SecurityTracker.com
Category: Application (Generic) > Kismet
Vendors: Kershaw, Mike
Kismet Wireless Network Sniffing Software May Let Local Users Gain Root Access or Remote Users Execute Arbitrary Code on the System
SecurityTracker Alert ID: 1004408
CVE Reference: GENERIC-MAP-NOMATCH
Date: May 29 2002
Impact: Execution of arbitrary code via network, Root access via local system, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 2.2.1 and prior versions
Description:  Two vulnerabilities were reported in the Kismet wireless network sniffer software. A remote user may be able to execute arbitrary code on the system. A local user may be able to gain root access on the system.

According to the report, the exploitability of these flaws has not yet been confirmed. However, both the vendor and the author of the report consider the bugs to be potentially exploitable.

It is reported that a remote user could supply an 'essid' that contains certain characters (e.g., pipe, backtick) to cause the Kismet SayText() function to execute arbitrary commands on the system. This is apparently due to the lack of input validation on the 'essid' network name. SayText() builds a shell command line that embeds the user-supplied 'essid' and hands it to system(), so shell metacharacters in a remotely supplied 'essid' are interpreted by the shell and any embedded commands are executed.

The vulnerable function is reportedly called in kismet_server.cc and kismet_curses.cc, where Festival text (for text-to-speech) is passed to the function.

A demonstration exploit 'essid' is provided:

ESSID:"`/bin/sh -c id`"

According to the report, not all systems will allow these special characters in the 'essid' value.

No details were provided on the local root hole, other than a note that it is a buffer overflow invoked by command line.

Impact:  A remote user may be able to execute arbitrary system commands on the system. A local user may be able to gain root level privileges on the system.
Solution:  The vendor has issued a fixed version (2.2.2) addressing both vulnerabilities, available at:

http://www.kismetwireless.net/download.shtml

Vendor URL:  www.kismetwireless.net/
Cause:  Boundary error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any)
Reported By:  KF <dotslash@snosoft.com>
Message History:   None.


Source Message Contents

Date:  Wed, 29 May 2002 00:49:55 -0400
From:  KF <dotslash@snosoft.com>
Subject:  New Kismet Packages available - SayText() and suid kismet_server issues

 

I have discovered 2 potentially exploitable holes in the wireless 
sniffer package Kismet. Both issues have been addressed by the author. I 
am in the process of determining if the local command line overflow is 
exploitable or not. The other issue may be dependent on whether your OS will 
allow you to specify an essid containing a backtick or a pipe char.

http://www.kismetwireless.net/CHANGELOG

May 28 2002  2.2.2  !! 2.2.2 released - fixes potentially exploitable remote
                       hole in Festival saytext. !!
May 27 2002  2.2.1  !! 2.2.1 released - potentially exploitable local root
                       hole fixed !!

http://www.kismetwireless.net/code/kismet-2.2.2.tar.gz
http://www.kismetwireless.net/code/kismet-2.2.2.diff
> Possible remote code execution via SayText() function of Kismet wireless
> sniffer
>
> If your OS allows essids to contain ` or | and it allows you to broadcast
> them... then this could be used to help abuse someone's wireless sniffer.
>
> Kismet does the following
>
> // Fork and run a system call to play a sound
> void SayText(string player, string text) {
>     char snd_call[1024];
>
>     snprintf(snd_call, 1024, "echo '(SayText \"%s\")' | %s &",
>              text.c_str(),
>              player.c_str());
>
>     if (system(snd_call) < 0) {
>     ...
>
> so if my network name is `/bin/sh -c rm -rf ~` then that's a problem
>
> This function is called in 2 places....
>
> ./kismet_server.cc:    snprintf(snd_call, 1024, "echo '(SayText \"%s\")' | %s &", text.c_str(),
> ./kismet_server.cc:                    SayText(festival, text);
> ./kismet_curses.cc:void SayText(string player, string text) {
> ./kismet_curses.cc:    snprintf(snd_call, 1024, "echo '(SayText \"%s\")' | %s >/dev/null 2>/dev/null &", text.c_str(),
> ./kismet_curses.cc:                    SayText(festival, text);
>
> My linux box appears to be able to supply an essid with a backtick
> [root@localhost root]# iwconfig eth0 essid "\`/bin/sh -c id\`"
> [root@localhost root]# iwconfig eth0
> eth0      IEEE 802.11-DS  ESSID:"`/bin/sh -c id`"  Nickname:"Prism I"
>           Mode:Managed  Frequency:42.9497GHz  Access Point: 44:44:44:44:44:44
>           Bit Rate:2Mb/s   Tx-Power=15 dBm   Sensitivity:1/3
>           Retry min limit:8   RTS thr:off   Fragment thr:off
>           Encryption key:off
>           Power Management:off
>
> This is to prove the theory... I think since iwconfig lets it happen
> above this is a valid test. My apple base station would NOT allow ` or |
> in its network name so this is all I can do to test this theory.
>
> in kismet_server.c make the following change.
>
>     snprintf(text, 100, "New %s network '%s' detected.",
>              (info.wep ? "En-crypted" : "Un-en-crypted"),
>              //info.ssid);
>              "`/bin/sh -c id`");
>
> upon firing up the server I was greeted by festival in a british accent
> saying "U I D equals zero G I D equals zero ..." once I detected a valid
> network.
> again this would require you to create a valid packet with the info.ssid
> set to your command enclosed in backticks. Above I forced this data...
>
> This could be a nice form of reverse warfare for "Wardrivers" using
> kismet. have fun
>
>  -KF
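The following is an added example, not code from the SecurityTracker page, from KF's message, or from the Kismet project. It puts the SayText() pattern described in the advisory and quoted above (an ESSID pasted into a shell command line and passed to system()) beside a hardened replacement that never lets a shell see the network name: the player binary is exec'd directly and the Festival command is written to its stdin over a pipe, with only the two characters that matter inside a Festival/Scheme string literal (double quote and backslash) escaped. A small metacharacter check is included for logging or alerting on hostile beacons. All function names, the escaping rule, and the assumption that the player is a single executable name with no arguments are this example's own; in main(), `cat` stands in for festival so the line is echoed rather than spoken.

```c
/* Added example (not Kismet's code): the SayText() pattern from the report
 * beside a hardened replacement that never hands the ESSID to a shell.
 * Function names and the escaping rule are this example's own assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* 1. The pattern from the report: the ESSID is pasted into a shell command
 *    line. Reproduced here only to show what the shell would see; the
 *    resulting string is never passed to system(). */
int build_saytext_command(char *out, size_t n, const char *player, const char *text) {
    int len = snprintf(out, n, "echo '(SayText \"%s\")' | %s &", text, player);
    return (len < 0 || (size_t)len >= n) ? -1 : len;
}

/* 2. Defensive check: does a network name contain characters a POSIX shell
 *    would interpret? Returns 1 if so, 0 otherwise. Useful for alerting. */
int essid_has_shell_meta(const char *essid) {
    return strpbrk(essid, "`|;&$(){}<>\"'\\\n") != NULL;
}

/* 3. Escape text for a Festival/Scheme string literal: only '"' and '\'
 *    are special there. Returns bytes written, or -1 if out is too small. */
int festival_escape(char *out, size_t n, const char *text) {
    size_t j = 0;
    for (const char *p = text; *p; p++) {
        if (*p == '"' || *p == '\\') {
            if (j + 2 >= n) return -1;   /* room for escape, char and NUL */
            out[j++] = '\\';
        } else if (j + 1 >= n) {
            return -1;
        }
        out[j++] = *p;
    }
    out[j] = '\0';
    return (int)j;
}

/* 4. Write the (SayText "...") command to a file descriptor (the player's
 *    stdin). No shell is involved, so backticks and pipes are plain text. */
int write_saytext(int fd, const char *text) {
    char escaped[4096];
    if (festival_escape(escaped, sizeof escaped, text) < 0) return -1;
    char line[4200];
    int len = snprintf(line, sizeof line, "(SayText \"%s\")\n", escaped);
    if (len < 0 || (size_t)len >= sizeof line) return -1;
    return write(fd, line, (size_t)len) == len ? 0 : -1;
}

/* 5. Hardened SayText: fork, exec the player binary directly (no /bin/sh),
 *    feed it the command over a pipe. Returns the player's exit status,
 *    or -1 on failure. */
int say_text_safe(const char *player, const char *text) {
    int fds[2];
    if (pipe(fds) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                       /* child: stdin <- pipe, exec player */
        close(fds[1]);
        dup2(fds[0], STDIN_FILENO);
        close(fds[0]);
        execlp(player, player, (char *)NULL);
        _exit(127);
    }
    close(fds[0]);                        /* parent: write command, wait */
    int rc = write_saytext(fds[1], text);
    close(fds[1]);
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (rc < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    const char *hostile = "`/bin/sh -c id`";   /* the ESSID from the report */
    char cmd[1024];
    build_saytext_command(cmd, sizeof cmd, "festival", hostile);
    printf("shell would see : %s\n", cmd);
    printf("has shell meta  : %d\n", essid_has_shell_meta(hostile));
    /* With cat standing in for festival, the line is echoed verbatim and
     * nothing inside the backticks is executed. */
    return say_text_safe("cat", hostile) == 0 ? 0 : 1;
}
```

The key design choice is that the fix does not try to strip or blacklist characters from the ESSID (which would have to anticipate every shell's quoting rules); it removes the shell from the path entirely and escapes for the one interpreter that still parses the text, Festival's Scheme reader. essid_has_shell_meta() is kept only as a detection signal for operators who want to log beacons that look crafted.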


Copyright 2002, SecurityGlobal.net LLC