wicd Privilege Escalation 0Day
Tested against Backtrack 5, 5 R2, Arch distributions
 
Spawns a root shell. Has not been tested for potential remote exploitation vectors.

Discovered by a student that wishes to remain anonymous in the course CTF. This 0day exploit for Backtrack 5 R2 was discovered by a student in the InfoSec Institute Ethical Hacking class, during an evening CTF exercise. The student wishes to remain anonymous, he has contributed a python version of the 0day, a patch that can be applied to wicd, as well as a writeup detailing the discovery and exploitation process. You can find a python version of the exploit and full write up with patch here: http://www.infosecinstitute.com/courses/ethical_hacking_training.html

Right.

The comments here sum up my thoughts. Did they even notify the dev and give them an opportunity to fix it themselves? This doesn't seem to be setting a good example for the students.

I fully agree with OffSec's response

It seems that ISI have been criticised over how this was handled.  I recall there was a lengthy dispute between ISI and PVE about the origin of some course material last year.  I haven't been on any of their courses and this is merely an observation ... but is it a coincidence?

Dave Kennedy released a new version of SET today with a new addition to its license:


https://www.secmaniac.com/blog/2012/04/12/disallowing-infosec-institute-to-leverage-set/

Changing his license wasn't a diss on ISI's courses.  He's just looking for them to correct this mistake, and he's not satisfied with what's been done so far (judging from his tweets).

I would agree with that. But I would also counter that every news agency in the US is guilty of the same thing. But ultimately you guys are correct, ISI needs to take a close look at what happened here and what they can do to learn from it.

EDIT: they have modified the article above with the following statement:

"Update 4/12/12: The wicd team has released a new version that fixes this bug (CVE-2012-2095). The title of this advisory upon release has been, and always has been "wicd Privilege Escalation 0Day
Tested against Backtrack 5, 5 R2, Arch distributions". When we tweeted and emailed to mailing lists the notifications of this vulnerability, we incorrectly shortened the title and called it "Backtrack 5 R2 priv escalation 0day ", which is misleading and could lead people to believe the bug was actually in Backtrack. The bug has always resided in wicd and not in any Backtrack team written code. We apologize for the confusion to the Backtrack team and any other persons affected by this error. We feel the Backtrack distro is a great piece of software and wish muts and the rest of the team the best. "

I think everyone's patience with ISI is still a bit thin after the relatively recent Corelan debacle.


That still seems obviously intentional. You don't accidentally make the same mistake on Twitter, Full Disclosure, here, the Backtrack Forums, etc.

It seems like ISI has a disconnect between the business side and the technical experts. I've worked at organizations like that before, and it's extremely frustrating. I imagine the news of someone discovering a vulnerability while working with Backtracking making it to someone in marketing or upper management, and once that happens, it's out of control and becomes an internet-wide embarrassment. I think it's important to distinguish the business itself from the individual professionals that work there and not disparage them personally. This situation was likely out of their hands (and most probably didn't find out about it until it was tweeted, etc.).

At the same time, a good instructor or (hopefully original) courseware doesn't excuse these types of mistakes. This whole situation was handled horribly. "Backtrack" attention-grabbing aside, they tweeted that they emailed muts a week before they released the news. First, you only give vendors a week to address vulnerabilities? Second, since they apparently new this was nothing specific to Backtrack, why are they emailing muts at all? Did they ever provide any notification to the wicd developers?

I think the worst part of all this is that the student elected to remain anonymous because they rushed this story to the figurative newsstand. That guy or gal got completely screwed. Who wouldn't want a feather in their cap for finding an exploit and writing a POC, even if it is rather trivial? Why not work with the developer, wait for an official patch to be released, and then post the write-up? It's even more ridiculous because the wicd guys could crank this patch out quickly; it's not like they'd be looking at an 18-month ETA from Oracle. Was this really such earth-shattering news that it couldn't wait a couple weeks?

Also, while this particular vulnerability was a non-issue, is this the type of disclosure we can expect from ISI? What if it was actually something serious? It seems a bit ironic to showcase this on their Ethical Hacking Training page.