Critical Flaw Found In Backtrack Linux 84
chicksdaddy writes "Threatpost is reporting on a critical security flaw in the latest version of Backtrack Linux, a popular distribution that is used by security professionals for penetration testing. The previously undiscovered privilege escalation hole was discovered by a student taking part in an InfoSec Institute Ethical Hacking class, according to the post on the group's Web site. 'The student in our ethical hacking class that found the 0day was using backtrack and decided to fuzz the program, as well as look through the source code,' wrote Jack Koziol, the Security Program Manager at the InfoSec Institute. 'He found that he could overwrite config settings and gain a root shell.' An unofficial patch is available from InfoSec Institute. Koziol said that an official patch is being tested now and is expected shortly."
From what I heard (Score:5, Insightful)
Re:Usually you run as root (Score:3, Insightful)
Reading the TFA (this is
Re:Usually you run as root (Score:1, Insightful)
ClueOS GetLive Edition.
I wholeheartedly recommend it to you.
Re:In-band Signaling Considered Harmful (Score:3, Insightful)
Ummm.. fuck parent straight up the ass for that idiocy.
Validating your inputs is just one of many important parts of a complete security solution.
There is a good reason you'll find "Input Validation" given its own section starting on Page 5 of the OWASP Secure Coding Practices Quick Reference Guide [owasp.org].
But don't be too hard on CapOblivious2010 ... developers like that are the reason you'll still find plenty of work writing security code for decades to come.
Re:From what I heard (Score:4, Insightful)
wicd is network-manager without the sucking parts.
Re:From what I heard (Score:4, Insightful)
Unfortunately most of the people (I'd go as far as 95-99%) on the backtrack forums are neither pentesters nor good. They use wicd because they don't know how to edit a config file or run their own wpa_supplicant. Most of them go as far as trying to use BT for their regular day-to-day stuff. Idiots. But the backtrack team put up with them, so something like this becomes massive news.
I didn't see headlines when the wget vulnerability was in Backtrack 3...