0-day in Backtrack Linux found, patched
Posted on 12 April 2012.
A zero-day vulnerability affecting the last version of Backtrack Linux has been spotted by a student during an Ethical Hacking class organized by the InfoSec Institute.

The discovery was made public on InfoSec's own website and detailed by the student himself, who says that the Wireless Interface Connection Daemon (WICD) Backtrack components has several design flaws that can be misused to execute a privilege escalation exploit.

"Improper sanitization of the inputs in the WICD's DBUS interfaces allows an attacker to (semi)arbitrarily write configuration options in WICD's 'wireless-settings.conf' file, including but not limited to defining scripts (executables actually) to execute upon various internal events (for instance upon connecting to a wireless network)," he explained.

"These scripts execute as the root user, this leads to arbitrary code/command execution by an attacker with access to the WICD DBUS interface as the root user."

The student and the InfoSec team immediately started on working on a proof-of-concept exploit and the patch for the vulnerability, all of which is provided on the group's site.

Backtrack is a Linux distribution popular with penetration testers all over the world because it comes preloaded with hundreds of handy security tools. The vulnerability affects the latest version - Backtrack 5 R2.

Users can use the patch offered by the group or, better yet, update WICD to the new version (1.7.2) which fixes the vulnerability.

Update: The Backtrack team commented on this issue, read more here.






Spotlight

The role of the cloud in the modern security architecture

Posted on 31 July 2014.  |  Stephen Pao, General Manager, Security Business at Barracuda Networks, offers advice to CISOs concerned about moving the secure storage of their documents into the cloud and discusses how the cloud shaping the modern security architecture.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Fri, Aug 1st
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //