Backtrack 5 R2 priv escalation 0day found in CTF exercise

Viewing 16 reply threads
  • Author
    Posts
    • #7509
      infoseci
      Participant

      wicd Privilege Escalation 0Day
      Tested against Backtrack 5, 5 R2, Arch distributions

      Spawns a root shell. Has not been tested for potential remote exploitation vectors.

      Discovered by a student that wishes to remain anonymous in the course CTF. This 0day exploit for Backtrack 5 R2 was discovered by a student in the InfoSec Institute Ethical Hacking class, during an evening CTF exercise. The student wishes to remain anonymous, he has contributed a python version of the 0day, a patch that can be applied to wicd, as well as a writeup detailing the discovery and exploitation process. You can find a python version of the exploit and full write up with patch here: http://www.infosecinstitute.com/courses/ethical_hacking_training.html

    • #46864
      lorddicranius
      Participant

      Not so much a BackTrack 0day as it is a wicd 0day, isn’t it?

      Regardless, good find by the student.

    • #46865
      dynamik
      Participant

      @lorddicranius wrote:

      Not so much a BackTrack 0day as it is a wicd 0day, isn’t it?

      Right.

      The comments here sum up my thoughts. Did they even notify the dev and give them an opportunity to fix it themselves? This doesn’t seem to be setting a good example for the students.

      @http://threatpost.com/en_us/blogs/critical-flaw-found-security-pros-favorite-backtrack-linux-041112 wrote:

      1) The title of this vulnerability should probably be “WICD Priv Escalation”. As such, it should probably be reported to the WICD developers, as opposed to the BackTrack development team. If you still felt the bug report should be posted to us, the right place to post it would be “BackTrack bugs” (although it is not), or even better, our redmine ticket system.

      2) Giving the pre-requisites for the exploit to function would be helpful. In this case, you would need to create a non root user in BackTrack, have a remote attacker access BT with that non privileged account or have anunprivileged shell from a previous attack against another service, and then have that user attempt to connect to a wireless access point (assuming wicd is running as root). This is far from the default configuration in BackTrack, which further negates the title of this vulnerability.

      3) Making a mountain out of a molehill for the purpose of promoting a product or service is generally frowned upon by the security industry, especially when one already has a bad reputation.

      4) Once this bug is tended to by the WICD developers, we will use their official patch rather than patching our packages using untrusted sources.

    • #46866
      Darktaurus
      Participant

      The OffSec Backtrack Pros did not take too kindly to it either:

      http://www.backtrack-linux.org/backtrack/backtrack-0day-privilege-escalation/

      “To summarise, we belive that the intentional misrepresentation of this bug report has discredited BackTrack unecessarily in the eyes of those who do not understand the underlying mechanisms of our OS, and also discredited the Infosec Institute in the eyes of those who do.”

    • #46867
      hayabusa
      Participant

      I fully agree with OffSec’s response

    • #46868
      dynamik
      Participant

      I’m pretty sure they wrote the comment in the article I linked to as well. Notice the “us” in the first point.

    • #46869
      Ignatius
      Participant

      It seems that ISI have been criticised over how this was handled.  I recall there was a lengthy dispute between ISI and PVE about the origin of some course material last year.  I haven’t been on any of their courses and this is merely an observation … but is it a coincidence?

    • #46870
      Darktaurus
      Participant

      @ajohnson wrote:

      I’m pretty sure they wrote the comment in the article I linked to as well. Notice the “us” in the first point.

      Good point.  I didn’t even notice that at first.  I think they are burning a lot of bridges with the wrong people…

      @Ignatius wrote:

      It seems that ISI have been criticised over how this was handled.  I recall there was a lengthy dispute between ISI and PVE about the origin of some course material last year.  I haven’t been on any of their courses and this is merely an observation … but is it a coincidence?

      I think you are correct.  I remember twitter was “on fire” when this happened.  Has anyone used ISI training at all?  Is this just unfortunate luck for ISI or does their coursework reflect this behavior?

      https://www.corelan.be/index.php/2011/11/18/copyright-dispute-resolved/

    • #46871
      lorddicranius
      Participant

      Dave Kennedy released a new version of SET today with a new addition to its license:

      Per my licensing, the INFOSEC Institute may no longer leverage any material or use of the program for any purposes as part of their training programs.

      https://www.secmaniac.com/blog/2012/04/12/disallowing-infosec-institute-to-leverage-set/

    • #46872
      SephStorm
      Participant

      Well I think that was unnecessary. yes, ISI had an issue that was resolved. I stand by the quality of their courses/training.

    • #46873
      lorddicranius
      Participant

      @SephStorm wrote:

      Well I think that was unnecessary. yes, ISI had an issue that was resolved. I stand by the quality of their courses/training.

      Changing his license wasn’t a diss on ISI’s courses.  He’s just looking for them to correct this mistake, and he’s not satisfied with what’s been done so far (judging from his tweets).

    • #46874
      j0rDy
      Participant

      in my opinion OffSec bit back a little too hard. sure they made it look worse than it is, and pointed out backtrack in particular while it is a vulnerability in an application that they use, not developed, but a simple statement that they are indeed vulnerable (which is a completely different discussion also, being a single user/root OS with a privilege escalation) but it is out of there hands because the vendor of the application needs to fix the bug, not them.

    • #46875
      SephStorm
      Participant

      I would agree with that. But I would also counter that every news agency in the US is guilty of the same thing. But ultimately you guys are correct, ISI needs to take a close look at what happened here and what they can do to learn from it.

      EDIT: they have modified the article above with the following statement:

      “Update 4/12/12: The wicd team has released a new version that fixes this bug (CVE-2012-2095). The title of this advisory upon release has been, and always has been “wicd Privilege Escalation 0Day
      Tested against Backtrack 5, 5 R2, Arch distributions”. When we tweeted and emailed to mailing lists the notifications of this vulnerability, we incorrectly shortened the title and called it “Backtrack 5 R2 priv escalation 0day “, which is misleading and could lead people to believe the bug was actually in Backtrack. The bug has always resided in wicd and not in any Backtrack team written code. We apologize for the confusion to the Backtrack team and any other persons affected by this error. We feel the Backtrack distro is a great piece of software and wish muts and the rest of the team the best. “

    • #46876
      j0rDy
      Participant

      ok, after reading this it seems that it all got a little bit blown out of proportion. Perhaps an honest mistake even? Still the problem is fixed, now we just have to wait for the update in backtrack.

    • #46877
      dynamik
      Participant

      @j0rDy wrote:

      ok, after reading this it seems that it all got a little bit blown out of proportion. Perhaps an honest mistake even?

      I think everyone’s patience with ISI is still a bit thin after the relatively recent Corelan debacle.

      @SephStorm wrote:

      we incorrectly shortened the title and called it “Backtrack 5 R2 priv escalation 0day “, which is misleading and could lead people to believe the bug was actually in Backtrack.

      That still seems obviously intentional. You don’t accidentally make the same mistake on Twitter, Full Disclosure, here, the Backtrack Forums, etc.

      It seems like ISI has a disconnect between the business side and the technical experts. I’ve worked at organizations like that before, and it’s extremely frustrating. I imagine the news of someone discovering a vulnerability while working with Backtracking making it to someone in marketing or upper management, and once that happens, it’s out of control and becomes an internet-wide embarrassment. I think it’s important to distinguish the business itself from the individual professionals that work there and not disparage them personally. This situation was likely out of their hands (and most probably didn’t find out about it until it was tweeted, etc.).

      At the same time, a good instructor or (hopefully original) courseware doesn’t excuse these types of mistakes. This whole situation was handled horribly. “Backtrack” attention-grabbing aside, they tweeted that they emailed muts a week before they released the news. First, you only give vendors a week to address vulnerabilities? Second, since they apparently new this was nothing specific to Backtrack, why are they emailing muts at all? Did they ever provide any notification to the wicd developers?

      I think the worst part of all this is that the student elected to remain anonymous because they rushed this story to the figurative newsstand. That guy or gal got completely screwed. Who wouldn’t want a feather in their cap for finding an exploit and writing a POC, even if it is rather trivial? Why not work with the developer, wait for an official patch to be released, and then post the write-up? It’s even more ridiculous because the wicd guys could crank this patch out quickly; it’s not like they’d be looking at an 18-month ETA from Oracle. Was this really such earth-shattering news that it couldn’t wait a couple weeks?

      Also, while this particular vulnerability was a non-issue, is this the type of disclosure we can expect from ISI? What if it was actually something serious? It seems a bit ironic to showcase this on their Ethical Hacking Training page.

    • #46878
      SephStorm
      Participant

      I think more than likely the student found the vulnerability and told it to the class, afterwards the instructor asked them if they wanted to disclose it and the person asked not to reveal their name. Then the instructor or another employee posted the info in all of the places it was found. I’m sure they were all posted around the same time. Now I dont know about the reported disclosure to muts, i didnt see that in the statement so I assume that was made elsewhere, but in anycase, I think likely they sent an email and perhaps didnt hear back, so they posted it?

      The point is, it was a mistake, more than likely not made with malicious intent. They gained nothing except notoriety, and as I think they have defiantly learned from this event.

    • #46879
      lorddicranius
      Participant

      And the SET licensing restriction has been removed!

      http://twitter.com/dave_rel1k/status/190921359109525504

      ISI’s response that seems to have resolved this issue:

      Info on the disclosure of the wicd 0day

Viewing 16 reply threads
  • You must be logged in to reply to this topic.

Copyright ©2022 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?