Info on the disclosure of the wicd 0day

April 13, 2011 by Infosec

Rel1k (Dave Kennedy) asked for a more detailed explanation as to the wicd disclosure / backtrack “0day” fiasco and we’re happy to explain.

We slipped up in wanting to show off how a student found an exploit in class (posted here). The truth was it was a critical exploit to Wicd, but a very minor vulnerability, if that, for Backtrack. What has been missed in all of this is that it is a real priv escalation 0day for distros that are used in multi user deployments, such as Arch, Debian, etc. Being in the security industry, the vuln was discovered on the BT5 distribution and unfortunately that was where we focused instead of placing the focus on wicd. We missed when we should have informed the wicd devs rather than (or in addition to) BT, that was honestly overlooked on our part.

The title of the advisory when we released it was (and still is) “wicd Privilege Escalation 0Day Tested against Backtrack 5, 5 R2, Arch distributions”, when we went to shorten this down to something digestible for email subject lines and tweets, we make a critical error in shortening it to “priv escalation 0day in Bactrack 5 R2”. This shortening is misleading and incorrect. We should have shortened the title to be “priv escalation 0day in wicd”.

 We know we’ve been playing catch-up with the security community and regret those misses as it negates the positives that could have been highlighted. In the future we will take a much more measured approach, and solicit the feedback of those that have released many advisories in the past prior to posting anything publicly.

Finally, we’d like to add that an incredible amount of good work has gone into Backtrack, and with every release it becomes more and more valuable to the security community. It was honestly our expectation that when we initially emailed them we would get a “wow, thanks” and we regret this comes off as malicious to them. ISI apologized to the entire backtrack team publicly on 4/12/12, and we would like to take this opportunity to apologize to mati and the backtrack again, and ask for forgiveness.

Posted: April 13, 2011
View Profile

Infosec’s mission is to put people at the center of cybersecurity. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber safe at work and home. More than 70% of the Fortune 500 have relied on Infosec Skills to develop their security talent, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ’s security awareness training.