.

Backtrack 5 R2 priv escalation 0day found in CTF exercise

<<

infoseci

Newbie
Newbie

Posts: 18

Joined: Tue Nov 02, 2010 4:12 pm

Post Wed Apr 11, 2012 10:06 am

Backtrack 5 R2 priv escalation 0day found in CTF exercise

wicd Privilege Escalation 0Day
Tested against Backtrack 5, 5 R2, Arch distributions

Spawns a root shell. Has not been tested for potential remote exploitation vectors.

Discovered by a student that wishes to remain anonymous in the course CTF. This 0day exploit for Backtrack 5 R2 was discovered by a student in the InfoSec Institute Ethical Hacking class, during an evening CTF exercise. The student wishes to remain anonymous, he has contributed a python version of the 0day, a patch that can be applied to wicd, as well as a writeup detailing the discovery and exploitation process. You can find a python version of the exploit and full write up with patch here: http://www.infosecinstitute.com/courses/ethical_hacking_training.html
<<

lorddicranius

User avatar

Sr. Member
Sr. Member

Posts: 448

Joined: Thu Mar 03, 2011 3:54 am

Post Thu Apr 12, 2012 2:55 am

Re: Backtrack 5 R2 priv escalation 0day found in CTF exercise

Not so much a BackTrack 0day as it is a wicd 0day, isn't it?

Regardless, good find by the student.
GSEC, eCPPT, Sec+
<<

dynamik

Recruiters
Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Thu Apr 12, 2012 9:00 am

Re: Backtrack 5 R2 priv escalation 0day found in CTF exercise

lorddicranius wrote:Not so much a BackTrack 0day as it is a wicd 0day, isn't it?


Right.

The comments here sum up my thoughts. Did they even notify the dev and give them an opportunity to fix it themselves? This doesn't seem to be setting a good example for the students.

http://threatpost.com/en_us/blogs/critical-flaw-found-security-pros-favorite-backtrack-linux-041112 wrote:1) The title of this vulnerability should probably be "WICD Priv Escalation". As such, it should probably be reported to the WICD developers, as opposed to the BackTrack development team. If you still felt the bug report should be posted to us, the right place to post it would be "BackTrack bugs" (although it is not), or even better, our redmine ticket system.

2) Giving the pre-requisites for the exploit to function would be helpful. In this case, you would need to create a non root user in BackTrack, have a remote attacker access BT with that non privileged account or have anunprivileged shell from a previous attack against another service, and then have that user attempt to connect to a wireless access point (assuming wicd is running as root). This is far from the default configuration in BackTrack, which further negates the title of this vulnerability.

3) Making a mountain out of a molehill for the purpose of promoting a product or service is generally frowned upon by the security industry, especially when one already has a bad reputation.

4) Once this bug is tended to by the WICD developers, we will use their official patch rather than patching our packages using untrusted sources.
The day you stop learning is the day you start becoming obsolete.
<<

Darktaurus

User avatar

Full Member
Full Member

Posts: 181

Joined: Thu Sep 03, 2009 8:48 am

Post Thu Apr 12, 2012 9:11 am

Re: Backtrack 5 R2 priv escalation 0day found in CTF exercise

The OffSec Backtrack Pros did not take too kindly to it either:

http://www.backtrack-linux.org/backtrac ... scalation/


"To summarise, we belive that the intentional misrepresentation of this bug report has discredited BackTrack unecessarily in the eyes of those who do not understand the underlying mechanisms of our OS, and also discredited the Infosec Institute in the eyes of those who do."
OSCE, OSCP, OSWP, CISSP, GPEN

www.agoonie.com
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1661

Joined: Mon Jan 29, 2007 2:59 pm

Post Thu Apr 12, 2012 9:12 am

Re: Backtrack 5 R2 priv escalation 0day found in CTF exercise

I fully agree with OffSec's response
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

dynamik

Recruiters
Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Thu Apr 12, 2012 9:19 am

Re: Backtrack 5 R2 priv escalation 0day found in CTF exercise

I'm pretty sure they wrote the comment in the article I linked to as well. Notice the "us" in the first point.
The day you stop learning is the day you start becoming obsolete.
<<

Ignatius

Jr. Member
Jr. Member

Posts: 91

Joined: Sun Mar 22, 2009 9:51 am

Post Thu Apr 12, 2012 12:31 pm

Re: Backtrack 5 R2 priv escalation 0day found in CTF exercise

It seems that ISI have been criticised over how this was handled.  I recall there was a lengthy dispute between ISI and PVE about the origin of some course material last year.  I haven't been on any of their courses and this is merely an observation ... but is it a coincidence?
<<

Darktaurus

User avatar

Full Member
Full Member

Posts: 181

Joined: Thu Sep 03, 2009 8:48 am

Post Thu Apr 12, 2012 12:54 pm

Re: Backtrack 5 R2 priv escalation 0day found in CTF exercise

ajohnson wrote:I'm pretty sure they wrote the comment in the article I linked to as well. Notice the "us" in the first point.


Good point.  I didn't even notice that at first.  I think they are burning a lot of bridges with the wrong people...

Ignatius wrote:It seems that ISI have been criticised over how this was handled.  I recall there was a lengthy dispute between ISI and PVE about the origin of some course material last year.  I haven't been on any of their courses and this is merely an observation ... but is it a coincidence?


I think you are correct.  I remember twitter was "on fire" when this happened.  Has anyone used ISI training at all?  Is this just unfortunate luck for ISI or does their coursework reflect this behavior?


https://www.corelan.be/index.php/2011/1 ... -resolved/
OSCE, OSCP, OSWP, CISSP, GPEN

www.agoonie.com
<<

lorddicranius

User avatar

Sr. Member
Sr. Member

Posts: 448

Joined: Thu Mar 03, 2011 3:54 am

Post Thu Apr 12, 2012 1:16 pm

Re: Backtrack 5 R2 priv escalation 0day found in CTF exercise

Dave Kennedy released a new version of SET today with a new addition to its license:

Per my licensing, the INFOSEC Institute may no longer leverage any material or use of the program for any purposes as part of their training programs.


https://www.secmaniac.com/blog/2012/04/ ... erage-set/
GSEC, eCPPT, Sec+
<<

SephStorm

User avatar

Hero Member
Hero Member

Posts: 569

Joined: Sat Apr 17, 2010 12:12 pm

Post Thu Apr 12, 2012 10:28 pm

Re: Backtrack 5 R2 priv escalation 0day found in CTF exercise

Well I think that was unnecessary. yes, ISI had an issue that was resolved. I stand by the quality of their courses/training.
sectestanalysis.blogspot.com/‎
<<

lorddicranius

User avatar

Sr. Member
Sr. Member

Posts: 448

Joined: Thu Mar 03, 2011 3:54 am

Post Thu Apr 12, 2012 11:49 pm

Re: Backtrack 5 R2 priv escalation 0day found in CTF exercise

SephStorm wrote:Well I think that was unnecessary. yes, ISI had an issue that was resolved. I stand by the quality of their courses/training.


Changing his license wasn't a diss on ISI's courses.  He's just looking for them to correct this mistake, and he's not satisfied with what's been done so far (judging from his tweets).
GSEC, eCPPT, Sec+
<<

j0rDy

User avatar

Hero Member
Hero Member

Posts: 591

Joined: Tue Feb 23, 2010 4:55 am

Location: Netherlands

Post Fri Apr 13, 2012 2:14 am

Re: Backtrack 5 R2 priv escalation 0day found in CTF exercise

in my opinion OffSec bit back a little too hard. sure they made it look worse than it is, and pointed out backtrack in particular while it is a vulnerability in an application that they use, not developed, but a simple statement that they are indeed vulnerable (which is a completely different discussion also, being a single user/root OS with a privilege escalation) but it is out of there hands because the vendor of the application needs to fix the bug, not them.
CISSP, CEH, ECSA, OSCP, OSWP

earning my stripes appears to be a road i must travel alone...with a little help of EH.net
<<

SephStorm

User avatar

Hero Member
Hero Member

Posts: 569

Joined: Sat Apr 17, 2010 12:12 pm

Post Fri Apr 13, 2012 6:11 am

Re: Backtrack 5 R2 priv escalation 0day found in CTF exercise

I would agree with that. But I would also counter that every news agency in the US is guilty of the same thing. But ultimately you guys are correct, ISI needs to take a close look at what happened here and what they can do to learn from it.

EDIT: they have modified the article above with the following statement:

"Update 4/12/12: The wicd team has released a new version that fixes this bug (CVE-2012-2095). The title of this advisory upon release has been, and always has been "wicd Privilege Escalation 0Day
Tested against Backtrack 5, 5 R2, Arch distributions". When we tweeted and emailed to mailing lists the notifications of this vulnerability, we incorrectly shortened the title and called it "Backtrack 5 R2 priv escalation 0day ", which is misleading and could lead people to believe the bug was actually in Backtrack. The bug has always resided in wicd and not in any Backtrack team written code. We apologize for the confusion to the Backtrack team and any other persons affected by this error. We feel the Backtrack distro is a great piece of software and wish muts and the rest of the team the best. "
Last edited by SephStorm on Fri Apr 13, 2012 6:13 am, edited 1 time in total.
sectestanalysis.blogspot.com/‎
<<

j0rDy

User avatar

Hero Member
Hero Member

Posts: 591

Joined: Tue Feb 23, 2010 4:55 am

Location: Netherlands

Post Fri Apr 13, 2012 6:50 am

Re: Backtrack 5 R2 priv escalation 0day found in CTF exercise

ok, after reading this it seems that it all got a little bit blown out of proportion. Perhaps an honest mistake even? Still the problem is fixed, now we just have to wait for the update in backtrack.
CISSP, CEH, ECSA, OSCP, OSWP

earning my stripes appears to be a road i must travel alone...with a little help of EH.net
<<

dynamik

Recruiters
Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Fri Apr 13, 2012 9:38 am

Re: Backtrack 5 R2 priv escalation 0day found in CTF exercise

j0rDy wrote:ok, after reading this it seems that it all got a little bit blown out of proportion. Perhaps an honest mistake even?


I think everyone's patience with ISI is still a bit thin after the relatively recent Corelan debacle.

SephStorm wrote:we incorrectly shortened the title and called it "Backtrack 5 R2 priv escalation 0day ", which is misleading and could lead people to believe the bug was actually in Backtrack.


That still seems obviously intentional. You don't accidentally make the same mistake on Twitter, Full Disclosure, here, the Backtrack Forums, etc.

It seems like ISI has a disconnect between the business side and the technical experts. I've worked at organizations like that before, and it's extremely frustrating. I imagine the news of someone discovering a vulnerability while working with Backtracking making it to someone in marketing or upper management, and once that happens, it's out of control and becomes an internet-wide embarrassment. I think it's important to distinguish the business itself from the individual professionals that work there and not disparage them personally. This situation was likely out of their hands (and most probably didn't find out about it until it was tweeted, etc.).

At the same time, a good instructor or (hopefully original) courseware doesn't excuse these types of mistakes. This whole situation was handled horribly. "Backtrack" attention-grabbing aside, they tweeted that they emailed muts a week before they released the news. First, you only give vendors a week to address vulnerabilities? Second, since they apparently new this was nothing specific to Backtrack, why are they emailing muts at all? Did they ever provide any notification to the wicd developers?

I think the worst part of all this is that the student elected to remain anonymous because they rushed this story to the figurative newsstand. That guy or gal got completely screwed. Who wouldn't want a feather in their cap for finding an exploit and writing a POC, even if it is rather trivial? Why not work with the developer, wait for an official patch to be released, and then post the write-up? It's even more ridiculous because the wicd guys could crank this patch out quickly; it's not like they'd be looking at an 18-month ETA from Oracle. Was this really such earth-shattering news that it couldn't wait a couple weeks?

Also, while this particular vulnerability was a non-issue, is this the type of disclosure we can expect from ISI? What if it was actually something serious? It seems a bit ironic to showcase this on their Ethical Hacking Training page.
The day you stop learning is the day you start becoming obsolete.
Next

Return to Network Pen Testing

Who is online

Users browsing this forum: No registered users and 1 guest

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software