UPDATE: A critical security flaw has been identified in a component of the latest version of Backtrack, a popular version of Linux that is used by security professionals for penetration testing. The flaw is in WICD, an open source utility that can be used to manage networks in Linux operating systems.
The previously undiscovered privilege escalation hole was disclosed in a post on the Web site of the Infosec Institute. It was discovered by a student taking part in an InfoSec Institute Ethical Hacking class, according to the post.
“The student in our ethical hacking class that found the 0day was using backtrack and decided to fuzz the program, as well as look through the source code,” wrote Jack Koziol, the Security Program Manager at the InfoSec Institute. “He found that he could overwrite config settings and gain a root shell.”
The security flaw was discovered in a component known as the Wireless Interface Connection Daemon (or WICD). The latest version of Backtrack and some other Linux distributions do a poor job “sanitizing” (or filtering) inputs to the WICD DBUS (Desktop Bus) interface – a component that allows different applications to communicate with each other. That means that attackers can push invalid configuration options to DBUS, which are then written to a WICD wireless settings configuration file. The improper settings could include scripts or executables that would be run when certain events occur – such as the user connecting to a wireless network, according to the post, whose author asked to remain anonymous.
Any scripts or executables would run with the privileges of the root user, which could lead to arbitrary code or command execution by an attacker with access to the WICD DBUS interface, the Infosec Institute warned.
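To make the flaw class described above concrete, the following is an added, constructed Python illustration (not WICD's code and not the InfoSec Institute's patch or exploit): a settings writer that takes an option value over an IPC interface and appends it to a key=value configuration file, shown in its unsanitized form beside a hardened one, plus the audit check an administrator would run over such a file. The option names, values and paths are hypothetical.

```python
# Constructed illustration of unsanitized IPC input landing in a settings file.
# Option names, values and paths below are hypothetical, not WICD's.
import configparser

# Hypothetical option whose value is executed (as root) on a connect event.
SCRIPT_HOOKS = {"connect_script"}


def write_setting_unsafe(existing: str, option: str, value: str) -> str:
    """Vulnerable pattern: the value is written verbatim, so a newline inside
    it lets the caller smuggle a second, unrelated option into the file."""
    return existing + f"{option} = {value}\n"


def write_setting_safe(existing: str, option: str, value: str) -> str:
    """Hardened pattern: script hooks cannot be set through this interface at
    all, and values with line breaks or other control characters are refused."""
    if option in SCRIPT_HOOKS:
        raise ValueError(f"{option!r} may not be set via the IPC interface")
    if not value.isprintable():  # rejects \n, \r, \0 and similar
        raise ValueError("value contains forbidden control characters")
    return existing + f"{option} = {value}\n"


def parse(cfg: str) -> dict:
    """Parse the file the way the daemon would (one per-network block)."""
    p = configparser.ConfigParser(interpolation=None)
    p.read_string("[network]\n" + cfg)
    return dict(p["network"])


def audit_script_hooks(cfg: str) -> dict:
    """Defender check: list every script-hook option present so each one can
    be confirmed as deliberately configured rather than injected."""
    return {k: v for k, v in parse(cfg).items() if k in SCRIPT_HOOKS}


if __name__ == "__main__":
    # Constructed malicious value: a network name with an injected hook line.
    injected = "HomeNet\nconnect_script = /PLACEHOLDER/attacker_chosen_path"
    unsafe_cfg = write_setting_unsafe("", "essid", injected)
    print("unsafe writer produced hooks:", audit_script_hooks(unsafe_cfg))
    try:
        write_setting_safe("", "essid", injected)
    except ValueError as e:
        print("safe writer rejected it:", e)
```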
Backtrack Linux is an open source project that is maintained by the Backtrack Community. It is widely used by security professionals for penetration testing of networks. Rather than powering laptops or servers, Backtrack is a platform for running a wide range of pen testing tools and is often loaded from an external source, such as a DVD or thumb drive. Backtrack 5 R2 was released on March 1, 2012. The previous version, Backtrack 4, was downloaded over four million times, according to the Backtrack Web site. Other Linux distributions that include WICD are some versions of Slackware, Debian and Gentoo, among others.
However, Koziol says that the rapid evolution of the platform has also created more opportunity for attackers to break the operating system.
“It is a very popular OS for security people, and is really a great package. They do have a lot of programs installed on the OS now though, with quite a big attack surface, including the vulnerable wireless network card manager, wicd,” Koziol wrote in an e-mail.
InfoSec Institute has created a patch for the privilege escalation hole, as well as a proof of concept exploit. Both are available on the group’s Web site.
Koziol advised Backtrack users, and those using other Linux distributions that are vulnerable to the wicd 0day, in a multi-user environment to apply the InfoSec Institute's patch.
“It is an open source patch, you can see exactly what is being patched, and clearly extremely low risk using our patch.”
Users who aren't running it in a multi-user environment could wait for an official patch, which is expected shortly.
This post was updated on April 13 to include new information and clarify that the flaw is not just in Backtrack Linux.