Critical Flaw Found In WICD Component in Some Versions of Linux

UPDATE: A critical security flaw has been identified in a component of the latest version of Backtrack, a popular version of Linux that is used by security professionals for penetration testing. The flaw is in WICD, an open source utility that can be used to manage networks in Linux operating systems.


The previously undiscovered privilege escalation hole was disclosed in a post on the Web site of the Infosec Institute. It was discovered by a student taking part in an InfoSec Institute Ethical Hacking class, according to the post.

“The student in our ethical hacking class that found the 0day was using backtrack and decided to fuzz the program, as well as look through the source code,” wrote Jack Koziol, the Security Program Manager at the InfoSec Institute. “He found that he could overwrite config settings and gain a root shell.”

The security flaw was discovered in a component known as the Wireless Interface Connection Daemon (or WICD). The latest version of Backtrack and some other Linux distributions do a poor job “sanitizing” (or filtering) inputs to the WICD DBUS (Desktop Bus) interface – a component that allows different applications to communicate with each other. That means that attackers can push invalid configuration options to DBUS, which are then written to a WICD wireless settings configuration file. The improper settings could include scripts or executables that would be run when certain events occur – such as the user connecting to a wireless network, according to the post, whose author asked to remain anonymous.

Any scripts or executables would run with the privileges of the root user, which could lead to arbitrary code or command execution by an attacker with access to the WICD DBUS interface, the Infosec Institute warned.
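An added illustration of the mitigation described above, written for this page and not taken from WICD's own code: a property setter that stores whatever arrives over the IPC interface is contrasted with one that allowlists property names and rejects control characters before anything reaches the line-oriented configuration file. The property names, the hook keys and the file layout are constructed for the example.

```python
import re

# Constructed example: these names stand in for a daemon's wireless settings and
# for the hook keys it runs as root on events such as connecting to a network.
# They are not WICD's real property names.
HOOK_KEYS = frozenset({"connect_script", "disconnect_script"})
USER_SETTABLE = frozenset({"essid", "channel", "encryption_method", "use_dhcp"})

# Printable ASCII only, bounded length: rejects newlines and control characters
# so a value cannot smuggle an extra "key = value" line into the config file.
_SAFE_VALUE = re.compile(r"^[\x20-\x7e]{0,256}$")


def unsafe_set_property(config: dict, key: str, value: str) -> None:
    """Vulnerable pattern: trusts the caller and stores whatever it is given."""
    config[key] = value


def safe_set_property(config: dict, key: str, value: str) -> bool:
    """Hardened pattern: allowlisted keys only, clean values only.

    Returns True if the setting was stored and False if it was rejected; the
    hook keys are never settable through the unprivileged interface.
    """
    if key in HOOK_KEYS or key not in USER_SETTABLE:
        return False
    if not _SAFE_VALUE.fullmatch(value):
        return False
    config[key] = value
    return True


def render_ini(section: str, config: dict) -> str:
    """Serialise settings as the "key = value" block a daemon would write to disk."""
    lines = [f"[{section}]"]
    lines.extend(f"{k} = {v}" for k, v in config.items())
    return "\n".join(lines) + "\n"


def parse_ini(text: str) -> dict:
    """Read the block back the way a naive daemon would: one key per line."""
    result = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith("["):
            k, v = line.split("=", 1)
            result[k.strip()] = v.strip()
    return result
```

Because the file format is line-oriented, the length and character checks matter as much as the key allowlist: a single stray newline in a value would otherwise become a new key on the next line.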

Backtrack Linux is an open source project that is maintained by the Backtrack Community. It is widely used by security professionals for penetration testing of networks. Rather than powering laptops or servers, Backtrack is a platform for running a wide range of pen testing tools and is often loaded from an external source, such as a DVD or thumb drive. Backtrack 5 R2 was released on March 1, 2012. The previous version, Backtrack 4, was downloaded over four million times, according to the Backtrack Web site. Other Linux distributions that include WICD are some versions of Slackware, Debian and Gentoo, among others.

However, Koziol says that the rapid evolution of the platform has also created more opportunity for attackers to break the operating system. 

“It is a very popular OS for security people, and is really a great package. They do have a lot of programs installed on the OS now though, with quite a big attack surface, including the vulnerable wireless network card manager, wicd,” Koziol wrote in an e-mail.

InfoSec Institute has created a patch for the privilege escalation hole, as well as a proof of concept exploit. Both are available on the group’s Web site.

Koziol advised Backtrack users, and users of other Linux distributions that are vulnerable to the wicd 0day, who run in a multi-user environment to apply the InfoSec Institute patch.

“It is an open source patch, you can see exactly what is being patched, and clearly extremely low risk using our patch.”

Users who aren’t using it in a multi user environment could wait for an official patch, which is expected shortly. 

This post was updated on April 13 to include new information and clarify that the flaw is not just in Backtrack Linux.


Discussion

  • Anonymous on

    You need to be able to send arbitrary Dbus messages, so you need either local access or to remotely compromise the system (in which case you already won). This article is ridiculous and much ado about nothing.
  • Anonymous on

    What crappy reporting. Did you even look to see if there is an official response at all?

    Check out the backtrack forums for a discussion about this:

    1) The title of this vulnerability should probably be "WICD Priv Escalation". As such, it should probably be reported to the WICD developers, as opposed to the BackTrack development team. If you still felt the bug report should be posted to us, the right place to post it would be "BackTrack bugs" (although it is not), or even better, our redmine ticket system.

    2) Giving the pre-requisites for the exploit to function would be helpful. In this case, you would need to create a non root user in BackTrack, have a remote attacker access BT with that non privileged account or have an unprivileged shell from a previous attack against another service, and then have that user attempt to connect to a wireless access point (assuming wicd is running as root). This is far from the default configuration in BackTrack, which further negates the title of this vulnerability.

    3) Making a mountain out of a molehill for the purpose of promoting a product or service is generally frowned upon by the security industry, especially when one already has a bad reputation. 

    4) Once this bug is tended to by the WICD developers, we will use their official patch rather than patching our packages using untrusted sources.

  • Anonymous on

    wicd team rates the vulnerability as critical:

    bugs.launchpad.net/wicd/+bug/979221

    Version 1.7.2 patches the bug within 8 hours of the 0day being released:

    launchpad.net/wicd/+announcement/9888

    Sure get a fast response with full disclosure of 0day! 

  • Who Cares on

    Backtrack sucks royal d***. Honestly, who really cares what packages are vulnerable. If you don't want to be vulnerable to failsauce, then don't use Backtrack. It's as simple as that. Try installing your own flavor of linux and personalize it with the tools you actually need. Not installed with a bunch of tools that a bunch of tools claim you need. Pro Tip: Even if you are a lazy f***, try and use a more appropriate distro like Pentoo. The more important question is who is the backtrack dev that posted that ridiculous comment as anonymous? Got ballz? My guess is this was pure_hate since he is known to flamboyantly whine behind closed doors about people who hate on Backtrack.

  • Anonymous on

    Just Downloaded R2 and Now im Deleting It 

     

  • Anonymous on

    what does it means "priv escalation" in a distro where the default user is ROOT ? O.O

  • Steve on

    Well this site doesn't seem to know what a real story is ...

     

  • Anonymous (No not that one...) on

    >:)

  • Anonymous on

    haha looks to me like InfoSec trying to get recognition for their CEH course..

    Certified Ethical Hacker.. what a joke!!!

  • Anonymous on

    Mac's get hacked and now it's Linux's turn, two major upsets in one week

  • PuZZleDucK on

    It does seem a bit odd to label this a "Backtrack" flaw when it is an acknowledged (even in the text of your article!!!) "WICD" flaw present in dozens of distributions. The distribution affected the least must be Backtrack (runs as root anyway, generally from removable media in a single user scenario)

  • footz79 on

    As someone who has taken an Infosec Institute class, I second the thought that they were just doing this for attention. These guys are bottom feeders.

  • Sean on

    The effort put in to this story is pathetic.

    Making the jump from WICD privilege escalation flaw to discussing BackTrack specifically is misleading. The flaw exists in WICD, which is not exclusive to Backtrack. You say this in the article, yet you continue to talk specifically about the BackTrack distribution. Why not focus on the real source of the problem, those who develop WICD?

    I get it, a story about a security flaw in a security testing distribution is much more interesting than a security flaw in a tool that is available to a much wider audience than security pros/novices/etc.

    Try harder.

    PS: Since you decided to focus on BackTrack, you could have at least given your readers this tip: If you are running BackTrack and still find this story interesting or informative, you should probably know that unless you created a new user account (and granted it basic privileges), you are already root. This means that attempting to escalate your privileges is nonsensical.
