ is the unique mac address of the Circle making the request, and the second ‘%s’ is the DNS name in question, which could potentially be some sensitive information.
Regardless, backing up a little bit, there is some SSL validation that occurs before this information is ever transmitted.
do_bluecoat_query+228 la $t9, X509_get_subject_name
do_bluecoat_query+22C move $a0, $v0
do_bluecoat_query+230 jalr $t9 ; X509_get_subject_name [1]
do_bluecoat_query+234 sb $zero, 0x618+X509_oneline_dst_buff($sp)
do_bluecoat_query+238 lw $gp, 0x618+var_600($sp)
do_bluecoat_query+23C addiu $s0, $sp, 0x618+X509_oneline_dst_buff
do_bluecoat_query+240 la $t9, X509_NAME_oneline
do_bluecoat_query+244 move $a1, $s0
do_bluecoat_query+248 move $a0, $v0
do_bluecoat_query+24C jalr $t9 ; X509_NAME_oneline [3]
do_bluecoat_query+250 li $a2, 0x400
do_bluecoat_query+254 lw $gp, 0x618+var_600($sp)
As shown at [1] libbluecoat.so gets the X509 subject name of the certificate, and then at [2], uses this to call X509_NAME_oneline, which grabs a lot of the information from the certificate attributes, joins it all into one line, and then stores it into a buffer on the stack [3] of max size 0x400. An example return string might be:
`/C=US/ST=Sad/L=boop/O=<(^_^)>/CN=boopdoop.net`
While the interesting behavior of the X509_NAME_oneline can lead to some other vulnerabilites, like including the string ‘CN=*.sp.cwfservice.net” inside of another attribute ( For a great writeup of this: [https://langui.sh/2016/01/29/x509-name-oneline/])(https://langui.sh/2016/01/29/x509-name-oneline/) ) , however, due to reasons mentioned a little further down, the binary was not vulnerable to this, as we could not get a certificate signed by the specific CA to be formed as such.
However, due to how they actually check the Common Name attribute of the SSL cert, the binary was left vulnerable to another attack vector:
do_bluecoat_query+23C addiu $s0, $sp, 0x618+X509_oneline_dst_buff
[...]
do_bluecoat_query+258 move $a0, $s0 # haystack [1]
do_bluecoat_query+25C li $a1, 0
do_bluecoat_query+260 la $t9, strstr
do_bluecoat_query+264 nop
do_bluecoat_query+268 jalr $t9 ; strstr [3]
do_bluecoat_query+26C addiu $a1, aCnSp_cwfservic # "CN=sp.cwfservice.net" [2]
do_bluecoat_query+270 lw $gp, 0x618+var_600($sp)
do_bluecoat_query+274 beqz $v0, loc_2B88
do_bluecoat_query+278 nop
do_bluecoat_query+27C li $fp, 0x10000
do_bluecoat_query+280 nop
do_bluecoat_query+284 lw $v0, (x509_store_initialized_15360 - 0x10000)($fp)
do_bluecoat_query+288 nop
do_bluecoat_query+28C beqz $v0, loc_28A0
do_bluecoat_query+290 nop
do_bluecoat_query+294 li $v1, 0x10000
do_bluecoat_query+298 nop # Cert already inited
do_bluecoat_query+29C sw $v1, 0x618+var_30($sp)
do_bluecoat_query+2A0
Picking up from where we left off, we continue from immediately after the X509_NAME_oneline() function call [1], with the X509_NAME_online string stored in $s0. This string is compared is compared against “CN=sp.cwfservice.net” [2], with the strstr() function [3], which returns a pointer to the first match of register $a1 in $a0 (and NULL otherwise).
Since this is the only check upon the Common Name attribute, it becomes possible to bypass this check by buying the following domain: cwfservice.network.
The return value from X509_oneline_name will look as such:
"/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=sp.cwfservice.network”
And then the resulting call to strstr will return CN=sp.cwfservice.network.
It should be cautioned that certificate presented by the MITM server needs to have its trust chain signed by the Entrust CA. The binary has a CA DER-encoded cert chain located inside that is read into memory and then utilized to validate the outbound SSL connection.
2017-08-29 - Vendor Disclosure
2017-10-31 - Public Release
Discovered by Lilith Wyatt and Claudio Bozzato of Cisco Talos.