A zero day exploit has been discovered in popular wireless Linux manager WICD that allows an attacker to spawn a root shell on a target machine.
The privileged escalation exploit affects the latest versions of WICD (pronounced wicked) and was successfully tested on a handful of Linux distributions including the latest release of the penetration testing operating system BackTrack.
It was not tested for remote exploitation vectors.
The exploit was discovered during a capture the flag competition by an anonymous student hacker at the InfoSec Institute in the US.
The hacker supplied a python version of the zero day, and a patch for WICD.
An Infosec Institute blog post warned that improper sanitisation of inputs in WICD's DBUS interfaces allowed an attacker to semi-arbitrarily write configuration options in the program's 'wireless-settings.conf' file.
That included defining scripts to execute during various internal events such as when connection to a WiFi network was established.
“Assuming that the WICD users computer is properly configured in so far that it can find wireless networks that are in range ... our executable should have executed as the root user via the WICD daemons beforescript feature, causing whatever havoc and death it desires to the local system," the post read.
The InfoSec Institute has extensive details on the exploit.
-1.jpg&w=100&c=1&s=0)
.png&w=100&c=1&s=0)
