Student stiffs penetration tool BackTrack Linux with 0-day
A student has discovered a critical vulnerability in BackTrack, a flavour of Linux that’s a favourite among security pros.
The previously undiscovered (hence zero-day) privilege escalation bug in the network penetration-testing distro was discovered during an ethical hacking class organised by the InfoSec Institute.
Jack Koziol, security programme manager at the institute, explained that the bug in Backtrack 5 R2 (the latest version) allowed the student to overwrite settings to gain a root shell. The flaw was found in wicd (the Wireless Interface Connection Daemon), which has not been tested for “potential remote exploitation vectors” according to Koziol.
The security flaw was discovered during fuzzing, which is a technique that lobs random or unexpected data at software to trigger vulnerabilities. While it’s unclear if it could be exploited remotely, it still needs fixing.
The security bug stems from a failure to sanitise user inputs, a deficiency that creates a mechanism to start a given executable or script with root-level privileges on systems running the daemon, provided the hacker has local hands-on access.
“This 0-day exploit for BackTrack 5 R2 was discovered by a student in the InfoSec Institute ethical hacking class, during an evening capture-the-flag exercise,” Koziol explained. “The student wishes to remain anonymous, he has contributed a python version of the 0-day, a patch that can be applied to wicd, as well as a writeup detailing the discovery and exploitation process.”
More details, with a proof-of-concept exploit and patch can be found, on the institute’s website here.
Developers rated the bug “critical” and put out an advisory and an (official) patched version of wicd 1.7.2, which fixes the issue.
The cleverclogs who discovered the flaw enjoyed a breakfast of champions, Koziol explained.
“Usually the winner of the CTF exercise in the ethical hacking course gets a free InfoSec polo shirt, and the instructor buys him or her a beer. This guy was so excited he found the bug he stayed up all night making an exploit and patch and ended up having the beer for breakfast the day after while the rest of the class ate pancakes.” ®