A student from Infosec Institute managed to find a zero-day vulnerability in the Wireless Interface Connection Daemon (WICD) affecting BackTrack 5.
The discovery has been published on InfoSec's own website and detailed by the student himself, who says that the Wireless Interface Connection Daemon (WICD) has several design flaws that can be misused to execute a privilege escalation exploit.
Improper sanitization of inputs in WICD's D-Bus interfaces allows an attacker to (semi-)arbitrarily write configuration options in WICD's 'wireless-settings.conf' file, including but not limited to defining scripts (actually executables) to run upon various internal events (for instance, upon connecting to a wireless network). Because these scripts execute as the root user, an attacker with access to the WICD D-Bus interface can execute arbitrary code or commands as root.

At first, the researchers incorrectly named the vulnerability "Backtrack 5 R2 priv escalation 0day". They later realized the mistake and changed the name to "wicd Privilege Escalation 0Day". They apologized for the confusion to the BackTrack team and any other persons affected by this error.
"To summarise, we believe that the intentional misrepresentation of this bug report has discredited BackTrack unnecessarily in the eyes of those who do not understand the underlying mechanisms of our OS, and also discredited the Infosec Institute in the eyes of those who do," the BackTrack team commented on this issue.

The wicd team has released a new version that fixes this bug (CVE-2012-2095).
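The flaw described above comes down to a root daemon writing caller-supplied option names and values into its configuration file. The following is an added example, not code from wicd or from the original report: a sketch of the kind of input validation a D-Bus setter needs, plus an audit helper that lists script hooks already present in a settings file. The allowlist, the function names, the treatment of `None` as "unset" and the sample file contents are assumptions made for illustration.

```python
import configparser
import re

# Assumption: options an unprivileged D-Bus caller may legitimately set.
# This allowlist is illustrative, not wicd's real property list.
ALLOWED_OPTIONS = {"essid", "bssid", "automatic", "encryption", "key"}
NAME_RE = re.compile(r"[a-z][a-z0-9_]*")


def validate_option(name, value):
    """Return (name, value) if safe to write to the config, else raise ValueError."""
    name = str(name).strip().lower()
    value = str(value)
    if not NAME_RE.fullmatch(name) or name not in ALLOWED_OPTIONS:
        raise ValueError("option not settable over D-Bus: %r" % name)
    # Control characters could alter the structure of a line-oriented file.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        raise ValueError("control character in value for %r" % name)
    return name, value


def audit_script_hooks(config_text):
    """List (section, option, value) for every non-empty script hook in the file."""
    parser = configparser.RawConfigParser(strict=False)
    parser.read_string(config_text)
    findings = []
    for section in parser.sections():
        for option, value in parser.items(section):
            # Assumption: unset hooks are stored as an empty value or "None".
            if "script" in option and value.strip() not in ("", "None"):
                findings.append((section, option, value.strip()))
    return findings


# Constructed sample in the style of wireless-settings.conf (not real data).
SAMPLE = """\
[00:11:22:33:44:55]
essid = office
afterscript = /tmp/x.sh
[66:77:88:99:AA:BB]
essid = home
afterscript = None
"""

if __name__ == "__main__":
    for finding in audit_script_hooks(SAMPLE):
        print("review script hook:", finding)
```

Any hook the audit reports that an administrator did not configure deliberately deserves a closer look, since it names a program the daemon will run as root.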