CVE-2017-12094
An exploitable vulnerability exists in the WiFi Channel parsing of Circle with Disney running firmware 2.0.1. A specially crafted SSID can cause the device to execute arbitrary sed commands. An attacker needs to setup an access point reachable by the device to trigger this vulnerability.
Tested Versions: Circle with Disney 2.0.1
CVSS Score: 7.4 - CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CWE-77: Improper Neutralization of Special Elements used in a Command (‘Command Injection’)
Circle with Disney is a network device used to monitor internet use of children on a given network.
At the end of the boot process, the script “/mnt/shares/usr/bin/startcircle” is executed. The script configures NTP, network interfaces, firewall rules and starts cronjobs.
Part of the script configures an Access Point, which is actually useful only for the initial configuration of the device.
...
# [1]
$DIR/scripts/aplist_create.sh
# [2]
best_ch=`awk 'BEGIN{max=-1000;} /Channel:/{ch=$4} /Signal/{s=$2+0; if (s>max){ max=s; maxch=ch}} END{print maxch}' /tmp/ap_list.out`
[ "x$best_ch" != "x" ] && {
echo $best_ch > /tmp/current_channel
# [3]
sed -i "s/channel=.*/channel=$best_ch/g" /tmp/hostapd.conf
}
...
At [1] the script calls aplist_create.sh, which has the following contents:
#!/bin/sh
ifconfig ra0 up
iwinfo ra0 scan > /tmp/ap_list.out # [4]
`iwinfo` [4] prints a list of Access Points detected by `ra0`; every entry has the following form:
Cell 01 - Address: 11:22:33:44:55:66
ESSID: "valid-ssid"
Mode: Master Channel: 1
Signal: -22 dBm Quality: 70/70
Encryption: WPA2 PSK (CCMP)
After creating “ap_list.out” at [1], the startup script selects the channel that has the best signal. The channel is extracted as a string, using awk with its default field separators [2]. Finally, at [3] the channel is used in a sed substitution command, without any sanitization.
An SSID field in an 802.11 frame has a maximum length of 32 bytes and can contain any character. Moreover, iwinfo prints the characters found in the SSID without escaping. This means that an attacker may use an SSID containing new-line characters to add arbitrary lines to the iwinfo output. This allows an attacker to control the channel string returned by awk, which gets passed to sed at [3].
The following proof of concept shows how to freeze the box on startup by broadcasting a specific SSID. The box will need manual power-cycling to boot again.
$ cat << 'EOF' > hostapd.conf
interface=wlan0
channel=1
ssid2=P"Channel: x /;:x/g;bx #Signal"
EOF
$ hostapd -B ./hostapd.conf
The SSID above is injected into the sed substitution command. Since semicolons are not escaped, they can be used to inject a new sed command.
In this example the injection creates an infinite loop by defining an “x/g” label and by jumping to it using “bx/g” (the ending “/g” is added by Circle’s script at [3]).
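As an added defensive illustration (not Circle's script), the following shell shows the original awk selection beside a hardened version that only trusts the "Mode:"/"Signal:" lines and allow-lists the extracted value as a small integer before it reaches sed. The scan text, file layout and function names are constructed for this example.

```sh
#!/bin/sh
# Added example, not Circle's code: pick the strongest channel from iwinfo-style scan
# output and refuse to pass anything but a small integer to sed. Assumes the
# "Mode: ... Channel: N" / "Signal: -NN dBm" layout shown in the advisory.

# Constructed scan output; the second cell broadcasts the advisory's PoC SSID.
SAMPLE_SCAN='Cell 01 - Address: 11:22:33:44:55:66
          ESSID: "valid-ssid"
          Mode: Master  Channel: 6
          Signal: -40 dBm  Quality: 50/70
Cell 02 - Address: 66:55:44:33:22:11
          ESSID: "Channel: x /;:x/g;bx #Signal"
          Mode: Master  Channel: 1
          Signal: -22 dBm  Quality: 70/70'

# Original selection logic: any line containing "Channel:" or "Signal" is trusted,
# so the ESSID line above poisons the result.
naive_best_channel() {
    printf '%s\n' "$1" | awk 'BEGIN{max=-1000;} /Channel:/{ch=$4} /Signal/{s=$2+0; if (s>max){ max=s; maxch=ch}} END{print maxch}'
}

# Hardened parsing: only lines whose first field is the expected keyword count,
# so SSID content (which iwinfo prints verbatim) is never interpreted.
parse_best_channel() {
    printf '%s\n' "$1" | awk 'BEGIN{max=-1000; maxch=""}
        $1=="Mode:" && $3=="Channel:" {ch=$4}
        $1=="Signal:" && $3=="dBm"    {s=$2+0; if (s>max){max=s; maxch=ch}}
        END{print maxch}'
}

# Allow-list check: a channel is a 1-3 digit number, nothing else (no ';', '/', newlines).
is_valid_channel() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ ${#1} -le 3 ] && [ "$1" -ge 1 ] && [ "$1" -le 196 ]
}

# Prints the validated channel, or fails so the caller leaves the config untouched.
safe_best_channel() {
    ch=$(parse_best_channel "$1")
    is_valid_channel "$ch" || return 1
    printf '%s\n' "$ch"
}

# Rewrite channel= in the hostapd config ($2) only with a value that passed the allow-list.
apply_channel() {
    ch=$(safe_best_channel "$1") || return 1
    sed "s/^channel=.*/channel=$ch/" "$2" > "$2.tmp" && mv "$2.tmp" "$2"
}
```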
2017-09-20 - Vendor Disclosure
2017-10-31 - Public Release
Discovered by Claudio Bozzato and Lilith Wyatt <(^_^)> of Cisco Talos.