A zero-day exploit has been discovered in WICD, a popular wireless network manager for Linux, that allows an attacker to spawn a root shell on a target machine.
The privilege escalation exploit affects the latest versions of WICD (pronounced "wicked") and was successfully tested on a handful of Linux distributions, including the latest release of the penetration testing operating system BackTrack.
It was not tested for remote exploitation vectors.
The exploit was discovered during a capture the flag competition by an anonymous student hacker at the InfoSec Institute in the US.
The hacker supplied a Python version of the zero-day exploit and a patch for WICD.
An InfoSec Institute blog post warned that improper sanitisation of inputs in WICD's D-Bus interfaces allowed an attacker to write configuration options semi-arbitrarily to the program's 'wireless-settings.conf' file.
Those options include scripts that WICD executes on various internal events, such as when a connection to a WiFi network is established.
“Assuming that the WICD user's computer is properly configured in so far that it can find wireless networks that are in range ... our executable should have executed as the root user via the WICD daemon's beforescript feature, causing whatever havoc and death it desires to the local system,” the post read.
The InfoSec Institute has extensive details on the exploit.
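Because the flaw lets an attacker set script options in 'wireless-settings.conf', a defender can check that file for script hooks that nobody intentionally configured. The following is an added example, not code from the InfoSec Institute post or from WICD: it assumes the file is INI-style with one section per network, that unset hooks are stored as `None`, and that WICD's other per-network hooks are named as listed in `SCRIPT_KEYS` (only `beforescript` appears in the article); the sample input is constructed.

```python
import configparser

# Script hooks the WICD daemon runs as root. "beforescript" is named in the
# article; the other three names are assumptions about WICD's per-network
# script settings.
SCRIPT_KEYS = ("beforescript", "afterscript",
               "predisconnectscript", "postdisconnectscript")
# Values treated as "no script configured" (assumption: unset is "None").
EMPTY = {"", "none", "false"}


def audit_wicd_settings(text, allowed=()):
    """Return (section, key, value) for every script hook that is set
    and is not in the administrator-supplied allow-list."""
    # strict=False tolerates duplicate sections/options; the last value wins.
    parser = configparser.RawConfigParser(strict=False)
    parser.read_string(text)
    findings = []
    for section in parser.sections():
        for key in SCRIPT_KEYS:
            if not parser.has_option(section, key):
                continue
            value = parser.get(section, key).strip()
            if value.lower() in EMPTY or value in allowed:
                continue
            findings.append((section, key, value))
    return findings


# Constructed sample input: two network sections, one with a hook set.
SAMPLE = """\
[AA:BB:CC:00:00:01]
essid = office
beforescript = None
afterscript = None

[AA:BB:CC:00:00:02]
essid = cafe
beforescript = /tmp/example-hook
afterscript = None
"""

if __name__ == "__main__":
    import sys
    # Pass the path to wireless-settings.conf, or run on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for section, key, value in audit_wicd_settings(text):
        print(f"{section}: {key} = {value}")
```

Any finding that does not match a hook an administrator deliberately set is worth investigating, since the daemon runs these scripts as root.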
Copyright © SC Magazine, Australia
Issue: 315 | May 2013