Security Linux

Critical Flaw Found In Backtrack Linux

chicksdaddy writes "Threatpost is reporting on a critical security flaw in the latest version of Backtrack Linux, a popular distribution that is used by security professionals for penetration testing. The previously undiscovered privilege escalation hole was discovered by a student taking part in an InfoSec Institute Ethical Hacking class, according to the post on the group's Web site. 'The student in our ethical hacking class that found the 0day was using backtrack and decided to fuzz the program, as well as look through the source code,' wrote Jack Koziol, the Security Program Manager at the InfoSec Institute. 'He found that he could overwrite config settings and gain a root shell.' An unofficial patch is available from InfoSec Institute. Koziol said that an official patch is being tested now and is expected shortly."
This discussion has been archived. No new comments can be posted.

  • it appears (Score:3, Informative)

    by koan ( 80826 ) on Wednesday April 11, 2012 @08:27PM (#39651981)

    Backtrack repository has the fix already.

  • by antant007 ( 1702214 ) on Wednesday April 11, 2012 @08:40PM (#39652115)
    Ya, I foolishly did. Don't do it.
  • by rgbrenner ( 317308 ) on Wednesday April 11, 2012 @08:48PM (#39652205)

    * BackTrack is a Live DVD - when you finish using it, everything is wiped out.
    * It's not a server OS
    * It's not a desktop OS
    * It's an OS for a specific purpose.. you use it for pentesting, and then stop using it.

    I don't see what the issue is.

  • by hobarrera ( 2008506 ) on Wednesday April 11, 2012 @09:03PM (#39652359) Homepage

    Why? They do network penetration testing, not privilege escalation tests; they're totally unrelated.
    No-one expects BT to be safe, it's an "offensive" tool, not one used to secure anything.

  • by seifried ( 12921 ) on Wednesday April 11, 2012 @09:20PM (#39652517) Homepage
    You need to be able to send arbitrary Dbus messages, so you need either local access or to remotely compromise the system (in which case you already won). This article is ridiculous and much ado about nothing.
  • This is a complete (Score:5, Informative)

    by jakeguffey ( 587607 ) on Wednesday April 11, 2012 @09:45PM (#39652747)
    non-issue. According to the advisory, this particular issue "Spawns a root shell [and h]as not been tested for potential remote exploitation vectors." As has been stated multiple times earlier already, BT is generally used as root locally and (until someone determines remote exploitability) this is a local-only exploit. TFS is wrong. This is not a "critical flaw in BT," but a flaw in WICD that allows privilege escalation. Still something that definitely needs fixed, but if someone has local access to your box, you can pretty much assume they already have root.
  • by Anonymous Coward on Wednesday April 11, 2012 @10:03PM (#39652921)

    From the official response (http://www.backtrack-linux.org/forums/showthread.php?t=49411):

    This post is a bad example of a bug report, for several reasons.

    1) The title of this vulnerability should probably be "WICD Priv Escalation". As such, it should probably be reported to the WICD developers, as opposed to the BackTrack development team. If you still felt the bug report should be posted to us, the right place to post it would be "BackTrack bugs" (although it is not), or even better, our redmine ticket system.

    2) Giving the pre-requisites for the exploit to function would be helpful. In this case, you would need to create a non root user in BackTrack, have a remote attacker access BT with that non privileged account or have an unprivileged shell from a previous attack against another service, and then have that user attempt to connect to a wireless access point (assuming wicd is running as root). This is far from the default configuration in BackTrack, which further negates the title of this vulnerability.

    3) Making a mountain out of a molehill for the purpose of promoting a product or service is generally frowned upon by the security industry, especially when one already has a bad reputation.

    4) Once this bug is tended to by the WICD developers, we will use their official patch rather than patching our packages using untrusted sources.
