Oh good grief !
Are we really supposed to take this seriously ?
A security researcher has demonstrated how it might be possible to perform autorun-style attacks against weakly secured Linux PCs. Windows worms including Conficker and Stuxnet have often spread onto networks after infected USB sticks were plugged into PCs. This has happened automatically in cases where autorun was enabled, as …
To reply to some comments down the forum :
Even if the usb stick didn't automount the same/similar vulnerability would be triggered if the user then mounted it and used whatever flawed application.
The main problem here is that the file manager opened the usb stick automatically - that should never be allowed and indeed I don't think it is in most distributions.
If you turn off security measures and use a vulnerability in a product (that has already been patched), then you might be able to do something to a linux box. ... wow I'm quaking in my boots.
The fact that he only explained how these security measures "might" be defeated is a bit weak - it reminds me of that bit in Independence Day when Jeff Goldblum's character says "all we need to do is fly up to their space ship, get past their defences and inject the virus".
Would you be impressed if a car security expert showed how someone can steal your car if they managed to work round the security systems, but declined to show you how it could be done and instead had your car sitting there with the alarm and immobiliser turned off and the doors unlocked - just so he could make sure his demonstration went well?
What is not fine is launching applications to open the mounted drive and show you your pictures or sound files, but mounting the device and putting the icon on the desktop is a good thing as most users coming from the Windows world will have no clue how to mount a device. The same goes for the MacInfolk... and when it comes right down to it these users shouldn't have to know how to mount a block-device, but if they ever have the inclination to learn and understand what their computer is doing then they can.
The first time I saw one occurrence was on an Amiga 500. Something like 1989, a funny message saying: "you have been infected ... by a virus !"
Quite uncommon malware time by today's standards ...
Anyway, it's a bit sad that some people still think autorun, in whatever OS and for whatever type of executable content, is a good idea.
/me fires up my Amiga emul to play Lemmings
This post has been deleted by its author
Something wonderful has happened
Your AMIGA is alive !!! and, even better...
Some of your disks are infected by a VIRUS !!!
Another masterpiece of The Mega-Mighty SCA !!
The original SCA virus for the Amiga, a boot block virus that would infect any non-write-protected floppy. I seem to recall running into that in the winter of 1987 on the Amiga 1000.
I almost fondly remember the "mouse inversion virus" of my old Atari ST...
After 5 replications (and this thing was so dumb that it overwrote itself each time you opened the volume), the vertical movements of the pointer were inverted... more funny than dangerous
Damn, I feel like a dinosaur :s
Another chink in the penguin's armour? Maybe not. If someone has physical access, all bets are off. Really. And whilst I realise that users/admin will have had to have been pretty stupid to let this exploit work but let's face it, people *ARE* stupid (and I include myself). So there is only one answer - kill any form of autorun dead. Now.
The most *ANY* OS should do is mount the device and indicate, by some means, how the user can access it. That is all. No launch, no dialog, no guessing from content what is to be done, no offering to run a program, no bullshit. Just mount the fecker and be done with it.
"This device contains music, do you want to open it in RhythmBox?"
No. No I do chuffin' well not. It has videos, documents, pictures, encrypted files and all sorts. Why not offer me an application for every media type on the drive, you stupid desktop.
Actually, here. Open this *thump*
"If someone has physical access, all bets are off"
I totally agree... Like I said again and again during the kack about Windows controllers for SCADA systems being infected - if you run your system in such a way that it is open to the outside world, be that local ports available for someone to walk up and plug into, or improper network isolation/firewalling, you'll get hacked sooner or later. It doesn't matter if it's linux or Windows, Unix or even z/OS.
The problem then was that all the linux/unix zealots wouldn't hear any sense about Windows being basically ok for the job, if you take sensible precautions (banks successfully use XP as their ATM OS without being hacked left right and centre.) I suspect they'll come up with reasons that linux users shouldn't bother about this problem - like it's been patched already (therefore everyone uses that patch) or people know what they are doing on linux enough to not switch off the protection that would prevent this happening. Of course, everyone who uses linux knows it inside out and everyone who uses Windows is a knuckle dragger. Not sure where I fit mind, I use both, am an expert in my specialist area on both, and use whichever is most appropriate for the job in question...
While I am all for making Linux nice to use, that should not be at the expense of basic security!
Autorun was a dumb idea, and should not be copied in to Linux just because lazy/ignorant Windows users like it. In fact, running anything off USB should be disabled by default with root permissions to enable it.
Without trying to sound too condescending, anyone who does not know how to copy, change permissions, and manually start software has no business running new stuff in the first place. Someone needs to know how to set up and protect the PC, most of your company/family does not, and allowing any simple execution of code is a disaster waiting to happen.
You should always assume software has bugs and that users will do stupid things that may break an otherwise secure system.
Am I surprised? No.
Am I worried? No.
Is this anything new? No.
As long as people think about what they are doing they should be safe. Okay, it requires a lot more work on some systems but the basics are always the same, complex systems have bugs...
It doesn't matter that you and I know that Linux is the kernel, to everyone who isn't into OSes, Linux is the Unix-like operating system, usually Ubuntu, Fedora or Red Hat, all of which default to Gnome.
This sort of smug semantic argument is how systems can end up becoming insecure - A user of a system is told that a vulnerability he has heard of in Linux isn't actually Linux it's actually "blah blah blah" (normal people stop listening at this point) and so the user stops worrying about it. Whereas the vuln is actually with his desktop software. As far as most people are concerned the Kernel=The OS tools=The Windowing Environment=Everything bundled with it.
Having watched the video, it was interesting. To sum up, when a user inserts a USB, it auto-mounts (which is fine*), opens a nautilus window (Gnome file browser) which in turn will try to generate thumbnail images of the files on the USB drive. There's skip-loads of code that could get run doing this though -- an example mentioned was the totem video thumbnailer which covers a large number of video formats and therefore has multiple code paths.
Net result - it's entirely likely that some thumbnailer code somewhere has vulnerabilities and can be exploited this way.
Yes an example did use evince (PDF viewer) which has been fixed, but they didn't side-step too much real-world code. If I recall correctly, I think he said that AppArmor doesn't cover evince by default anyway, and certainly AppArmor didn't cover all thumbnailers. There were other mitigations, but none seemed absolutely water tight.
* Although possibly a malformed file-system could exploit a flaw in a FS driver if you can find one!
While it is very easy to dismiss this as impractical, I would disagree that it is not a serious issue to be considering. This specific exploit is obviously not at all practical in the real world, but it does raise an interesting point.
Huge numbers of exploits have been found in web browsers, allowing code to be executed when parsing a web page. Therefore it doesn't seem unlikely that vulnerabilities could be found in the various pieces of code that would be executed when a USB device is inserted.
This covers several things, largely (but not only) on a desktop system. I don't claim to be an expert on this process, but I assume this would typically include: the USB enumeration code (think PS3 exploit), the mass storage device driver (disk size, device name, etc), partition table scanners (MBR, GPT).
After this, on a desktop system, the system would also scan for known filesystems, read their labels, mount them, and scan for known types of content. Some systems may have also been accidentally or deliberately configured to open a file browser, which would include various file preview (thumbnail generation) tools.
What I am getting at is that it is not unlikely that vulnerabilities exist in one or more of these drivers and processes. Bearing in mind how many times browsers have been exploited, we shouldn't be complacent about other parts of the operating system.
Of course, I am not just talking about Linux. These things could be equally exploited in Windows, OSX.
@Paul Crawford regarding "Autorun was a dumb idea, and should not be copied in to Linux just because lazy/ignorant Windows users like it. In fact, running anything off USB should be disabled by default with root permissions to enable it."
This isn't really autorun, in the sense of old-skool-Windows stupidity of deciding to run some random executable off the CD (or USB stick). What this actually is is the file browser opening up, and generating thumbnail previews for stuff. By default nautilus will thumbnail various image and video formats, PDF and postscript files, and I think fonts. evince-thumbnailer is run to make PDF (and postscript) thumbnails, so that's where this exploit came in. Of course, thumbnailing can be turned off. My gentoo boxes don't automount either, and I'm sure that can be turned off on Ubuntu as well. To me, the big strength Ubuntu shows here (in common with quite a few distros) is the fast patch time for security vulnerabilities (in this example, the vulnerability he exploited has already been patched) -- no "patch Tuesday", flaws are patched pretty rapidly rather than giving malware writers a free month to exploit them; also, the package manager handles EVERYTHING on the system, so you're offered security updates for ALL your software, instead of some arbitrary subset that Microsoft's updater handles.
(Images -- at least JPEG, GIF, PNG, BMP, XPM, and TIF. Videos -- uses ffmpeg-thumbnailer so it'll handle almost nothing through almost everything, depending on what codecs you have installed.)
Automatically generating thumbnails is a restricted sort of autorun - it runs an executable, possibly containing known bugs, on input files under the control of an attacker. It's therefore an unsafe thing to do by default. Unsafe, but useful.
There may be sane half-way houses. Refuse to thumbnail any removable device. Refuse to thumbnail any NTFS or FAT filesystem. Refuse to thumbnail any file not owned by the user. Absolutely refuse to thumbnail if the user is root.
The trouble is that most non-root users are going to open a file with a reader to see what it is, even if the system doesn't automatically thumbnail it for them. Also they can unknowingly download an attack vector off the internet without involving a removable device. Their web-browser is probably far more of a danger!
At the end of the day, at least on Linux your user is an unprivileged account. (Also just about possible on Windows, but very many users do everything with Administrator privilege on their own PC, whereas you have to be actively perverse to do that on Linux)
Linux, flakey? How dare you! I run Monkey-Spunk 10.23.4.2.1 and it's rock solid, once you've updated and enabled all the alternative distros, and removed blue-oubliette 5.1, natch (but who doesn't know to do that).
Don't use Monkey-Spunk 10.23.4.2.2 though, it's rubbish.
(A joke, but with a point...)
On the computer lab, they put a dual-boot system with Windows XP on one side and Mandrake Linux on the other. If a USB drive was plugged in during Linux bootup, a text interface would pop up asking where to mount the device. If cancelled, it showed an assistant for the partition editor running with full root privileges. The obvious and easier thing to do was deleting partitions, which rendered the computer unusable until repaired. I told this issue to the local BOFH, who didn't care at all.
As there was a lot more demand for XP than for Linux, having a computer unable to boot Windows was very useful to avoid waiting for a computer to be available. They eventually fixed the issue when they upgraded the whole Linux system about a year after.
I have gotten several of my friends to switch to Linux, and most of them have stuck with it. One of the benefits is greatly improved security... but I also tell them NOTHING IS 100% BULLETPROOF. Your browser can still get hacked and the bad guys can romp in your runspace. As we've seen here, malformed code can do bad things. Of course, the good news is that even if they get in they're not running as root! (Yes I know--you can run as non-admin on Windows. As a Windows system administrator who did get his users to run without admin rights, I can tell you it's easier to get a home user to switch to Linux than explain all the tweaks and fixes for not running as admin) So........ patch your boxes, use your apps carefully, and rest assured that at least the bad guys will have to work harder, even if they get in, to really pwn your box.
Thanks for the clarification, though my Ubuntu set-up did offer the option to start software it found.
Thankfully not starting by default, but most users won't think twice when offered! I changed the Nautilus settings (Edit -> Preferences -> Media) to "do nothing" but wish there was an easy way to impose such changes system-wide on all users' profiles to begin with.
What bothers me a bit is the default for mounting FAT/NTFS formatted drives (i.e. virtually all USB sticks, etc) where the permissions are 755 (i.e. everything is executable). That should be disabled so files are 644 and directories 755.
While accepting that nothing can be completely safe, I would like to see no-execute on external media (maybe an enable button so you can run CDs?) and only a few specific AppArmor-shielded applications being allowed to preview the contents.
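Added example, not part of any comment above and not code from the researcher or any distribution: a Python check for two policies raised in the thread, the no-execute / 644-files wish for FAT/NTFS mounts in the last comment and the earlier "half-way house" of refusing to thumbnail on FAT/NTFS, as root, or for files the user does not own. The mount table is a constructed sample in `/proc/mounts` format and all function names are hypothetical; NTFS mounted through ntfs-3g (reported as `fuseblk`) and removable-device detection are not covered.

```python
FOREIGN_FS = {"vfat", "msdos", "exfat", "ntfs", "ntfs3"}  # FAT/NTFS kernel drivers

# Constructed sample in /proc/mounts format (not captured from a real host).
SAMPLE_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sdb1 /media/user/STICK vfat rw,nosuid,nodev,uid=1000,fmask=0022,dmask=0022 0 0
/dev/sdc1 /media/user/SAFE vfat rw,nosuid,nodev,noexec,uid=1000,fmask=0133,dmask=0022 0 0
"""

def parse_mounts(text):
    """Return [(mountpoint, fstype, {option: value})] from /proc/mounts text."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        opts = dict(o.partition("=")[::2] for o in fields[3].split(","))
        # /proc/mounts escapes spaces in mount points as \040
        mounts.append((fields[1].replace("\\040", " "), fields[2], opts))
    return mounts

def exec_findings(mounts):
    """Flag FAT/NTFS mounts on which files can be executed."""
    findings = []
    for mountpoint, fstype, opts in mounts:
        if fstype not in FOREIGN_FS:
            continue
        if "noexec" not in opts:
            findings.append((mountpoint, "mounted without noexec"))
        # fmask lists the bits to clear; files are 644 only if all x bits are masked
        if "fmask" in opts and (int(opts["fmask"], 8) & 0o111) != 0o111:
            findings.append((mountpoint, "fmask leaves execute bits set"))
    return findings

def mount_for(path, mounts):
    """Longest-prefix match of an absolute path against the mount table."""
    return max((m for m in mounts
                if path == m[0] or path.startswith(m[0].rstrip("/") + "/")),
               key=lambda m: len(m[0]))

def may_thumbnail(path, mounts, owner_uid, euid):
    """Thumbnail only as non-root, off FAT/NTFS, and for the user's own files."""
    if euid == 0:
        return False
    fstype = mount_for(path, mounts)[1]
    # With uid= set, every file on a FAT mount appears user-owned, so the
    # ownership test alone would pass; the filesystem test has to come first.
    return fstype not in FOREIGN_FS and owner_uid == euid
```

On a live system the same functions can be fed the contents of `/proc/mounts` and the `st_uid` from `os.stat()` on the file in question.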